First, let’s look at the numbers:
To make this meaningful, each organisation has to consider how different threats relate to their own activities and environment. They also need to understand their users and the specific risks that may arise from who they are and how they work.
For example, highly IT literate users may be less likely to fall victim to phishing attacks, but could create risks through use of shadow IT. Studies from both Gartner and Everest Group have estimated that 50 per cent or more of IT spending in large enterprises is occurring outside the control of IT.
For other organisations where a lot of people work remotely, mobile security will be of particular importance, so they will need to minimise the amount of business data transferred to or held on the mobile device. Cloud could be a good solution here: one of the key advantages of using cloud to deliver a virtualised desktop environment is that no data ever leaves the data centre unless the organisation’s security policy specifically allows mapping of local drives, USB memory sticks or other external storage.
One area where even supposedly secure organisations can come up short is configuration, such as in an IaaS environment. Configuring the set-up correctly is not rocket science, but you do need to get it right, and obtain expert advice if unsure. There have been many reported cases, and no doubt many unreported ones, of data exposed on unprotected Amazon S3 storage, with Dow Jones, Accenture and most notably the Pentagon all making the basic error of failing to apply the appropriate Amazon-provided security controls or passwords to protect their data, leading to a warning from the NCSC.
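The S3 failures described above are configuration errors, and they can be caught by reviewing the bucket's own settings before any data is placed in it. The following is an added example written for this page, not code from the author or from Amazon: it audits the three settings that decide whether a bucket is world-readable (the bucket policy, the ACL grants and the Block Public Access configuration), shows the weak policy beside its corrected form, and reports findings. The bucket name, the account id and the sample policy and ACL documents are constructed; the input shapes assume the JSON returned by the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs, so the functions can be fed real responses offline.

```python
import json

# Well-known grantee URIs that S3 uses for anonymous access and for "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample: the misconfiguration. Anyone on the internet may read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",   # hypothetical bucket
    }],
})

# Constructed sample: the corrected policy, scoped to one IAM role (placeholder account id).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

# Constructed ACL grant lists, shaped like the "Grants" field of GetBucketAcl.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
OWNER_ONLY_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]

# Constructed PublicAccessBlockConfiguration values: the default for an old bucket, and the safe one.
NO_BLOCK = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principal_is_public(principal):
    """True if a statement's Principal is the anonymous wildcard, in either spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_findings(policy_json):
    """One finding per Allow statement that is open to the world."""
    findings = []
    doc = json.loads(policy_json) if policy_json else {"Statement": []}
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition may narrow the wildcard (e.g. to a VPC); a human must confirm it does.
            findings.append(f"REVIEW: statement {sid} is public but conditioned; check the Condition")
        else:
            findings.append(f"PUBLIC: statement {sid} allows {', '.join(actions)} to everyone")
    return findings


def acl_findings(grants):
    """Flag ACL grants to the anonymous or any-authenticated-account groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(f"PUBLIC: ACL grants {perm} to AllUsers (anonymous)")
        elif uri == AUTHENTICATED_USERS:
            findings.append(f"PUBLIC: ACL grants {perm} to AuthenticatedUsers (any AWS account)")
    return findings


def audit_bucket(policy_json, grants, public_access_block):
    """Combine the checks. With all four Block Public Access settings on, S3 ignores
    public ACLs and rejects public policies, so those findings become informational."""
    findings = policy_findings(policy_json) + acl_findings(grants)
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    if all(public_access_block.get(k) is True for k in required):
        return [f.replace("PUBLIC:", "INFO (overridden by Block Public Access):") for f in findings]
    if findings:
        missing = [k for k in required if not public_access_block.get(k)]
        findings.append("RECOMMEND: enable Block Public Access settings: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    print("-- misconfigured bucket --")
    for line in audit_bucket(PUBLIC_POLICY, PUBLIC_ACL_GRANTS, NO_BLOCK):
        print(line)
    print("-- corrected bucket --")
    print(audit_bucket(RESTRICTED_POLICY, OWNER_ONLY_GRANTS, FULL_BLOCK) or "no findings")
```

The check is deliberately layered: a bucket whose policy and ACL look clean today can still be opened tomorrow by a single misapplied grant, so the recommendation to enable all four Block Public Access settings is the control that survives later mistakes, which is why the audit reports it whenever any public grant is found and it is not already on.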
Malicious, disgruntled or even curious employees continue to pose a significant threat of data breach and leakage. In the future, AI solutions such as Advanced Threat Protection, Software Defined Networking and Software Defined WAN will enable organisations to monitor and mitigate this threat more effectively.
Don’t assume that because your organisation is small, or not a household name, it is less likely to be a target than an industry leader. The cost of a data breach, while smaller, could be proportionately even more damaging and could even put you out of business. Many attacks are not targeted at specific organisations and will catch anyone who is vulnerable. Security may be a particular challenge for medium-sized organisations, which typically cannot justify a full-time in-house security specialist. If a generalist is responsible for security in your organisation, consider supplementing their skills with external training or advice from a third-party security specialist.
The first step is clearly to put the basic security precautions in place, and as I discussed previously, Cyber Essentials is a good place to start. As the NCSC’s chief executive Ciaran Martin points out, some attackers continue to do the same thing over and over again because sometimes they will get through. He recommends steps such as using two-factor authentication and backups, scanning for vulnerabilities and having strategies to counter phishing attacks.
With these basics in place, you should then think about how your organisation works on a daily basis. We recommend a four-step process to develop a comprehensive data security strategy: