Is the enemy within?

by Mark Rowe

Pose the question of data security in any corporate business and you will be told about firewalls, wireless and network-based intrusion detection systems, and any number of ‘water-tight’ measures against potential external attacks. However, what if the threat is coming from inside the business? asks David Rolfe, Associate Director, FortuneWest.

The reality for any business is that its data security can be compromised from inside the organisation. It only takes one disgruntled employee to leak sensitive data to direct competitors, or to throw a virtual spanner into a company’s network and disrupt the running of databases or the availability of other digital data, such as websites. The outcome of either of these scenarios is potentially harmful: corporate reputations and industry ‘good will’ can be damaged, projects can be set back, and financial losses can occur.

Securing corporate networks against unlawful external access is a constant challenge for IT administrators. Operating system and anti-virus patches need to be consistently applied in response to new threats. But companies also need to look inwards at the corporate environment, and to examine their culture and working practices for potential weak spots in data security. A number of simple measures should be in place to avoid potential danger to a company’s commercial advantage. A corporate security policy on data handling provides awareness and guidelines for companies and staff on the handling of data in and outside of the workplace.

This policy should highlight the dangers faced when material is removed from the business site for the purposes of working from home or in transit. It should also provide practical measures and safeguards relating to how employees conduct themselves while in the place of work.

Ask yourself how many of your employees’ devices carry commercially sensitive data, and how many of those have some form of encryption. I would guess that the answer would cause grave concerns.

The use of USB thumb drives, or other devices capable of accessing the corporate network, should be severely restricted or even banned. USB ports on workstation PCs should be disabled, or only USB drives issued by the IT department should be connected. However, with the onset of the Bring Your Own Device (BYOD) trend in large corporate businesses, control is more challenging and the risk of damaging the stability and security of the network is increased. This trend has opened new avenues to hackers and criminals that did not exist previously with the traditional closed network.

How many of your employees have a Gmail or Yahoo email account that could be used to pass information out of the network undetected?

Apart from the detrimental effect on workplace productivity, personal usage of the Internet through corporate systems brings the threat of malicious software. Up-to-date anti-virus programmes will not always stop malware from hitting a corporate network, as the cat and mouse game between hackers and IT security departments constantly evolves and thousands of new malware variants hit the internet every day. The always-on nature of today’s culture leads to constant updating of social network sites, opening the door to system breaches.

The consequences of failing to adhere to the corporate security policy can be dramatic. The recent Department for Business, Innovation and Skills 2013 Information Security Breaches survey reports, alarmingly, that 93% of the large businesses surveyed have suffered an attack of some description in the last 12 months, with losses ranging from £450,000 to £850,000, but the problem is no longer the province of large businesses. The rate of attacks on SMEs has escalated by more than 10 per cent from the previous year, to 87 per cent having suffered some form of attack.

The policy relating to data should be a living, breathing organism that flexes with changes in technology and in the sophistication of attacks. All staff, from the highest level down, should sign this policy and, periodically, be reminded of the agreement via email or the company intranet. Any legal action against an employee who breaches protocol will be weakened by the absence of a signed security policy setting out the terms and conditions for removal of data from the corporate site.

Companies that ignore this view do so at their own peril, as the world is changing around them and they will be vulnerable if they do not change with it. Physical security losses are now becoming insignificant compared to the billions that are removed fraudulently using cyber-dependent or cyber-enabled techniques.

Where do you stand?

Visit – http://www.fortunewest.co.uk/cyber-risk.html

© 2024 Professional Security Magazine. All rights reserved.