Will we ever get ahead of the hackers?
The number of data breaches has continued to grow in 2015. Barely a day goes by without a company or country falling victim to a cyber-security attack, says Gary Newe.
Gary Newe, F5
Some of the high profile attacks we've witnessed this year include Github, Uber, and Chris Froome's personal training data. These attacks, amongst others, demonstrate the vast scale of the problem that so many have had to deal with and others fear will happen to them.
But behind the headlines – which often focus on which celebrity pictures have been leaked, or whether America suspects Russia or China is to blame – the message is clear: hackers are still one step ahead of many organisations' security procedures. In spite of this, there are ways that companies and individuals can protect themselves in order to level the playing field and ensure hacker dominance is short-lived:
Sharing is key – Becoming a victim of a cyber-attack can be devastating for any company. Not only can it put sensitive data in the hands of the wrong people, it can have a damaging effect on its reputation with customers. But in order to get ahead of the hackers, organisations need to work together to keep them out. This means sharing information about types of attacks, defence tactics and best practices.
Recently, the US Congress passed legislation to legally protect organisations that share cyber threat indicators and defensive measures to help encourage such practices. The two bills drafted this year offer liability protection for companies that share cyber threat indicators with the government. These types of measures are essential because they encourage knowledge sharing between companies, whilst protecting them from liability, under current law, for divulging details of a cyber-attack on their organisation.
Education for all – The best way to combat a recurring problem is to increase awareness and educate people about why it happened in the first place. Companies should therefore take the time to share usage best practices at a customer and employee level. Security risks are often a result of employee or customer mistakes or actions. But this doesn't mean the onus is only on them.
As a company, it is your duty to have policies in place to educate your staff about security. Sometimes cyber attackers will use a method as simple as sending a piece of malware in an email – as we saw with the Target data breach. But as hackers become more sophisticated, educating employees needs to go beyond better password management. Think about how users are authenticated to use the network for example, and how easy it would be for a hacker to breach. Login processes that require two-factor authentication can add an extra layer of security to accounts with users logging in from remote locations. Although you may have protection around company data inside the network, employees might choose to use their preferred cloud applications to manage work documents, which may operate outside IT jurisdiction, putting your data at risk. Ensure you have a policy in place which specifies which applications employees are allowed to use or even better, implement a system that manages and secures the identities of users, rather than every device they use to access the network. Most importantly, explain to staff why these measures are important and what they can do to help, encouraging their contribution and compliance in maintaining security.
Have a plan – If experience has taught us anything, it's that anyone can fall victim to a cyber-security attack. There's no excuse then for a business not to have a security plan in place and arm themselves with the latest technology – such as encryption, DDoS mitigation techniques and protection for critical apps.
Recent research revealed that over half (54 percent) of businesses lack security intelligence to protect against cyber threats. Six in ten IT decision makers also lack complete confidence in their company's cyber security policies. Organisations need to act now and put a plan in place if they haven't already, and ensure they're investing in the right technologies to protect their business and data.
A change in how we handle and look after information, whether as individuals or businesses, is inevitable. This might be due to a behavioural change caused by a massive or highly damaging hack that effects a large amount of people – for example, the UK's connected heating devices being hacked in the middle of winter. Alternatively it'll be institutionally-driven change – 2015 is likely to see the introduction of the new EU Data Protection legislation, having implications for the ways in which data is collected, stored, accessed and secured by organisations. Regardless, businesses shouldn't sit still and wait for one of the above. Instead, they should take the lead, implementing their own policies and security infrastructures. Doing so can help us all get ahead of the hackers.Contributed by Gary Newe, Technical Director, F5.