Managing the common risks in cyber security
Category: Thought Leadership
Cybercrime is reaching epidemic proportions. 2015 has already seen a large increase in the volume of global cyber security incidents, with the likes of Sony and AshleyMadison.com amongst the high-profile victims. However, a recent PwC Global State of Information Security Survey found that despite the number of detected cyber-attacks increasing 66 per cent year on year since 2009, global cyber security spending has decreased by four per cent in the same period. Cyber security provisions are not being factored into business planning and budgeting, even though they could protect against massive data breaches.
So, what practical approaches can businesses implement to protect themselves against the most common threats? Performanta, a specialist information security firm, offers companywide initiatives that can be implemented, as well as technologies that can help reduce a company’s risk.
Risk 1: Lack of cyber education
At the moment, negligence is a huge problem. Many employees are not aware of cyber security threats, and this creates a weak point which can be exploited by cyber criminals. A recent Verizon report shows that 23 per cent of employees will open phishing emails and a further 11 per cent will click on attachments. Spear phishing emails target specific people within an organisation in order to gain unlawful access to its confidential data. Dynamic threats such as spear phishing target the likes of confidential intellectual property (IP) data and are an effective tool for hackers.
Employees need to be informed of the many potential phishing threats they can encounter. Management should encourage an education programme that tackles the issue head on. For example, a company could create a weekly newsletter to educate staff on the latest threats to be aware of and how to flag any potential issues. Offering basic cyber security training to all employees, including C-level executives, who are prime targets for such cyber-attacks, can benefit employees by increasing their threat awareness both at work and at home.
Risk 2: Insider threats
Insider threats from malicious actors and disgruntled ex-employees are some of the more serious and common risks businesses face, since such actors will often already have wide access to the network and to sensitive information. The practical approach to this threat is to deploy specific technologies that track users, build a profile of their normal movements and report any anomalies. Such a system will flag abnormal user behaviour and can provide alerts based on warning signs as they occur.
Companies should also closely monitor those accounts that have privileged access to the system. All access and activity on the privileged accounts should be tracked, and an independent security team deployed to audit these logs on a regular basis.
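As an added illustration of the baseline-and-anomaly approach described above (example code written for this article, not a Performanta product), the script below builds a per-user profile of hosts and working hours from a constructed access log, then flags later events that deviate from it, with an extra rule for data exports by accounts on a hypothetical privileged-account list.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access logs (timestamp user host action); not real data.
BASELINE_LOG = [
    "2015-09-01T09:12:00 admin.jane fileserver01 login",
    "2015-09-01T10:30:00 admin.jane fileserver01 read",
    "2015-09-02T09:05:00 admin.jane hr-db01 login",
    "2015-09-02T14:20:00 bob.smith fileserver01 read",
    "2015-09-03T11:45:00 bob.smith fileserver01 read",
]
NEW_LOG = [
    "2015-09-07T09:40:00 admin.jane fileserver01 read",    # matches profile
    "2015-09-07T23:15:00 admin.jane hr-db01 export",       # off-hours + privileged export
    "2015-09-07T14:00:00 bob.smith hr-db01 read",          # host never seen for this user
    "2015-09-07T10:00:00 ex.employee fileserver01 login",  # account with no profile at all
]
PRIVILEGED = {"admin.jane"}  # hypothetical list of privileged accounts

def parse(line):
    ts, user, host, action = line.split()
    return datetime.fromisoformat(ts), user, host, action

def build_profiles(lines):
    """Per-user baseline: which hosts they touch and at which hours of the day."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _ in map(parse, lines):
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(ts.hour)
    return profiles

def find_anomalies(profiles, lines, privileged):
    """Return (user, host, reasons) for each event that deviates from the baseline."""
    alerts = []
    for ts, user, host, action in map(parse, lines):
        reasons = []
        profile = profiles.get(user)  # .get() does not create an empty profile
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"new host {host}")
            if ts.hour not in profile["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
        if user in privileged and action == "export":
            reasons.append("privileged account exported data")
        if reasons:
            alerts.append((user, host, "; ".join(reasons)))
    return alerts
```

A real deployment would learn the baseline over weeks rather than days and feed alerts to the independent audit team the article recommends rather than to the users being profiled.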
Risk 3: Bring your own device (BYOD)
A modern workforce now wants and expects to be able to use personal laptops, phones and tablets to conduct business via company servers while on the go. However, this can create a security weak point that allows a breach of the company’s network. Management teams should work to limit risks by establishing a comprehensive BYOD policy that all company members, even C-level executives, have to adhere to.
This policy would see employees educated about the risks their devices can bring and which documents it is appropriate to access from non-company devices, and would also mandate certain protections such as password protection and device encryption. If a business is going to implement a BYOD policy that allows employee devices full access to its network, it must treat those devices like company laptops, with all of the security safeguards that apply.
An agreed corporate policy gives the IT team a basis for refusing requests, or for coming up with a well-thought-out solution, rather than being cajoled by requests from senior company members. This type of forward thinking will help protect against the ‘nightmare’ scenario where a device is lost, unprotected, with access to sensitive corporate data.
One solution to all these risks is to seek the advice of professional cyber security companies who specialise not only in the technology but also in creating a secure vision for the company. This would incorporate all of the variables needed to protect a company, with the goal of creating one holistic security plan and then working towards implementing it. This level of foresight and planning is also an excellent way to separate the companies that simply want to sell equipment from those who wish to be security partners.
In the modern cyber security environment, CEOs and business managers have no option but to become more aware of the common cyber security risks and begin to implement best practices. To do any less leaves them open to unacceptable levels of risk and puts their business in jeopardy. By implementing some of these guidelines, companies go from having an intangible potential leak to a measurable threat that can be responded to and dealt with proactively.