I’ve left my laptop on the train…
We’ve all heard news reports of how an MP has left a laptop holding official secrets unattended on the train but what would happen if one of your staff did the same thing?
As technology becomes part of our everyday lives and we manage our work and home life through electronic devices such as smart phones and tablets, a whole new world of opportunities is available for us to work smarter and not harder. On the plus side, this new technology makes life easier, easier to pay bills, easier to stay in touch with friends and loved ones, we can even catch up with our favourite TV whilst on the way to work.
On the downside this new world of online possibilities and new way of living and working brings risk as well as opportunity. Companies need to be aware of the potential cyber risks to their business whilst also using technology to its full potential, particularly in areas such as social media and cloud computing. It is important for businesses to have an online presence, but as with everything this has to be effectively managed to ensure it is beneficial but not damaging to the company and this can be a challenge as technology is constantly changing and evolving. So what exactly is a cyber-risk? The Institute of Risk management states that:
“Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”
Here are some scary facts
Did you know…
…1 million people are victims of Cybercrime each day
…although security breach incidents have declined slightly in the last year, the value has nearly doubled
…73% of large organisations suffered from viruses or malware attack last year
(Source: The European Commission “Strategic Risk Guide” 2014 & Department for Business Innovation & Skills (Information Security Breaches Survey) 2014 Page 02/03)
No-one is safe
Large organisations are often targeted by “hacktivist” groups with political, religious or ethical motivation. Individuals are seen as easy targets for having their credit or debit cards used fraudulently. No one is immune to cyber risks, not even small businesses. In fact, small businesses can often be a target for cyber criminals because it is assumed that they won’t have sufficient protection against a cyber-attack.
…so what or who are your weak spots?
A teenager hacking into your company network from their bedroom may be the first thing that comes to mind when considering an information security breach. But in reality, there are also cyber criminals looking to make millions through fraudulent use of confidential information and they can be based anywhere in the world.
Every organisation needs a two prong attack in the fight against cyber-crime. A comprehensive IT system with a well-structured and regularly updated firewall should naturally help to keep cyber criminals from accessing your confidential data but you must also stop staff from “letting them in” too. Opening infected email attachments, carelessness with passwords, sending sensitive information via email are all events that will increase your organisation’s cyber risk. There have even been past cases reported of deliberate security breaches by members of staff working as an insider. If staff are working with sensitive information in this way, they should be made aware of these potential risks and there should be procedures in place to prevent them making these mistakes.
Information is the lifeblood of most organisations and any compromise of confidential information can have a long lasting or even permanent impact on a company. I’ve summarised here a report by GCHQ into a quick checklist that should help with your fight against cyber-crime. As GCHQ observe;
“Information compromise can lead to material financial loss through loss of productivity, of intellectual property, reputational damage, recovery costs, investigation time, regulatory and legal costs. This could lead to a reduced competitive advantage, lower market share, impact on profits, adverse media coverage, bankruptcy, or even, where safety-critical systems may be concerned, loss of life.”1
They estimate that…
“By improving security in these key areas you will be able to prevent 80% of cyber-attacks, allowing you to focus on dealing with the other 20%.”2
10 Steps to a smarter regime
1. Protect data that leaves your organisation with your staff…
Most organisations large or small have staff that work from home or out in the field so it is important to train and protect them well from cyber-risk. Create baseline security to all IT and mobile devices to protect data with passwords and create a specific policy in your handbook for mobile workers to adhere to. Complement this with staff training and refreshers to keep standards high.
2. Train your staff
Not just mobile workers but office based staff need training to help protect your IT network. Even the largest organisations can suffer from virus or malware as they are being written and used by cyber criminals just as fast as the antivirus software is updated. Ensure that even the most junior member of staff is aware of a virus threat; after all they are most likely the ones who would naïvely open a suspect email attachment.
3. Create a back-up plan
Inevitably there will be a breach at some time within your organisation so make sure you have a manager or team in charge of handling it as quickly as possible. Get them specialist training to produce a disaster recovery plan and make sure it includes reporting the incident to the Police.
4. Develop a robust Information Risk Management Regime
Ensure that cyber-risk is part of your overall risk management system and produce supporting risk management policies.
5. Control & manage access to confidential data
The less people who have access to data the less the risk of it being unintentionally disclosed. Create a hierarchical password structure that limits user privileges and build in second user authorisation practices to maintain this. Try and keep ADMIN level users to a bare minimum.
6. Control usage and scan USB, card and other flash drives/mobile media
Produce a policy to control your staff’ usage of mobile media storage and limit their types and use. Scan all media for malware before importing on to corporate system.
7. Keep on monitoring
Create a schedule to analyse your IT system and networks for unusual activity that could indicate and attack. Make this someone’s role and implement a monitoring strategy and policies for when they are on leave so the schedule can be maintained by another member of staff.
8. Keep Secure Configurations
Build into your schedule the continuous update of security patches, making sure all your existing PCs and devices are updated as well as newly introduced hardware. Use an Asset log to help with this procedure.
9. Keep scanning for Malware
Establish anti-malware defences that are relevant to all your business functions and keep scanning for malware across the organisation.
10. Maintain high standards of Network Security
Use firewalls and specialist hardware to keep your network’s perimeter robust to filter out unauthorised access and malicious content. Monitor and test these security controls regularly.
These 10 steps will help prevent attacks but of course cannot ensure the protection against all attackers. You will need to tailor them to suit your organisation and the environment it operates in. In terms of both hardware and staff, it is vital to identify threats, manage risks, create anti cyber-crime policies and uphold and update them regularly.
Having even the most basic system security in place can prevent a large amount of cyber-attacks, but this won’t stop them all. The technology to protect against cyber risks also needs to be managed, it is important to recognise what the companies most valuable assets are, such as confidential information and intellectual property. Identify any risks to the company’s information assets, such as the people who have access to the information and the type of people who might want to target that information from the outside. Always plan for the worst case scenario, so if a cyber-attack occurs the company can recover quickly and effectively, assess how and why the attack occurred and prevent it happening in the future.
Insurance is always important in the event of a cyber-attack and can help cover the costs, but insurance can’t protect you from a damaged reputation. Having the technology in place to protect you from a cyber-attack in the first place is very important, but cyber risks aren’t just a concern for the IT department, organisational and human factors are just as important, educating staff in the correct procedures and potential risks can be highly effective in preventing an internal breach of security.
& finally, don’t assume it won’t happen to you, here are just a few household names that have “lost” their customer’s details….
Domino’s Pizza – 650,000 customers details
Google – 5 million Gmail addresses and password
AOL – a “significant” number of users (thought to be around 80 million)
eBay – 145 million hacked accounts
1. GCHQ, BIS & CPNI (Executive Companion, 10 Steps to Cyber Security) 2012
2. GCHQ, BIS & CPNI (Executive Companion, 10 Steps to Cyber Security) 2012 – Page 07