For any business, the costs of a data breach are incalculable, ranging from short-term financial penalties to long-term reputational damage. However, the days of implementing an information security system and then sitting back are gone.
Automated attacks make no distinction between SMEs and large corporations – underlined by figures from the Department for Business, Innovation and Skills (BIS) 2013 Information Security Breaches survey, which show that 87 per cent of small organisations suffered a data breach in 2012, resulting in unwelcome costs typically in the range of £35,000 to £65,000.
It’s therefore unrealistic to suppose you can defend against every potential attack: sooner or later, some attacks will succeed. Instead, it is your organisation’s ‘resilience’ in identifying and responding to security breaches that will become a critical survival trait in the future.
Becoming cyber-resilient means accepting the risk that an attack may be successful, no matter how well prepared your defences are, and therefore embracing incident response and business continuity planning.
Any organisation, large or small, can take specific steps towards cyber resilience:
1. Secure the cyber perimeter
The Global State of Information Security® Survey 2014 found that hackers represent the most likely source of cyber-attacks (32 per cent), followed by competitors (14 per cent) and organised crime (12 per cent). Even the smallest companies are under threat of automated and indiscriminate cyber-attacks, which target identifiable hardware and software vulnerabilities such as un-patched software, inadequate passwords, poorly coded websites, insecure applications and poorly protected data (at rest and in transit).
Understanding your vulnerabilities is paramount. Test all your systems regularly and ensure the Open Web Application Security Project (OWASP) and SANS Institute top ten vulnerabilities and security weaknesses are patched. If you store data in the Cloud, those tests should also cover the software provided by your Cloud service provider.
2. Secure mobile devices beyond the perimeter
Encrypt and secure access to all portable and mobile devices (laptops, mobile phones, BlackBerrys, USB sticks, etc.) to ensure the increasingly elastic network perimeter remains secure and that data taken beyond the perimeter remains private.
3. Secure inward- and outward-bound communication channels
This area encompasses channels such as e-mail, instant messaging, Live Chat, and so on. Make sure there are appropriate arrangements for data archiving and that an appropriate balance exists between protecting confidentiality, integrity and availability of information.
4. Secure the internal network
Identify risks and implement controls against intrusions from internal threats such as rogue wireless access points, unauthorised USB sticks and unencrypted mobile data storage devices (including mobile phones, iPods and so on).
5. Train your staff
Attackers understand that employees are the security chain’s weakest link and abuse natural human weaknesses through a style of attack known as ‘social engineering’. Staff must be trained to recognise and respond appropriately to social engineering attacks, which include ‘tailgating’ (piggybacking on someone with legitimate access), ‘phishing’ (defrauding an online account holder of financial information by posing as a legitimate company), ‘spear phishing’ (phishing attempts directed at specific individuals) and ‘pharming’ (directing internet users to a bogus website in order to obtain personal information). Also ensure that you have a considered social media strategy, minimising information loss through social media platforms such as Facebook, LinkedIn and Twitter.
Your organisation’s ability to respond to and recover from data breaches also depends on your technical staff, who must be adequately trained to manage cyber risk and apply cyber security controls. Smaller organisations which outsource their IT need to check their supplier’s cyber security credentials.
6. Develop and test your security incident response plan (SIRP)
Sooner or later your defences will be breached, and you need an effective, robust plan for responding to that breach. Your response plan should include developing a digital forensics capability, so you have the in-house competence to secure areas affected by digital crime long before outside experts arrive on the scene.
7. Adopt appropriate information and cyber-security standards
Adopting key best practice standards for information security management, such as ISO 27001 and ISO 27032, will assure you of your organisation’s security and response capability and, as importantly, assure business partners and customers that their information is safe in your hands. Such standards provide the combined wisdom of years of best practice experience, helping ensure that all salient points are met in protecting your information.
Alan Calder is founder and Executive Chairman of IT Governance.