Another day, another cybersecurity breach. But why is information security still low down on the list of risks to so many businesses?
A whopping 63 per cent of business decision makers in large organisations across the globe agree they are likely to suffer a security breach at some point, according to NTT Com Security’s Risk:Value report.
Yet what’s more alarming is that UK executives in particular believe that only 49 per cent of their critical data is fully secure.
These findings provide some real insight into the minds of executives about the value placed on the data in their business and whether they feel this data is at risk. We have seen a string of high-profile attacks recently and companies of all sizes in every sector need to take stock. The risk of a cyber attack is not going away and we are all vulnerable to an attack.
Businesses need to be smarter at moving the data security dial from ‘important’ to ‘vital’ – and recognise it as both good practice and a business enabler. Here are the top five tips on moving the dial to ‘vital’…
1. Completely secure all critical data
Many organisations are falling behind with the appropriate controls to detect and respond to the threats faced. The threat landscape will constantly change and continue to become more sophisticated, so there is a requirement for more advanced controls built on top of a strong foundation to keep up with today’s trends and attacks.
Implementing basic security measures, combined with a clear understanding of an organisation’s critical assets, will help reduce an enterprise’s exploitable footprint, provide an investigative basis and give it the ability to respond to a security threat. As a minimum, assess the highest risks first, validate and implement the right controls, and ensure that each control is actually implemented and regularly tested to confirm that it is effective.
To name a few, this includes ensuring that critical patches are in place, and that vulnerabilities are scanned for and mitigated. Ensure that every technology put in place is correctly configured, and that the necessary operational procedures exist to maintain those configurations as the threats change.
2. People and processes matter too
Data security is not just dependent on technology. It is about people and processes too. Enforcing an incident response plan, and recognising that security incidents will happen, is critical for minimising the impact of a breach. Organisations with a formal process that defines an incident and provides step-by-step guidance on how to handle a future attack will be better prepared to handle incidents in an effective and consistent way.
In order to limit damage and reduce recovery time and cost, an incident response plan needs to be kept up to date and shared among relevant personnel. Tests should also be performed regularly to ensure people understand their roles and responsibilities.
Establishing policies to share with other parts of the business affected by a breach – whether PR, business continuity, risk or customer services teams – is also crucial. Although it is not always essential to share information about a breach with a company’s customers and partners, it will be necessary to define and communicate a policy internally.
It all depends on the nature of the incident and how early the IT team can understand and communicate what it is and what remedial action is being taken.
3. Education, education, education
As intellectual property and critical data continue to extend into every corner of an organisation, information security becomes everyone’s problem and everyone’s responsibility. Improving internal knowledge and awareness of data security among employees is therefore imperative.
Sadly, though, employees often fail to follow even the strictest security policies and procedures – not for malicious reasons but often because they are too busy and are looking for the easiest way round them. Data security is also perceived as a bit technical and all too often is seen as ‘someone else’s job’ (usually the IT manager’s).
Businesses should implement relevant training and awareness-raising programmes to help staff understand their roles and responsibilities, and change their behaviour. Like any education programme, combine training with well-defined, measurable goals and an understanding of the intended audience.
4. Take out (appropriate) cyber liability insurance
Technological advancements are changing the way we operate, yet these developments can also be our biggest downfall. The reality is that information security technology, although working hard to remain one step ahead of cyber attackers, will never prevent 100 per cent of potential attacks. Taking out a cyber insurance policy can transfer the financial risks associated with data loss and data security breaches.
Cyber insurance, however, is a minefield of ambiguity. According to the Risk:Value report, just 48 per cent of UK businesses say their company insurance covers both data loss and a security breach, while a quarter don’t even know what they are insured for in the event of a data security breach.
Every business serious about insuring its vital assets must first demonstrate to the insurer the protective steps it has taken before taking out a policy.
As described in the first tip, this includes both assessing and reducing the risk in the first place, and the steps to continuously monitor these risks. Only then can an insurance company begin to understand the company’s risk exposure and create a policy that is relevant to the business.
5. Outsource security requirements
The threat landscape will continually change, which means every company must consider its current risk exposure in the context of its commercial objectives.
Working with a trusted provider can help businesses access intelligent information for active threat management. A Managed Security Services Provider (MSSP) can provide visibility and control to manage information security risk – and is therefore able to actively notify customers about potential threats and proactively mitigate them.
Most companies have applications that they don’t want to touch and can’t lock down roles and responsibilities for. Collaboration with a third party will allow businesses to actively manage the threat before it impacts them.
It’s worth noting, though, that businesses should exercise caution when choosing a managed and professional security services provider. Find one that is prepared to work within the business model and strategic aims – not to its own agenda.
It’s about getting access to their collective global knowledge and systems, and highly experienced people.
The risk of an attack is unlikely to diminish and the sophistication and frequency of attacks continues to grow. But moving the data security dial to ‘vital’ will enable organisations to both reduce the risk of an attack, and detect and mitigate a breach sooner.
Stuart Reed is Senior Director of Global Product Marketing at NTT Com Security.