In 2017, even organisations which have the best cyber-security policies and tools in place are still, unfortunately, vulnerable to a data breach. There are several reasons for this. First and foremost, we live in an age of increasing digitalisation of information, and this — coupled with more flexible working practices — has certainly made the IT department and CISO's job significantly more pressured. Sensitive, potentially organisation-crippling information now resides on numerous endpoint devices, such as laptops and smartphones, across a variety of geographic locations. And as we know, no employee is infallible when it comes to protecting important data.
So, we know data breaches will happen — but what about the kind of data that could be leaked? It stands to reason that corporate financial information, should it fall into the wrong hands and get out into the public domain, could be very damaging to a business. Employee paychecks, national insurance numbers, company assets, company debts, account information — all could have a significant fiscal and reputational impact on the affected organisation. In fact, Code42's recent Ctrl-Z security study found that both business decision makers and IT decision makers view financial information as their highest data protection priority (at 33 percent).
Don't get blinkered to just the balance sheet
While financial data might have ranked No. 1 when it comes to protection priorities, customer information came in a close second place for 31 percent of the businesses that took part in the Ctrl-Z study. Customer data, from an organisational perspective, is incredibly valuable. Think about the primary focus of the sales and marketing teams — it is to qualify and sell to leads, and keep that CRM system up to date. Therefore, the sheer amount of sensitive data, especially about existing customers, that organisations hold is often very large.
You only need to cast your mind back a couple of years to broadband provider TalkTalk to see the associated value of customer information. The company's data breach in October 2015 exposed the personal data of 157,000 of its customers, and whilst the direct financial penalty from the Information Commissioner's Office may have 'only' been £400k, the total cost to the organisation was far, far higher. The associated reputational damage caused the mass exodus of around 100,000 existing customers, and undoubtedly put thousands more people off from ever opting for the service provider. In fact, to this day, its share price and brand image have arguably still not completely recovered.
Stem the flow of sensitive info
Whilst there is no magic 'undo button' to protect an organisation against a data breach, there are steps which can be undertaken to counteract or mitigate some of the more harmful side effects.
This starts with understanding the flow of data across an organisation. For example, the presumption that sensitive information is ring-fenced in the data centre and accessible only to a specific department is almost certainly not the case in 2017. Multiple business lines and hierarchies of employees will almost certainly have access to potentially compromising information. Therefore, every device in the business must be protected accordingly.
Once the information itself and its usual movement patterns have been identified, it is vital to ensure that employees are aware of and educated about the company's implemented security policy. They need to know the best-practice means of transmitting and storing corporate data, and they must be given access to the tools they need to do their jobs, all of which should be sanctioned by the IT department as safe to use.
Don't do this and your employees could well be part of the 52 percent of business decision makers who use unauthorised programs / applications to prioritise getting their job done. Needless to say, this can become very problematic from an information security perspective.
Infosecurity working for you
Obviously, a full suite of complementary infosec tools is also a must to safeguard information from threats both outside and within the organisation itself. Antivirus, multi-factor authentication and endpoint monitoring / backup technology should all be staple minimum requirements. It is also essential that when sensitive information is backed up, it remains encrypted at rest on a device or in the cloud, and also in transit between these locations. Additionally, encryption keys should be kept with the organisation on-site, in a secure, preferably offline location. This ensures that if the worst happens and a breach does occur, then at least the information will be in an inaccessible format to any prying eyes.
Ultimately, no organisation is impervious to a data breach. Maintaining good cyber-security hygiene and work practices across a company, backed up by a full security stack — that is where both IT and corporate leadership should be concerting their efforts.
Contributed by Richard Agnew, VP UK, I & Northern Europe at Code42
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.