Three rules to help protect your business from cyber attacks
The proliferation of cyber threat types and reported incidents is no doubt causing much anxiety amongst the world’s security officers – and certainly keeping the subject front and centre of corporate agendas.
With such a kaleidoscopic landscape, however, one of the biggest challenges is maintaining focus; it can be hard to see a clear way forward when there’s so much being thrown at you, much of it new and unknown. So there comes a time when one has to pause, take breath and refocus on the fundamentals, the anchor points. There are three simple rules to keep in mind:
Plan for the inevitable
Accept that you will suffer some sort of security incident. This is not an admission of failure, it’s an acknowledgement of a new normal. Governments and global commercial organisations, entities that have invested millions in security resources and technology, get hit every day. So do those at the opposite end of the scale, small, low-profile companies. Their breach may be different in character from those headline-making attacks – perhaps an accidental sharing of data by an employee – but it’s still an incident and it is likely to have ramifications.
How you respond to that incident is the important thing, so have a proper plan in place: one that deals with both remediation (identifying and resolving the original issue) and communication (keeping employees, stakeholders, and customers fully up to speed with what has happened and what you are doing about it). Get that plan wrong or simply don’t plan, and you won’t just be looking at a loss of data, but a complete loss of trust too.
Remember the basics
Although organisations are moving away from over-reliance on a firewall and adopting a more layered approach to security, it’s still a painful fact that most breaches come about not because of major strategic flaws but because of minor operational oversights. So do check that your housekeeping follows best practice. It’s a given that you maintain proper access controls, with a clear starters and leavers protocol and staff rights governed by set business rules. Only properly defined roles and responsibilities will ensure that patch management gets done correctly and in a timely manner, with strict supervisory controls layered over the top of the designated ‘doers’. Use the increasingly sophisticated defensive tools available to put effective monitoring and alerting across your estate systems, flagging up abnormal activity patterns or non-standard behaviour. And ensure that any of these non-conformances trigger an appropriate operational response rather than being left to fall through the cracks.
Mitigate the insider threat
Today it is easy to argue that the biggest security threat isn’t the corporate firewall and the risk of a breached perimeter, but staff and the supply chain – the human firewall. An organisation might believe it has the sort of security provision that makes it impenetrable, but the world we live in now has made every entity essentially permeable, with information able to flow out as easily as taking a photo of a screen, emailing a document to a Gmail account, or inadvertently mentioning something commercially sensitive on LinkedIn or Twitter.
Organisations have to be alive to both the malicious and the accidental threat actors within, though arguably it’s the latter that are harder to manage and neutralise, as so often people simply aren’t aware of the potential risks they’re running. And with the rise of social engineering and fraud-centric attacks, it can seem an impossible task to keep staff from becoming unsuspecting agents in an attack. This is where consistent and continuous education comes into play. It is not enough to rely on a one-time starters’ induction on basic security policies – security awareness should be embedded into the very fabric of an organisation, with regular training and reminders on those everyday perils (phishing, spear phishing, ransomware, shadow IT, etc.) and must-read notifications on new scams and dangers. Staff have to be made security-aware so they can better ‘derisk’ themselves and, in so doing, help their employers adopt a much stronger defensive posture in a world of increasing cyber threat.