In my many conversations with friends and acquaintances about the world of cyber security, talk will very quickly turn to the daily headlines of data breaches, hacking and stolen passwords.
Indeed, recent talk has been about “the largest hack ever,” a case in which Russian criminals reportedly stole “1.2 billion user names and passwords, plus 500 million email addresses,” as reported by media sites including this one: http://www.nbcnews.com/tech/security/russian-hackers-said-haul-over-billion-stolen-emails-passwords-n173401
This type of headline would give the average CEO palpitations as they realise what it would mean for their business if they were subject to such a data breach. Before rushing to purchase an expensive, shiny kit with flashing lights, there are basic steps that every organisation can take to reduce their cyber risk at relatively little cost:
- Implement robust policies and procedures that are fully understood and embraced by users so they understand the important part they play in managing this risk.
In my experience, users are often the best form of defence when it comes to information security. This especially applies when attempts are made to access data using social engineering attacks, such as phishing emails. Many a sharp-eyed user has spotted a phishing email that has been let through the system by no end of filters and technical controls. Key to this is training and education, which I’ll come onto later…
- Ensure all hardware and software is fully patched, kept up to date (Windows XP anyone?), and is using the latest anti-malware and antivirus signature files.
Despite revelations from a senior executive at Symantec that “antivirus is dead,” as reported here http://www.huffingtonpost.co.uk/2014/05/07/antivirus-is-dead_n_5279004.html, the reality is that anti-malware solutions still have a role to play in protecting your IT estate. It’s certainly too soon to dispense with them altogether. Patching is of course vital, and made easier with automatic updates from vendors. That said, each patch will need testing against corporate applications to make sure they don’t break anything downstream, but getting patches tested and deployed is a useful way to reduce your exposure.
- Deploy and manage endpoint encryption so that any lost or stolen computer equipment is better protected.
I always remember a data loss incident that I investigated where an unencrypted laptop was stolen from an office. It wasn’t encrypted as it was used for internal testing only. Unfortunately, the day it was stolen the secure cabinet it should have been locked in was inaccessible due to building work. The lesson to learn here is to encrypt by default. Yes, encryption key management can be troublesome at times, but it is manageable with some of the solutions now available.
- Have fully tested backup and disaster recovery plans so that lost data can be recovered in the event of failure.
With the proliferation of secure cloud backup solutions, instigating a regular backup regime is not difficult. Just make sure that data is fully encrypted during the process (in motion), and that you know where it will be residing once backed up. This is especially important if, for some reason, the backed-up data is held in plain text, in which case there are legal, regulatory and jurisdictional issues that need to be considered. Of course, regularly checking that backups will restore can put your mind at rest that when the day comes and you need them, you will be able to recover your data.
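A restore check is the part of that paragraph most teams skip. The script below is an added example, not code from the original post: it backs up a directory into a tar archive, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every file against the manifest. The sample tree and the “file that was supposed to be backed up but never was” are constructed for the demonstration; encryption in motion and at rest is left to the transport and storage layer and is not shown here.

```python
"""Backup-and-restore verification: prove the archive actually restores."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory and diff the result against the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter rejects unsafe members (absolute paths, "..").
                # It exists on Python 3.12+ and recent 3.8-3.11 security releases.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)
        restored = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"checksum mismatch: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample tree: one clean restore test, then one where the
    manifest lists a file that never made it into the archive."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "share"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "q3.csv").write_text("dept,spend\nit,1200\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        archive = Path(work) / "share-backup.tar.gz"

        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)

        # Simulate an incomplete backup: a file the manifest expects was never copied.
        incomplete = dict(manifest)
        incomplete["finance/payroll.xlsx"] = "0" * 64  # placeholder digest
        broken = verify_restore(archive, incomplete)
    return clean, broken


if __name__ == "__main__":
    print(demo())
```

Running the script on a schedule (and keeping the manifest somewhere other than the backup itself) turns “we have backups” into “we have backups that were restored and checked on this date”, which is the assurance the paragraph above is asking for.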
- Make sure IT equipment is physically secure.
This goes without saying, and applies to all IT equipment including smartphones and tablets. There are some good third-party products that enable you to physically secure laptops. Smartphones are more difficult to physically lock down, which brings me to…
- Have a policy and set of controls to manage mobile devices.
These often contain the most current and sensitive corporate data available, and so need to be well protected. What complicates this is BYOD, the bringing to work of users’ own mobile devices, which the user can then connect (overtly or covertly) to corporate resources. There are big complications around what you can and can’t do when it comes to remotely wiping or deleting data from a user’s device. Tread carefully and take advice: technical, legal and HR-wise.
- Train all users to understand the importance of protecting organisational physical and data assets.
By getting users onside with your cyber security efforts, you will get an army of helpers out there spotting phishing emails and looking out for other problems before, hopefully, they arise.
So there you have it, some information security controls that can be put in place relatively cost effectively without the need for more boxes with flashing lights.