With cyber threats from malware and cyber attacks to phishing and social engineering continually in the headlines, it can be difficult to assess the actual risks to your organisation so you can take appropriate action to mitigate them. In my view, you can’t manage anything that you don’t understand – so what is actually out there, and how vulnerable is your organisation to the different threats?
First, let’s look at the numbers:
- according to a new report from the National Cyber Security Centre (NTSC), a significant assault is targeted at a UK company or public-sector entity every 13 hours
- in October 2019 there were nine confirmed major data breaches in the UK
- a business will fall victim to a ransomware attack every 14 seconds
- 32% of data breaches involve phishing, and companies are three times as likely to suffer a digital breach through a social attack than via technical vulnerabilities.
Risk from highly IT literate users
To make this meaningful, each organisation has to consider how different threats relate to their own activities and environment. They also need to understand their users and the specific risks that may arise from who they are and how they work.
For example, highly IT literate users may be less likely to fall victim to phishing attacks, but could create risks through use of shadow IT. Studies from both Gartner and Everest Group have estimated that 50 per cent or more of IT spending in large enterprises is occurring outside the control of IT.
Remote worker security risk
For other organisations where a lot of people work remotely, mobile security will be of particular importance, so they will need to minimise the amount of business data transferred to or held on the mobile device. Cloud could be a good solution here: one of the key advantages of using cloud to deliver a virtualised desktop environment is that no data ever leaves the data centre unless the organisation’s security policy specifically allows mapping of local drives, USB memory sticks or other external storage.
One area where even supposedly secure organisations can come up short is configuration, such as in an IaaS environment. Configuring the set-up correctly is not rocket science, but you do need to get it right, and obtain expert advice if unsure. There have been many reported cases, and no doubt many unreported ones, of data on unprotected Amazon S3 storage, with Dow Jones, Accenture and most notably the Pentagon all making the basic error of failing to set appropriate, Amazon provided security controls or passwords to protect their data, leading to a warning from the NTSC.
Malicious, disgruntled or even curious employees continue pose a significant threat of data breach and leakage. In the future AI solutions such as Advanced Threat Protection, Software Defined Networking and Software Defined WAN will enable organisations to monitor and mitigate this threat more effectively.
Risks to small organisations
Don’t assume that because your organisation is small, or not a household name, that it is less likely to be a target than an industry leader. The cost of a data breach, while smaller, could be proportionately even more damaging and could even put you out of business. Many attacks are not targeted at specific organisations and will catch anyone who is vulnerable. Security may be a particular challenge for medium sized organisations, who typically cannot justify a full-time in-house security specialist. If a generalist is responsible for security in your organisation, consider supplementing their skills with external training or advice from a third party security specialist.
Begin with simple steps
The first step is clearly to put the basic security precautions in place, and as I discussed previously Cyber Essentials is a good place to start. As the NTSC’s chief executive Ciaran Martin points out, some attackers continue to do the same thing over and over again because sometimes they will get through. He recommends steps such as using two-factor authentication and back-ups, scanning for vulnerabilities and having strategies to counter phishing attacks.
With these basics in place, you should then think about how your organisation works on a daily basis. We recommend a four-step process to develop a comprehensive data security strategy:
- Work out and define what level of security controls your organisation requires. These should be commensurate with the value of the data being protected and the level of risk
- Assess your organisation’s data management strategy and use gap analysis to develop a long-term plan
- Review IT governance
- Develop a business continuity and disaster recovery strategy and update it as appropriate to ensure that true data protection and security are maintained.