As companies wake up to a new way of working, what are the key security priorities they should be looking to implement, writes AJ Thompson, CCO at the corporate IT consultancy Northdoor.
Cyber-security is never far away from headline news. The last few years have seen a substantial increase in mainstream media interest in security breaches, hacks and data loss, helped by a better understanding of the importance and value of data by the public, Government and regulators alike (particularly with the high-profile introduction of regulations such as GDPR).
The COVID-19 outbreak, and the huge impact it has had on lives and working practices, has again thrown cybersecurity under the spotlight. Increasingly sophisticated cyber criminals, intent on taking advantage of the situation and the uncertainty of individuals working outside of the corporate environment, have made numerous, callous attempts to gain access to corporate networks, resulting in data losses, ransomware being planted and substantial disruption to business.
As a result, some companies have been spreading Fear, Uncertainty and Doubt (FUD) with confusing and often contradictory advice. Companies are more aware than ever of what the consequences of a poor response to a breach might be, yet at the same time seem increasingly confused as to what the first steps should be in organising themselves to respond to an attack and, where possible, prevent one.
In amongst all of the confusion and alarm surrounding cybersecurity, companies need to focus on the core areas they need to address. These might include the following.
1) Incident Response Team
Bringing together and implementing an Incident Response Team is perhaps the first step many companies need to consider. Without this team, a response to a threat or live attack can be disjointed and ineffective in dealing with the situation, the very opposite of what customers, the press and regulators are looking for. It is crucial to reassure all of those parties, and the company itself, that there is a dedicated team dealing with and responding to the situation with consistency and vigour.
The Incident Response Team is primarily made up of IT and/or cyber security staff, but may also include Public Relations, Human Resources and legal team members. This should be a virtual team which can be pulled together when needed. The team is designed to stop any attack and minimise the impact on the company, its customers and employees, as well as on the reputation of the organisation. As soon as there is a sign of a threat or an attack underway, the team should come together to mitigate the risk and reduce the cost to the company across the board.
The Government’s National Cyber Security Centre has issued some really useful advice on building a cyber security Incident Response Team; you can find more information here: https://www.ncsc.gov.uk/collection/incident-management/creating-incident-response-team.
2) Network monitoring and intrusion systems – proactivity key
The second step that many companies are looking to take is to ensure that the defences they have in place are effective and good enough to deal with the increasingly sophisticated threat coming from cyber criminals. Ensuring that all systems and equipment are up-to-date with the latest security patches and are still being supported is the first basic step. During this period, where we have seen such a huge increase in home working, many may well have been opening up and starting old laptops to ensure that they can work outside of the office. In some cases, it may be that these have not been updated and, in the worst case, are no longer supported, which leaves them vulnerable to attack.
We are increasingly seeing a subtler approach from criminals who gain access to corporate networks and then do very little other than monitor. They are looking for where they can gain access to the most valuable data and identifying key vulnerabilities within systems. Sometimes these criminals ‘hide’ for months before eventually acting or selling the information to others. This has been particularly the case with ransomware attacks, where the perpetrators wait to find and steal the most valuable data before asking for their ransom.
The key to defending systems from an increasing threat is to be proactive in your approach. The continual change in the approach and sophistication of the cybercriminal means that sitting passively behind your wall of defences is no longer an option. Inevitably, passive defence will mean that the attacker will find the tools to overcome it. Proactively searching for and identifying threats is absolutely key. Searching for vulnerabilities within your own organisation is an obvious step, but organisations also have to ensure that their entire supply chain is as strongly defended as their own systems – you are only as secure as your weakest link. There have been multiple examples of huge breaches where criminals have gained access not directly through the victim’s infrastructure, but through that of a partner or supplier.
3) Addressing the insider threat
Your own employees remain one of the main weaknesses in most companies’ security. This has certainly not reduced during the pandemic, with many working outside of the corporate environment, at home. The 2020 Global Encryption Trends Study has shown that 54 percent of respondents identified employee mistakes as the top threat to sensitive data, by far the biggest threat, with system or process malfunction (31 percent) and hackers (29 percent) following some way behind.
Most employees allow criminals access to networks, infrastructure or data accidentally, and it is this ‘accidental insider threat’ that companies can easily help to reduce. The key is education and communication. If employees are able to identify a likely phishing email, for example, this dramatically reduces the ability of criminals to gain access. Home working isn’t going to go away after the pandemic dies down. Companies need to ensure that their employees are armed with the information that allows them to reduce the success of criminals targeting individual employees.
There have, of course, been a number of different regulations passed over the last five years or so, designed to ensure companies are doing everything possible to protect data. The introduction of GDPR is a great example of where regulations are being introduced to combat the threat of data breaches. It is also a good example of how companies are rushing to ensure that they are adhering to such regulations in light of the increased media scrutiny.
However, companies should not be thinking “are we compliant” but rather, “are we secure”. There is a difference: regulations cannot be introduced at the speed criminals can implement new, sophisticated technology to gain access. By being compliant you are only as secure as the threat was at the time the regulations were drawn up; it is likely the criminal is already two or three steps ahead.
Being proactive and ensuring best practice security measures are introduced, over and above the regulatory requirements, means that the threat of accidental insider actions is somewhat nullified, whilst preparing organisations for future regulations.
We are living through unprecedented times, but as we have seen, this seems to act as an incentive for cyber criminals to up their activity. This, alongside more employees than ever working at home, away from corporate environments, means companies have to be on the front foot. Being proactive in their approach, ensuring that employees are fully brought in, whilst industrialising data processes and security will be crucial over the coming months.