High-profile information security breaches are seemingly becoming weekly news—not least the recent TalkTalk hack, where more than 20,000 customer bank account numbers and sort codes, plus 1.2 million customer email addresses and phone numbers, were stolen. In the wake of this, Vodafone announced that the personal details of almost 2,000 customers may have been stolen by criminals. Hacks like these are extremely damaging and impact every level of a business. As a specialist in IT security, Mike Hickson, Managing Director of LSA, has put together a guide to help limit your exposure.
1. Your data as a vital company asset
What is shocking about the TalkTalk breach is that a previous company tweet publicly stated that customer passwords may be stored in an unencrypted format, essentially advertising a soft target to attackers. Strictly speaking, passwords should not be stored in any recoverable form at all, encrypted or otherwise: the accepted practice is to keep only a per-user salted hash computed with a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen user table does not hand over the passwords themselves. More generally, in today’s era of cybercrime, leaving sensitive data unencrypted at rest is a risky strategy. Companies must treat their data (be it internal data, competitive data, customer data, etc.) like a precious commodity, and protect it accordingly.
2. Invest now to save later
With nine out of ten large companies experiencing a breach in the last year, the UK government is investing £500,000 in cybersecurity education to protect businesses and public services. Just as the government sees this as an important area to invest in, so should businesses. Combatting the cybersecurity threat means investing time and money—and maintaining that investment. Scrimping in this area is a false economy, ultimately costing companies much more in lost customers and revenue.
3. Don’t put all your eggs in the “protection” basket
There is no denying that strong defensive systems are important. When you consider that email is one of the most popular ways of getting malicious content into a system, antivirus protection, APT defence and spam filters are absolute must-haves. However, good cybersecurity goes beyond filtering emails, encrypting data and protecting systems with firewalls and passwords. You also need good intrusion-detection systems in place so you know when someone is poking around where they shouldn’t. Reaction is another key piece of the puzzle: when a threat is detected, your systems and people should know how to react. A simple example is a system that temporarily locks an account after a run of wrong passwords, which slows password guessing to a crawl. The lockout should be time-limited rather than permanent, otherwise an attacker can lock legitimate users out simply by entering wrong passwords against their accounts, and repeated lockouts or a flood of failures from one source should raise an alert rather than fail silently. Backups and disaster recovery systems are also essential, especially against ransomware such as CryptoWall; at least one backup copy must be kept offline or otherwise out of reach of the machines being backed up, or the ransomware will encrypt the backups too.
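The lockout-and-alert idea described above, as an added example (written for this guide, not code from the article or from LSA): a small Python login guard that counts failures per account in a sliding window, applies a temporary lockout whose length doubles on each consecutive lockout up to a cap, clears the escalation on a genuine login, and raises an alert when one source IP racks up many failures across any accounts, which is the pattern of a password-spraying attack that per-account lockout alone never catches. The thresholds, window length, lockout durations and alert strings are illustrative choices, and the password check itself is passed in by the caller (for instance the `verify_password` function of a hashing example) so that a locked account never reveals whether the guess was right.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

# Illustrative policy values, not taken from the article.
WINDOW_SECONDS = 300       # failures are counted inside a 5-minute sliding window
LOCK_THRESHOLD = 5         # failures in the window that trigger a lockout
BASE_LOCK_SECONDS = 60     # first lockout length; doubles on each consecutive lockout
MAX_LOCK_SECONDS = 3600    # cap, so an attacker cannot lock a user out indefinitely
IP_ALERT_THRESHOLD = 20    # failures from one source IP (any accounts) that raise an alert


@dataclass
class LoginGuard:
    failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    ip_failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    lock_until: Dict[str, float] = field(default_factory=dict)
    lock_count: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    alerts: List[str] = field(default_factory=list)   # what the on-call / SOC would receive

    @staticmethod
    def _prune(q: Deque[float], now: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        return self.lock_until.get(user, 0.0) > now

    def attempt(self, user: str, ip: str, check_password: Callable[[], bool],
                now: Optional[float] = None) -> str:
        """Return 'locked', 'ok' or 'denied'.

        check_password() is only called when the account is not locked, so a locked
        account answers the same way whether or not the guess was correct."""
        if now is None:
            now = time.time()
        if self.is_locked(user, now):
            return "locked"
        if check_password():
            self.failures[user].clear()
            self.lock_count[user] = 0          # a real login resets the escalation
            return "ok"
        self._record_failure(user, ip, now)
        return "denied"

    def _record_failure(self, user: str, ip: str, now: float) -> None:
        q = self.failures[user]
        self._prune(q, now)
        q.append(now)
        if len(q) >= LOCK_THRESHOLD:
            n = self.lock_count[user]
            duration = min(BASE_LOCK_SECONDS * (2 ** n), MAX_LOCK_SECONDS)
            self.lock_until[user] = now + duration
            self.lock_count[user] = n + 1
            q.clear()
            self.alerts.append(f"lockout user={user} ip={ip} seconds={duration}")
        # Per-source counting catches password spraying: one wrong guess against each of
        # many accounts never trips the per-account threshold but is obvious per IP.
        ipq = self.ip_failures[ip]
        self._prune(ipq, now)
        ipq.append(now)
        if len(ipq) == IP_ALERT_THRESHOLD:
            self.alerts.append(f"bruteforce ip={ip} failures={len(ipq)} window={WINDOW_SECONDS}s")


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(LOCK_THRESHOLD):
        print(guard.attempt("alice", "10.0.0.5", lambda: False))   # denied x5
    print(guard.attempt("alice", "10.0.0.5", lambda: True))        # locked
    print(guard.alerts)
```

In production the counters would live in a shared store rather than in process memory, and the alerts would go to whatever your detection pipeline ingests, but the shape is the same: detect the pattern, react proportionately, and tell a human.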
4. Make sure you have an information security policy
As security expert Bruce Schneier says, “People often represent the weakest link in the network security chain and are chronically responsible for the failure of security systems.” This is why information security policies are so important; they clarify the company’s position on security best practice and explicitly state what employees can and can’t do with company resources. A good information security policy should cover issues like how data is stored and shared, employees’ use of social media, and the company’s position on BYOD (Bring Your Own Device). A recent survey showed that 74 per cent of companies are either already allowing, or are planning to allow, the use of personal devices for work purposes. With people working on a range of (potentially insecure) devices and connecting them to the company WiFi, the security risks increase significantly. Make sure you clarify what devices employees are allowed to use for work purposes (if any), and how they may be used.
5. Beware of malicious insiders
Around 35 per cent of cyberattacks come from insiders and 88 per cent of IT professionals admit they struggle to identify insider attacks. As Schneier says, “In the end, an organization is at the mercy of its people.” One way to help protect against this is the principle of least privilege: grant access to systems and data only to those who really need it for their job, review that access regularly (rights tend to accumulate as people change roles and are rarely taken away), and log and monitor what those with access actually do with it.
6. Educate your staff
All these measures mean little if your staff don’t know how to identify threats and potential scams. According to authors Christopher Hadnagy and Michele Fincher, “close to 300 billion e-mails are sent every day, and of that number, 90 percent are spam and viruses.” One wrong click by any one of your employees can cause havoc. In addition to malicious attachments and links, “social engineering” is the practice of conning employees into giving up valuable information (such as passwords) by posing as a legitimate source, for example a colleague, a supplier or the IT helpdesk; phishing emails are its most common form, but the same con works by phone and in person.
Companies need to educate their staff on potential threats and what to do if they suspect something. This is best done through in-house training and e-mail updates, reinforced with periodic simulated phishing exercises so you can measure whether the training is working. Make reporting easy and blame-free: a suspected phish reported within minutes is worth far more than one quietly deleted, and a mistaken click reported promptly can still be contained. Companies need to engage employees in cybersecurity and make it clear that, these days, it’s not just the domain of the IT team.
Now more than ever, companies and their employees need to take cybersecurity extremely seriously. Those who don’t run the risk of becoming yet another bad news story.