Digital Shock

 
This is a Management Report, which focuses on executives' need to understand cyber security and the commercial opportunities it creates. The Report has been edited so that it can be read in 15 to 20 minutes.
 


The 4th Industrial Revolution and Cyber Security

 
This revolution is a significant development that will integrate digital, physical and biological systems and change our world.

The process has been called Cyber Innovation, or Web 3.0, but is probably best described as the 4th Industrial Revolution.

This transformation will completely alter the way we live and experience life; it will happen far faster than previous industrial revolutions, and it is already causing security problems that senior management must deal with in a controlled and ongoing way.
 
Cyber security needs to be a Main Board strategic concern, and a team that includes the CIO/IT Director must report directly to the Main Board regularly on IT changes and cyber security.

An independent Cyber Audit Team must also be used to review, and randomly spot-check, processes, procedures and data on a regular basis. This Cyber Audit Team should be independent of the IT department and its day-to-day operations.
The independent Cyber Audit Team should present its findings directly to the Board first and then to internal IT management, and the resulting changes should be incorporated into the organisation's commercial strategy and tactics.
 
GDPR – Legal Regulations effective from May 2018 
 
The EU General Data Protection Regulation supersedes the regime of the UK Data Protection Act 1998 (in the UK it is given effect by the Data Protection Act 2018). GDPR imposes a much tougher and stricter regime, with far more severe penalties for non-compliance and for data breaches. It is very important that organisations identify, understand and secure the personal data they hold so that they comply with GDPR.

No matter where your headquarters or your business/organisation is based, if you handle personal data about customers in Europe or you have European employees, you need to be ready for GDPR.

What is GDPR?
The GDPR (General Data Protection Regulation) is the European Union's regulation on the protection of personal data. It is designed to strengthen data protection for everyone and to create a single data protection regime across the EU for businesses and consumers to rely on. It applies from 25 May 2018.
Why is it important?
The GDPR replaces the regime of the 1998 Data Protection Act (DPA) and places much greater emphasis on consent (ensuring that individuals agree to businesses having their data, where consent is the lawful basis relied on) and on the documentation data controllers must keep (maintaining good records of what personal data is held, why, and where).
GDPR aims to bring European data protection law up to date with the modern technological age. It unifies the various existing data protection laws across Europe, and it brings companies outside the EU within the scope of European law where they offer goods or services to, or monitor the behaviour of, people in the EU.
What do I need to do to comply?
The UK's Information Commissioner's Office (ICO) is the UK supervisory authority for GDPR and has produced a guide to compliance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
 
What types of privacy data does the GDPR protect?
 
• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
 
Which companies does the GDPR affect?
Any company that stores or processes personal data about individuals in the EU must comply with the GDPR, even if it has no business presence within the EU.

The GDPR applies to a company if it has:

• A presence (an 'establishment') in an EU country.
• No presence in the EU, but it processes personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.

Company size does not decide whether the GDPR applies. The 250-employee threshold in the Regulation only affects the duty to keep formal records of processing activities: companies with fewer than 250 employees are exempt from that duty unless their processing is likely to affect the rights and freedoms of data subjects, is not occasional, or includes special categories of sensitive personal data. That exemption is so narrow that, in practice, almost all companies must keep the records.

However, much of the GDPR is left to interpretation. It requires companies to implement 'appropriate' technical and organisational measures to secure personal data, for example, but does not define what is appropriate for a given organisation.

This gives the supervisory authorities (the ICO in the UK) considerable discretion when assessing fines for data breaches and non-compliance.
The GDPR Advisory Board, which brings together industry experts from the legal, training and academic worlds and provides monthly reports on the preparation needed for the General Data Protection Regulation, recommends these as the top five things to get right under GDPR:
 
• Demonstrate that you are taking data protection seriously, up-to-date policies, record keeping and staff training are all important elements of this
• Ensure that the public-facing information notice reflects the reality of how the business actually does use and treat personal data behind the scenes
• Ensure that the business has proper organisational and technical measures and policies in place to keep personal data safe and secure, having a robust information security policy which is actually adhered to throughout the business is part of this
• Make sure that if the business were to suffer a personal data breach (which under the GDPR covers not only unauthorised access to or disclosure of personal data, but also its loss, alteration or destruction) you would be able to report it to the regulator (the Information Commissioner's Office) within 72 hours of becoming aware of it, as is required unless the breach is unlikely to result in a risk to individuals
• Make sure that, where personal data is processed on your behalf by an external organisation, you have contracts in place that meet the requirements of the GDPR
 
Failure to comply with the GDPR could expose the business to fines (potentially up to 4% of annual worldwide turnover or €20m, whichever is higher) and to claims for damages from individuals, but perhaps more damagingly, to loss of reputation.
To get help and information contact The GDPR Advisory Board at: https://www.gdpr-board.co.uk
 
Background - Cyber Knowledge for the New Digital Age 
 
We are at the beginning of an electronic revolution that, like earlier industrial revolutions, will substantially alter our society, the way we live and our engagement with others, and this one will also alter us as individuals. Cyber issues have entered most areas of any organisation's systems, routine working methods and communications. The whole operational process therefore requires far more strategic management involvement and much more sophisticated cyber security engagement from all levels of an organisation's management and employees.

The process also requires far more technical planning and precise tactical understanding than these issues did even a few years ago.

This electronic revolution is developing by employing emerging computing technologies such as cognitive electronics and advanced analytics, alongside nanotechnology, biotechnology and quantum computing, to develop everything from new methods of commercial production to pattern recognition and robotic bio-technology.

This process will alter everything from augmenting human cognition to automated avionics and robotics, and it will change jobs of all kinds within education, business, policing, the military and government.

By connecting billions more people through mobile devices, electronic connections, storage capacity, information accessibility and processing power, this revolution will substantially expand the interconnected world.

Examples of this transformation range from changes in data collection, processing and production with 3D printing all the way to some humans, and other animals, becoming partly electronic and using bio-robotic technology to change the ways in which they operate, for instance to extend their life spans.

This interconnected cyber world offers enormous opportunities to gain understanding, insightful data, commercial expansion and government interconnection, all of which can seriously improve individual and commercial knowledge, jobs and growth potential. This revolution is already altering our geo-politics and macro-economic development, both positively and negatively.

Some of the benefits arising from relatively recent electronic developments, such as Cloud and Cognitive Computing, are becoming enormously influential. However, cyberspace also contains criminal hacking threats and the growing arena of inter-nation cyber warfare.

The potential for engaging with and countering cyber crime comes in many new ways, one of which is Automated Content Recognition technology. This can extract visual data from thousands of information streams and use new algorithms that search cloud-based indexes in seconds, producing a specific, relevant answer in seconds where a human analyst would have needed hours or days.

Some of the latest AI techniques allow users to identify specific moments or in-video elements with high accuracy, whether for facial recognition in security or for tracking products to monitor spend. This technology has the power to revolutionise how a range of industries use video in their business and, sometimes, to monitor potential cyber crime.
 
Governments, commercial organisations and individuals all need new understanding, strategies and specific tactics that use cyber's outlook and potential. This requires a change in perspective, continued research, changes to working methods and the adoption of the relevant technology that projects into the new interconnected global future.

It is very important that a business creates, and continually reviews, an electronic cyber strategy and ensures that it is used in its tactics on the ground. The results will be far more effective, precise and relevant than can be achieved using traditional methodologies.

Each strategy should incorporate IT's particular relevance to your area of business. Done thoughtfully, this will offer real opportunities for globally interconnected future progress while ensuring that capable security is implemented and continually updated.

This 4th Revolution employs deep data analysis with interconnections and links to bio-technology, Artificial Intelligence, robotics and the Internet of Things, which will significantly alter us as humans and the places where we work and live.

When used well these processes protect our security, as well as significantly improving the broader issues of global and national macro-economics, intelligence, law enforcement and geo-politics.

When misused by criminals and by those waging cyber warfare, this transformation has the potential for catastrophic outcomes.
 
Cyber Knowledge Management
Knowledge Management is becoming exceedingly important in the new world of cyberspace. There is an enormous amount of lost and unused information in any organisation. This valuable data can be found, re-created, analysed and used to discover vital market, client and internal information that significantly improves the current and future business performance of the company.

One of the best ways to improve the understanding, techniques and commercial activities of any organisation is to create a senior Cyber Knowledge Management/Analysis role, whose purpose is to gather, incorporate and analyse information, to report potential and change to the CEO and Board, and to discuss ways to improve the company's performance.

The role can be called Chief Cyber Knowledge Management Officer (CCKMO) and is vital for the new age of digital analysis.
The types of activities that this role suggests are as follows:

• Strategic design and installation of procedures and techniques to create, protect and use embedded corporate/business techniques and knowledge.
• Designing and creating systems and activities to uncover and liberate knowledge that is currently hidden or misused, and information and knowledge that is unknown, implicit or unstated.
• Discussing the reasons and purpose of managing knowledge as a resource and embodying it in other initiatives and programmes.
• Using cognitive computing techniques and intelligence information analysis to review and uncover market and competitive information that is of real use and benefit to the organisation.

This process really helps organisations move forward. Very successful companies are those that consistently create new knowledge, present and incorporate it throughout the organisation, and embody it in systems, people, management, products and services.
In most industries businesses are not good at strategically using and managing information and data. Their procedures and processes often undervalue the creation and analysis of knowledge, and their systems and people often file away, dump, lose or give away what is sometimes very important information that could be used to analyse and improve business strategy, planning and operational systems.
Create the new role of CCKMO and make it part of your Strategy
At the outset the job should be to improve a particular part of the organisation, a task that is often given to outside corporate consulting firms.
Outside consultants can still be of real use, but beginning to learn the process internally is far more important to the ongoing running and strategic future of the organisation; it also brings the knowledge in-house and saves a lot of one-off expenditure.
The role should work in discussion with the IT department, the Chief IT Officer and the Chief Information Officer, but it should be independent of both and report to the CEO and the Board.
Most businesses are not very good at managing facts, opportunities and knowledge. They often undervalue the creation and analysis of knowledge, they file away or give away what they potentially know, and they do not encourage discussion and sharing of internal data, information and knowledge. In the worst case they do not know what they know.
 
Greatest Cyber Myths to Question
With the average cost of a data breach now put at around $6.5 million in the US alone, businesses should be reviewing how they can avoid being compromised.
With more interest in the industry than ever, here are the top five myths surrounding cyber security:
 
Myth 1: Small organisations aren’t targeted by hackers…
It is a common misconception that hackers overlook small organisations and focus only on large ones, but the truth is that virtually every web-based attack (98%) is opportunistic in nature, according to the 2015 Verizon Data Breach Investigations Report (DBIR).

In fact, because of this misunderstanding, small organisations tend to have inadequate levels of cyber security (more so than large organisations) and are an ideal target for hackers. Worse, it is widely reported that 60% of small organisations that are compromised close down within six months. Every organisation, large and small, needs to strengthen its cyber security procedures.
 
Myth 2: It’s really expensive to be cyber secure and the ROI isn’t worth it
It is true that being cyber secure costs money, but effective cyber security is a lot more affordable than people think, and considerably cheaper than suffering a data breach (now averaging $6.5 million).

It is impossible to put an average cost on being cyber secure, as every organisation is different in size, resources and so on, but organisations can implement ISO 27001, the internationally recognised information security management standard, from as little as $659 with packaged solutions such as those offered by IT Governance. In terms of return on investment (ROI), it is hard to quantify the savings from an attack that did not happen, but the whole idea of cyber security is to decrease the costs related to security incidents. If you reduce the number and/or extent of security incidents, you save money. In most cases the savings achieved are far greater than the cost of the safeguards, so you will 'profit' from cyber security.
 
Myth 3: Cyber threats are a technology problem so a technology solution will fix them
Implementing the latest AlienVault solution may keep track of attacks or unusual activity, but it will not get to the root of the problem. It will not stop your staff clicking on malicious links in emails, letting a stranger through your organisation's front door, or sending unencrypted customer data to someone outside the organisation.

A comprehensive, holistic approach that covers your people, processes and technology is the only real answer to achieving effective cyber security, and ISO 27001 is an internationally recognised information security standard that addresses all three of these areas.
 
Myth 4: Hackers are your biggest threat
Reports show that your own employees are in fact your biggest threat.
 
“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage,” he says.
 
As well as disgruntled employees, you also need to be aware of careless or uninformed employees, those who leave their work phone in a taxi, use weak passwords or click on links in suspicious emails, and of how your partners and suppliers handle their own cyber security. These all pose serious security threats to your systems and data, and tend to be more insidious.
 
Myth 5: I don’t need cybersecurity – I have cyber insurance
Although cyber insurance may seem like a fail-safe, simple way to tackle cyber security, it is often the opposite. Many cyber insurers include clauses stating that failing to implement basic cyber security measures will void your cover, so it is really important to check your policy carefully.

Insurance is just one way to mitigate costs; you must also have an incident response plan and team in place, extensive use of encryption, business continuity management involvement, CISO leadership, employee training, board-level involvement and other measures.

ISO 27001 is referred to frequently by IT Governance because of its comprehensive, holistic approach to cyber security and its worldwide recognition. To help businesses implement the Standard, IT Governance has devised a range of packaged solutions that blend expert tools and resources to provide everything needed to implement ISO 27001 without the usual complexity and cost.
 
Cyber Security and Commercial Opportunities
 
The advance of digital technology and the greater access to personal and corporate information and data have created a global black market for stolen data and private personal information. As a result, improved hacking and information theft have affected all sectors of the global economy.

Today over a third of the world's population of seven billion uses the Internet, and this usage has grown more than twenty-fold in a decade. The terms Cyber and Cyberspace are used to describe the systems and services directly or indirectly connected to the Internet, telecommunication systems, the Web and all the interconnected electronic and computer networks.

Cyberspace has historic similarities to the way the oceans were used by commerce, nations and groups for international exploration, research, trade, naval warfare and piracy. In this model the Internet and the Web correspond to the trade routes, and hacking corresponds to piracy. Piracy still occurs on the trade routes, just as hacking is now used on the Dark Web and across many other parts of the Internet. Piracy was practised by governments, where it was called privateering, as well as by groups of independent pirates.

Piracy was gradually contained and finally reduced significantly across the world, but this took a very long time. It required government agreements, extensive intelligence analysis and naval engagement before the reduction of piracy was achieved. This extended process took centuries to achieve real success, and state-sponsored privateering was finally abolished by treaty in the Declaration of Paris in 1856.

In the 20th century, when the invention of the aeroplane changed many national views on international air space, it fell to governments and corporations to review and legalise international flights. The process of agreeing cross-border flights, although sometimes difficult, was far more effective and faster than the centuries that shipping and piracy agreements had taken. A similar process is needed by today's governments to achieve cyber agreements and to reduce the costs of cyber crime.

Not only did these historic agreements alter commerce and international trade economics, they also changed the ways in which secret intelligence organisations operated in the new environment.

We have gone, in a relatively short space of time, from senior politicians and ministers of state saying that governments do not read 'gentlemen's mail' to Snowden's revelations that governments do occasionally review your social network profile and do occasionally read your email, while openly claiming that they do not.
 
CyberScape – The Growing Influence of Cyber 
 
The cyber threat landscape has also evolved significantly in recent years, moving from denial of service and website disruption to far more advanced hacking. Hackers steal data and exploit weaknesses in computer systems and networks, and now use more sophisticated and complex techniques to achieve data, financial and political gain.

This new global revolution has influenced almost all aspects of modern society and has opened up a mass of new developments and opportunities. It has created a knowledge society that personalises many areas of the economy; across markets it is changing jobs and specialisations, and globally it is substantially increasing our ability to use enormous amounts of data and knowledge.
 
Cloud Computing 
 
Cloud Computing is a model of networked computing in which an application or program runs on a pool of connected servers rather than on a single local device such as a Mac or PC.

Cloud Computing covers a multitude of services that are usually provided over the Internet on a usage or metered basis. It involves the sale of computer software and hardware as services, which an organisation can rent instead of purchase.

The Cloud is run and sustained by cloud service providers through networks of server farms, which offer their subscribers on-demand capacity and data storage, along with seamless access to software, application provisioning and automatic upgrades.

Cloud computing is widely considered a landscape-altering technology and is enjoying increasing rates of adoption and implementation, yet companies often engage with the Cloud without taking sufficient risk management precautions.

Cloud Computing has the potential not only to become a defining technology of the twenty-first century, but also a defining utility, just as electricity was for the twentieth.
 
 
Cloud Computing architecture comprises four distinct layers, from the bottom up:

  1. The physical resources: the computer hardware, hosting platforms and network connections.
  2. The systems management tools, which form the infrastructure as a service (IaaS) layer. These are typically data centres in which virtualisation technology is used to maximise the use of physical resources, applications and the quality of service.
  3. The platform as a service (PaaS) layer, which binds together the middleware tools.
  4. At the top, the user-level applications such as social networks and scientific models, hosted in the software as a service (SaaS) layer.
The biggest concerns about Cloud Computing, however, are still security and privacy. The idea of handing important data to another company rightly worries some people, and corporate executives may hesitate to adopt a Cloud Computing system because they cannot be sure of their company's information security.

Some of the security questions regarding Cloud Computing are more philosophical. Does the user or company subscribing to the Cloud Computing service own the data? Does the Cloud Computing provider, which supplies the actual storage space, own it? Can a Cloud Computing company deny a client access to that client's data?
 
The pressure on the CIO not only to deliver a successful migration, but also to accurately predict the financial benefits of the move, is enormous. 
 
Current Cloud and Looking Ahead
Companies around the world are moving core enterprise systems to the Cloud. What was until recently a complicated and expensive in-house IT system can now be outsourced, and implementations now appear relatively simple and less expensive in the Cloud.

This reduction in cost and complexity is causing an explosion of Cloud services and Cloud service providers.
With multiple cloud services, many companies are losing track of the who, what, where, when and why of their data.
With multiple environments and services it is easy to lose track of which data goes into which environment and who has access to it. Not all cloud services are the same, and failure to monitor and enforce security levels and access limitations could lead to disastrous results.

Below we outline the scale of Cloud adoption and the potential issues involved in having multiple cloud services and service providers:

  • Worldwide spending on public Cloud services and infrastructure was forecast to reach $124.5 billion in 2017, an increase of 25.4% over 2016.
  • In terms of company size, nearly half of all public cloud spending will come from large businesses (those with more than 1,000 employees), while medium-sized businesses (100-499 employees) will represent more than 20% of cloud expenditure.
  • Sixty-four percent of enterprises are using different types of Cloud and aspects of the Internet of Things (IoT) without properly and continually securing sensitive data.
  • Cloud Computing is a model of networked computing in which an application or program runs on a series of connected servers outside your organisation's borders, rather than on your local systems and computing devices.
  • In the simplest terms, Cloud Computing means storing and accessing data and programs over the Internet instead of on your own computer's hard drive. The Cloud is just a metaphor for the Internet.
  • The Cloud has the potential not only to become a defining technology of the twenty-first century, but also a defining utility, just as electricity was for the twentieth. This involves the sale of computer software and hardware as services, which an organisation can rent instead of purchase.
There are many reasons to switch to Cloud Computing, including the ability to save considerable amounts of money while improving productivity and efficiency. However, there are security issues that need to be recognised and monitored, and this Report discusses and analyses these Cloud security issues.
 
Security Issues with the Cloud 
Organisations often engage with the Cloud without sufficient management understanding and security precautions. Perhaps the biggest concerns about Cloud Computing are still security and privacy. The idea of handing important data to another company rightly concerns some managers, and corporate executives are often hesitant to adopt a Cloud Computing system because they feel unsure of their company's information security.
  • Some of the security questions regarding Cloud Computing are more philosophical:
  • Does the user or company subscribing to the Cloud Computing service own the data?
  • Does the Cloud Computing provider, which supplies the actual storage space, own it?
  • Can a Cloud Computing company deny a client access to that client's data?

