- Security TWENTY
- Women in Security Awards
Countering data breaches is not all about technology, writes Mike Simmonds, pictured, managing director, Axial Systems.
When Bring Your Own Device (BYOD) first took off, security concerns drove companies to take measures to endeavour to counteract the risks of allowing remote access to company data from employee devices. Many believed they had shut the door to cybercrime. In reality, data breaches continued to soar. A report from the Identity Theft Resource Center and CyberScout, the data risk management company, found that the number of data breaches in the US alone jumped 29 per cent in the first half of 2017 compared to the corresponding period the year before. Across the world we have seen a raft of organisations fall foul of extensively publicised security breaches , the consequences of which are often severe, not to mention the ongoing reputational damage.
The possibility of a fine being levied is always a significant concern to business leaders, and often leads to a focus of mind on the issue in question. In the case of the pending EU General Data Protection Regulation (GDPR), for instance, the most severe penalty available for non-compliance is a fine of €20 million, or up to 4% of the preceding financial years’ total worldwide annual turnover, whichever is greater.
The reputational consequences caused by a data breach can also be as damaging; as serious fines attract negative media coverage and may deter prospective customers. The inability of the business to recover what has been lost by the breach can further compromise credibility. After all, while some cyber criminals steal data, others, notably including the propagators of ransomware, corrupt it and make it potentially worthless, even after a ransom may have been paid.
In light of the above, how can businesses best go about protecting themselves against the consequences of cyber security breaches? Part of the answer is ensuring the right security practices and protocols are in place and are adhered to as best and normal behaviour. Sometimes it is as simple as getting the latest security patches from vendors applied and tested across the company as soon as possible. Other times, it is more complex: making certain, for example, that sensitive or personal data that has been transitioned to the care of a cloud service provider is encrypted in-transit and the moment it lands rather than post-landing.
However, best practice data protection always needs to be about more than just applying a technological fix. While implementing the right systems is important, organisations must also instil a culture of security within the business so that employees understand the importance of data security to mitigate employees putting the organisation at risk by the way they manage and handle data. In an age where immediate and easy access to data is the norm, that is not straightforward. Businesses must ensure that employees never compromise security in exchange for being able to access the information they want, when they want it.
There is a need for education here. Consider the manager that must deliver a presentation the next day and decides to store it in multiple accessible locations to ensure access; on the company laptop, on a file-sharing application in the cloud and on a memory stick, perhaps, with the rationale that if one location fails, the others can serve as back-up.
Such an approach creates its own problems however – and users need to be made aware of the issues and concerns. If the laptop is left on a train or is left accessible whilst in use, it could be easy prey for anyone with the skill and inclination to break into it. The cloud-based file sharing application could potentially be compromised also (or indeed it could be that a free service gives THEM the right to have access), while USB sticks are frequently mislaid or subsequently shared as a convenient ‘hand-o-matic’ file sharing tool. Simply by taking the data outside of the corporate infrastructure, you are bypassing all the security measures and potentially putting sensitive information at risk. It’s a clear demonstration of how so many businesses can make themselves vulnerable by effectively sleepwalking into data breaches. So, what’s the solution?
Technology should always be part of it. Anti-virus and anti-malware software needs to be implemented and kept up-to-date. Data leakage protection can also be put in place, providing electronic tracking of files, or putting systems in place that stop users arbitrarily dropping data out to cloud services. Adaptive authentication, in which risk-based multi-factor authentication helps ensure the protection of users accessing websites, portals, memory sticksor applications, also has an increasingly key role to play.
While technology is important, countering data breaches is also about education. Businesses need to re-enforce the message that employees need to take a personally responsible approach to managing and protecting data over which they have control. They must be aware of the potential security threats and do all they can to mitigate them – from taking good care of devices they use at work to making sure their passwords are strong. The battle against the cyber criminals will continue but if businesses are to fight back effectively, they need their employees onside and focused.