Some recent data breaches internationally have been spectacular, and all too well publicised from the point of view of the compromised organisations. The Talk Talk breach late last year made headlines as a potential leak of 1.5 million customers' personal data, and was made worse by the fact that the company had suffered well-publicised breaches in the past. In the end the breach affected far fewer customers: of 157,000 customers who had some of their data stolen, 'only' around 15,000 lost bank details (account numbers and sort codes), but most had names, addresses and email addresses exposed, plus an unknown but significant number of matching dates of birth. The company has lost nearly 300,000 customers so far, while the direct costs are acknowledged as £35 million (€44.3 million).
In many ways, the Talk Talk incident confirms the real-world consequences of a data breach: swingeing costs and severe damage to reputation. Customer data loss is the headline grabber; professional firms, for example, would rather lose their own data than client information, though such a neat choice is never actually on offer. For other types of organisation a breach can mean direct financial loss, as in banking and finance, corporate embezzlement, or ransomware. Increasingly, the target is corporate IP, with consequences that are potentially incalculable if not disastrous.
Inevitability
All information security experts agree that cyberattacks are common and some data breaches are inevitable. “Be prepared for the inevitable,” are Brian Honan’s first words of advice to any organisation. “There is no such thing as 100% security, certainly not in the IT world. So the first requirement is to prevent and detect attacks, starting with basic things like access control, data classification, encryption for data at rest or in transit and of course deploying basic security tools like antivirus and antimalware software. Security logs need to be closely monitored for suspicious behaviour, which many companies don’t in fact do. They just react when something has gone wrong.”
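Honan's point that security logs need to be monitored for suspicious behaviour, rather than read only after something has gone wrong, is easy to state and rarely done. The following is an added example written for this page (it is not Honan's code or anything from the organisations mentioned): a small detector that reads constructed sshd-style authentication lines and raises an alert when one source address fails to log in repeatedly within a short window, and a second, higher-priority alert when a success from that same address follows the burst, which is the pattern of a brute-force or password-spray attack that worked. The log lines, the year used to complete the timestamps, and the threshold and window values are all assumptions chosen for illustration.

```python
"""Flag suspicious authentication behaviour in sshd-style syslog lines.

Added example for this article. The sample lines below are constructed, not
taken from any real system, and the threshold/window values are illustrative
assumptions rather than recommendations from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: classic syslog format, no year).
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 web01 sshd[2102]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:04 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 web01 sshd[2104]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:07 web01 sshd[2105]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:09 web01 sshd[2106]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Mar 10 09:15:00 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:45:12 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
"""

# Matches both "Failed password for bob" and "Failed password for invalid user bob".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2016):
    """Parse one line into a dict, or return None for lines we don't understand.

    Syslog timestamps carry no year, so one is supplied (assumption: 2016).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (kind, source_ip, user, timestamp) alerts.

    kind is "brute_force" when a source reaches `threshold` failed logins
    inside `window`, and "success_after_failures" when that same source then
    logs in successfully while the burst is still within the window.
    """
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unrelated or malformed line; skip, don't crash the monitor
        src, ts = ev["src"], ev["ts"]
        # Sliding window: keep only failures that are still within `window`.
        recent = [t for t in failures[src] if ts - t <= window]
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("brute_force", src, ev["user"], ts))
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the case to act on.
            alerts.append(("success_after_failures", src, ev["user"], ts))
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:24s} src={src} user={user}")
```

Run against the sample, the single failed attempt by alice half an hour before her key-based login produces nothing, while the address 203.0.113.7 produces a brute-force alert on its fifth failure and a second alert when its next attempt is accepted. In practice the same logic would sit behind a log shipper or SIEM rule rather than a script, but the two conditions are the ones worth paging someone for.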
In many respects those points and management preoccupations are about technology, Honan says. “But security awareness training for staff is equally essential so that they are aware of the threats they and the organisations face and the risks that come with that. They need to take some responsibility for the data entrusted to them. They will also understand ‘Oh, so that’s why we have to do things this way.’ In fact, hopefully they will then be alert to and identify potential threats, notably phishing attempts, or even suggest safer ways of doing things.
Accidental
“A very high proportion of data leakage is accidental and down to IT users being just a little careless rather than anything malicious. All too often they are in fact trying to do their jobs better, like copying information onto a USB key or emailing to themselves to work on at home. The better informed they are the less likely this sort of lapse will be. In fact, you can create a willing security culture if people are informed and motivated.”
Another key strategy is to build the maximum resilience into your systems. “You want to avoid a business stoppage in the event of a breach or a cyberattack. If your web site is hacked, your email server compromised or whatever, you have data back-up in place. Similarly, coping with attacks should be an integral part of the organisation’s business continuity plans.”
So, in fact, should dealing with the consequences of a breach after the event, in Honan’s opinion. “It’s not just about the technical stuff, examining logs and establishing how the breach was made. There is a hugely important business dimension. The public consequences of a security breach have shifted, subtly but firmly. It’s not the fact that you had a data breach that is the most potentially damaging effect. It is more about how you handle the aftermath, communicating in as clear and transparent a way as possible with your customers, your partners and the authorities. For companies doing business internationally, compliance is very important because there may well be different legal requirements in jurisdictions where you have customers.”
Thought processes
That theme is echoed by Dermot Williams, who points out that in engaging with customers today he stresses the business side initially. “We don’t want to get into the specs of point security products before encouraging them to think about their security issues much more broadly. What do you need to secure and what are the possible outcomes in your business? We tend to distil it all down to three thought processes: what do you need to defeat threats? How to protect your business critical data, especially customer data? How to protect the business value, the brand name and corporate reputation?”
“Then we can move on to questions like ‘Where are the attack surfaces?’ ‘Where is the data at risk?’ We have identified nine attack surfaces such as network end points and mobile devices, the network itself, cloud, messaging systems, applications and web systems. Less immediately obvious, perhaps, are users, partners — because system to system communications are becoming much more common — and your external digital footprint. Users are a key area of potential vulnerability because what can happen is usually not technical in nature — innocent but ignorant use of Dropbox, for example, or succumbing to phishing. In fact, phishing has become very sophisticated and convincing, often based on information that has already been gleaned like authentic email addresses.”