Many companies, law firms and universities are debating these and other questions about the nature of Cloud Computing, and some of these discussions and arguments can be found by searching the Web.

There is growing concern in the IT industry about how Cloud Computing could affect the business of computer maintenance and repair. If companies switch to streamlined cloud systems they will have fewer in-house IT needs, but also less understanding of the results. Other industry experts believe that IT jobs will migrate to the back end of the Cloud Computing system.
The pressure on IT Directors and CIOs, not only to deliver a successful migration but also to accurately predict the financial benefits of the move, is enormous.
As the cloud develops these important new capabilities, what IDC calls 'Cloud 2.0', the use cases for the cloud will expand dramatically.
 
Cloud Security 
Most cloud storage breaches have been facilitated by users who gave away their passwords, often as victims of phishing. The most common terms you’ll see when shopping for a cloud storage or backup provider.
 
Changes to Security
Changes to security will continue as more aspects of cognitive computing and robotics are put to use in different areas of commerce and the personal economy. At the personal level, cyber is beginning to alter the way we consider individual identity and our traditional concepts of hierarchy, belief and nationality.

New research and planning are therefore required to meet the rapidly emerging criminal opportunities, challenges and threats arising from broadband technology and networks, and to shape the response that cyber security needs in order to operate effectively.

From a security perspective, the range and number of targeted cyber attacks continues to climb steeply, and any individual or organisation can be the target. While opportunistic mass hacking attacks are still used, targeted attacks are growing much faster, as they potentially provide much greater gains for the attackers.

The UK government's assessment puts intellectual property theft and espionage as the most damaging and costly criminal activities. However, online theft, fraud, identity theft and data loss also cost millions every year. UK research suggests that over eighty-three percent of large companies and sixty-four percent of small businesses reported data breaches in 2014.

Hackers now go to great lengths to personalise their exploits in order to get people to drop their guard: phishing emails, often carrying malware attachments, are crafted to look as if someone within the organisation has sent them and is asking the recipient to do something specific, such as handing over information or moving money.

Increasingly these cyber exploits succeed. The attack is becoming easier because individuals and organisations publish a growing amount of information about themselves online, particularly on professional and social networking sites, and attackers use it to make their messages convincing. Effective ongoing cyber training for employees and management considerably reduces these risks.
 
Cyberspace
 
The interconnectivity of Cyberspace, its reach, structure and sophistication has significantly changed some of the concepts of national security, geo-politics and global trade. 
 
And so the availability and rapid dissemination of high-speed digital networks and the lessons from Cyber-attacks have also recently caused some 21-century policy makers to prioritise Cyber Warfare security making Cyber the forth, or fifth, part of Western military structures alongside the Army, Navy, Air Force and some military operations in Space. 
 
In the corporate sector, security software and hardware have been found to carry increasing numbers of vulnerabilities because security was not designed in strategically from the start. Many IT systems have ineffective anti-hacking controls, and overall security standards are neither taken as seriously as they should be nor yet effectively applied.
 
At best CyberSecurity solutions are dynamic and adaptable, with minimal impact on network performance. In contrast, we see other approaches such as national-level filters and firewalls. These often provide only an illusion of security while hampering the effectiveness and growth of the Internet as an open, interoperable, secure, and reliable medium of exchange. 
 
Commercially, for most people, the same is true: cyberspace should remain a level playing field that rewards innovation, entrepreneurship and industriousness, and it should not be a venue where states arbitrarily disrupt the free flow of information to create an unfair advantage.
 
Cyber issues now affect everyone, from the way their power and electricity supplies operate, through their personal identity and banking codes, to the research they might do commercially or personally on the Web.
However, the dangers and problems have increased significantly. Constant attacks by cyber criminals, activists, hackers and foreign states trying to steal official and commercial secrets mean that cyber-attacks are now ranked on a par with international terrorism as a threat by many governments and some large corporates.
 
