Data breaches happen with alarming regularity, so much so that we are at risk of becoming desensitised to both the associated costs – reputational and monetary – and the danger presented to us, the general public, when our data is breached.
In May 2020 alone we have seen examples of both large and small breaches that carry huge costs for those affected. The largest on record was the Thai-based cellular telecom provider AIS, which had a database that was leaking user web browsing information in real time, with over 8.3 billion records available for nefarious people to download and utilise. While the individual records here are not much use to anyone, the entire database could allow an attacker to extrapolate browsing habits and device information back to a specific IP address, which may then be used for targeted attacks or even potential blackmail.
The truth is we can never be fully protected against the possibility of our own company data being breached, leaked or ransomed, but we must all take as many steps as we can to limit the chances of becoming one of the statistics.
Here are five key steps that businesses of any size can implement which will put them on a better footing to avoid a breach.
Implement security standards
Bringing your business processes, technology, and security under a recognised framework such as Cyber Essentials or ISO 27001 is a great starting point to improve your security posture. Not only does it bring in standardised processes and focus the mind towards security, but in the process of attaining the accreditation you will have to take a root-and-branch review of the way your business operates and its current security footing.
Firms that already have Cyber Essentials should consider moving on to Cyber Essentials Plus, which includes an internal and external vulnerability scan to prove that they are implementing the controls that they attest to in the self-assessment questionnaire that is completed for the basic Cyber Essentials certification.
Bring in continuous compliance
Attaining an accreditation such as Cyber Essentials Plus is a fantastic accolade, but the vulnerability scans taken at the time are just that – a snapshot in time. We see many firms that make the effort to attain their certification, but then allow their security and processes to lapse during the year. They then scramble around at re-audit time to get their house in order for the next annual review.
Instead of this approach, firms should consider continuous compliance. Essentially, this is a process of regular vulnerability scanning alongside remediation and process improvement. With this methodology in place, not only should a pass of the next annual accreditation be a dead cert, but the risk of a security breach due to unpatched or vulnerable software is drastically reduced.
Encrypt, encrypt, encrypt
Servers, desktops, laptops and mobile devices should be encrypted. While not strictly required – though strongly advised – from a GDPR standpoint, encryption is a “get out of jail free” card in the event of the loss or theft of a corporate device as the encryption renders the information on the device inaccessible without a login to the machine or the decryption key.
BitLocker, the disk encryption technology built into the professional versions of Microsoft Windows, is a no-cost option here and works brilliantly. However, companies should utilise systems or tools to ensure compliance and logging of all their devices to provide an accountable proof of encryption should device loss occur.
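One way to produce that per-device proof of encryption is a scheduled script that records BitLocker state on each run. This is an added example, not part of the original article; the evidence file path is a hypothetical location, and the script assumes it runs elevated on a Windows edition that includes the BitLocker PowerShell module.

```powershell
#Requires -RunAsAdministrator
# Added example: append one timestamped BitLocker evidence record per run.
param(
    # Hypothetical location; point this at wherever your evidence is collected.
    [string]$EvidencePath = 'C:\ProgramData\EncryptionEvidence\bitlocker.jsonl'
)

$volumes = Get-BitLockerVolume

$record = [ordered]@{
    TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
    ComputerName = $env:COMPUTERNAME
    # The hardware serial ties the record to the physical device that may be lost.
    SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    Volumes      = @(foreach ($v in $volumes) {
        [ordered]@{
            MountPoint           = $v.MountPoint
            VolumeType           = "$($v.VolumeType)"
            VolumeStatus         = "$($v.VolumeStatus)"
            ProtectionStatus     = "$($v.ProtectionStatus)"
            EncryptionPercentage = $v.EncryptionPercentage
            EncryptionMethod     = "$($v.EncryptionMethod)"
            KeyProtectorTypes    = @($v.KeyProtector |
                ForEach-Object { "$($_.KeyProtectorType)" })
        }
    })
}

# "FullyEncrypted" alone is not enough: when protection is suspended the volume
# still reports as encrypted but ProtectionStatus is Off, so both are checked
# for every volume the cmdlet reports.
$nonCompliant = @($volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
})
$record.Compliant = ($nonCompliant.Count -eq 0)

# Append as one JSON object per line so the file is a history, not just a snapshot.
$dir = Split-Path -Parent $EvidencePath
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}
$record | ConvertTo-Json -Depth 4 -Compress |
    Add-Content -Path $EvidencePath -Encoding UTF8

if (-not $record.Compliant) {
    Write-Warning ("Non-compliant volumes: " + ($nonCompliant.MountPoint -join ', '))
    exit 1   # non-zero exit lets a scheduler or management tool flag the device
}
```

A record that exists only on the device is lost along with it, so forward these lines to a central store; the last record received before the loss is the proof of encryption.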
Improve the human firewall
All the electronic security measures on the planet will not help prevent a data breach if an employee provides personal data to a criminal over the telephone or provides their password in response to a well-crafted phishing e-mail.
Implementing a security awareness training program should be part of the security planning for all companies. For smaller firms, a program focused on spotting phishing e-mails is a great start and will deliver immediate results.
Larger companies should consider supplementing a phishing-based training program with other factors such as vishing (voice phishing – or telephone scams), smishing (SMS / text message scams) and physical security (such as tailgating employees into the building).
Alert and trained employees are also much more likely to report any strange behaviours to IT or security, allowing faster responses to a potential breach situation.
Put your security to the test
Bring in an external security consultancy firm to run penetration testing and simulated hacking attacks against the business.
Whilst some of this happens as part of Cyber Essentials Plus, or the continuous compliance vulnerability scanning, a proper penetration test goes much deeper by utilising security professionals to uncover holes in the corporate defences and to probe at, and ultimately penetrate, these holes. The findings can then be utilised to tighten up the security posture even further.
Companies who develop their own in-house code or applications should also run similar testing or vulnerability assessments against their products, as internally developed software without security scrutiny can often contain dangerous errors that can lead to a data breach.
While this is probably the most expensive step on the list, it is also the step that will uncover how well (or badly) the company is handling security. Although it may be more cost-efficient, do not be tempted to utilise your existing IT team or external managed service provider for the delivery of the penetration testing as it is unlikely to be impartial.
Public sector bodies should use a CHECK-approved company (https://www.ncsc.gov.uk/information/check-penetration-testing). All other UK firms are free to choose whoever they wish to work with. CREST provide a useful list of accredited penetration testers at https://service-selection-platform.crest-approved.org/accredited_companies/penetration_testing/
Written by Craig Atkins, Managing Director, 1-Fix Limited.