Even for those involved in IT security it is easy to imagine that the serious incidents happen to somebody else. Recent major breaches such as those reported by Equifax, Uber and Deloitte may leave onlookers with little more than a feeling of schadenfreude. However, although big-name cases attract the publicity, a UK government report says that half of all UK businesses experienced a cyber-attack in 2017.
Often breaches occur because the security team has not had time to apply and test security patches in a timely manner, or because employees ignore the need for ‘strong’ passwords. It seems that the Deloitte breach occurred when an administrator's account was protected only by a single password, with no ‘two-step’ authentication.
So, while implementing the right systems is important, organisations must also instil the right attitude within the business so that employees understand the importance of data security and don't put the organisation at risk with the way they manage and handle data.
In an age where easy access to data is the norm, this is not straightforward. Businesses must ensure that employees never compromise security in exchange for being able to access the information they want, when they want it – however frustrating this may be. There is a need for education here. Take the manager who needs to deliver a presentation the next day and wants to store it somewhere accessible. There is a natural inclination to save the slides in multiple locations – on the company laptop, on a file-sharing application and on a memory stick, perhaps – with the rationale that if one location fails, the others can serve as back-up.
Such an approach creates its own problems, and users need to be made aware of the issues and concerns. If the laptop is left on a train, it could be easy prey for anyone with the skill and inclination to break into it. The file-sharing application could also be compromised, while USB sticks are frequently lost. Simply by taking the data outside of the corporate infrastructure, you are bypassing all the security measures and potentially putting sensitive information at risk.
It's a clear demonstration of how so many businesses can make themselves vulnerable by effectively sleepwalking into data breaches. So, what's the solution?
Technology should always be part of it. Anti-virus and anti-malware software needs to be implemented and kept up to date. Data leakage protection can also be deployed, providing electronic tracking of files, or putting systems in place that stop users arbitrarily dropping data out to unauthorised cloud services. Adaptive authentication, in which risk-based multi-factor authentication helps protect users accessing websites, portals, browsers or applications, also has an increasingly key role to play.
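To make the adaptive authentication idea concrete, here is an added illustrative example (not code from the article or from any product it mentions) of a risk-based step-up policy: weak signals such as an unfamiliar device, an unusual country or recent password failures are combined into a score, and the score decides whether a correct password is enough, whether a second factor is demanded, or whether the sign-in is blocked. Administrative interfaces always require a second factor, reflecting the single-password administrator account described above. The signals, weights and thresholds are assumptions chosen for demonstration, and the sample sign-ins are constructed.

```python
from dataclasses import dataclass

# Illustrative risk-based (adaptive) authentication policy. Added example, not a
# product's code; the signals, weights and thresholds below are assumed for the
# sake of demonstration and would be tuned against real sign-in data.


@dataclass
class LoginContext:
    user: str
    device_known: bool              # device fingerprint previously enrolled by this user
    request_country: str            # geolocated country of the request
    usual_country: str              # country the user normally signs in from
    failed_attempts_last_hour: int  # recent password failures for this account
    admin_portal: bool              # request targets an administrative interface


def risk_score(ctx: LoginContext) -> int:
    """Combine weak signals into a single risk score (0 = nothing unusual)."""
    score = 0
    if not ctx.device_known:
        score += 40  # new device: a common sign of a stolen or phished password
    if ctx.request_country != ctx.usual_country:
        score += 30  # unusual location for this user
    score += 10 * min(ctx.failed_attempts_last_hour, 5)  # brute-force pressure, capped
    return score


def decide(ctx: LoginContext) -> str:
    """Return 'allow', 'require_mfa' or 'deny' for a sign-in whose password was correct."""
    score = risk_score(ctx)
    if score >= 80:
        return "deny"  # several signals at once: block and raise an alert
    # Privileged access never relies on a password alone, whatever the score.
    if ctx.admin_portal or score >= 30:
        return "require_mfa"  # step up to a second factor
    return "allow"


# Constructed sample sign-ins (not real users or events)
SAMPLES = {
    "office_laptop": LoginContext("alice", True, "GB", "GB", 0, False),
    "new_phone": LoginContext("alice", False, "GB", "GB", 0, False),
    "unknown_device_abroad_after_failures": LoginContext("alice", False, "US", "GB", 3, False),
    "admin_from_office": LoginContext("bob", True, "GB", "GB", 0, True),
}


def evaluate_samples() -> dict:
    """Run the policy over every constructed sample and return the verdicts."""
    return {name: decide(ctx) for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

The point of the design is that the user with a known laptop in their usual country is not nagged for a second factor, while a login from an unknown device abroad after a run of failed passwords is refused outright rather than merely challenged; a real deployment would also log every `require_mfa` and `deny` decision for the security team to review.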
Businesses need to reinforce the message that employees must take a responsible approach to managing and protecting data. They must be aware of the potential security threats and do all they can to mitigate them – from taking care of the devices they use at work to ensuring their passwords are strong.
Making sure every employee knows the consequences of non-compliance with regulations such as the General Data Protection Regulation (GDPR) is also important. If they know that penalties can be as severe as £20 million or up to four percent of total turnover – and consequently that jobs could be at stake – the threat is no longer abstract but a real, personal concern.
Finally, encourage them to adopt the assumption that a serious incident could happen anywhere, at any time and to any business – and that it is never merely ‘someone else's problem’.
Contributed by Mike Simmonds, managing director, Axial Systems.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.