Conclusions 
 
Cyber Security Checklist for Management
Cyber security must be a Main Board strategic concern. An independent Cyber Audit Team must also be used to review processes and to check them at random, and this team should be independent of the IT department and its day-to-day operations.
 
Cyber security, and cyber opportunities, need to be understood at the highest levels of all organisations and should be a significant strategic concern.
 
From a security viewpoint, the independent external team must also be used to review and randomly check processes, procedures and data on a regular basis. The team would work much as the annual financial auditors do, and this Cyber Security Audit Team should be independent of the IT department and its day-to-day operations.
 
This team should act as an independent auditor at irregular intervals throughout the year and should use white-hat hackers to delve deep into the electronic systems looking for current and potential problems. It should report frequently to the Board on changes in security and produce up-to-date cyber reports. Importantly, an internal and external product/service development team should frequently review cyber opportunities; these should be reported to the Board and the resulting changes incorporated into the organisation's strategy and tactics.
 
The Board should also separately discuss worst-case scenarios with the CIO/IT Director, and reviews should take place independently using outside consultants, as cyber-crime is costing businesses around the world over $300 billion a year.
 
Whether you’re a small, medium-sized or large business, it’s time to face facts: your organisation will be breached.
The sensitive information you hold is a gold mine for hackers: customer details, corporate information, and sensitive material that could be used for blackmail or to sell on. All information that is important to you, is valuable to a hacker.
There are believed to be around 117,339 cyber-attacks a day, and with the average cost of a data breach now estimated at $6.5 million, all companies have cause for concern.
 
Common Cyber Threats you need to Understand
Below are some of the most common methods cyber criminals use to extract corporate data; make sure you are aware of them and have suitable defences in place to prevent their success.
 
Phishing emails
Every day, 156 million phishing emails are sent, 15.6 million make it through spam filters, 8 million are opened, 800,000 recipients click on the phishing links, and 80,000 people provide their personal information. Sending phishing emails to an organisation’s employees is one of the most popular methods cyber criminals use to get their foot through the door. It’s simple to do, easy to reach a large number of people, and, generally speaking, phishing emails deliver results.
 
The most-attacked industries are e-commerce (32.4% of all phishing attacks), banks (25.7%), and social networking (23.1%). Cyber criminals are getting increasingly clever, often imitating small companies that supply larger companies. In November 2013, Target had 110 million customers’ credit card data and personal information stolen through an email malware attack on one of its suppliers, costing the company $148 million.
 
What can you do?
Although there is no clear-cut solution for this one, you can make sure a number of hurdles are in place to trip up cyber criminals: protect your network with a firewall, spam filters, and antivirus and anti-spyware software.
Educate your staff not to click on links, download files, or open attachments in emails from unknown senders, or to provide personal information. This can be done effectively through staff, management and director awareness training.
 
Outdated/Unpatched software
Software providers regularly update their products to fix bugs and security issues. Using out-of-date software can make your organization extremely vulnerable to an attack, so it’s best to update and patch as soon as possible. Verizon’s 2015 Data Breach Investigations Report (DBIR) found that more than 70% of cyber-attacks exploited known vulnerabilities that had patches available – with some exploiting vulnerabilities dating back to 1999.
 
Cyber criminals frequently scout the Internet for organizations that use outdated or unpatched software and are quick to exploit any that they find. The most common unpatched and exploited programs are Java, Adobe Reader, and Adobe Flash.
Adobe is currently urging Flash users to update to the latest version of the software after a significant security flaw was discovered. According to reports, a Chinese hacking collective known as APT3 is already exploiting the vulnerability by sending phishing emails to companies in the engineering, telecommunication, and aerospace industries.
 
What can you do?
Run regular penetration tests on your network and web applications to search for vulnerabilities. This way you will spot the weaknesses and have a better chance of fixing them before cyber criminals can get a look in.
 
DDoS attacks
A distributed denial-of-service (DDoS) attack occurs when an attacker sends more traffic to your website than your server can handle. As a result, the server hangs and stops responding to further requests, effectively crashing the site. With falling costs, it has become easier to engineer such attacks, and more businesses are being targeted. About 32% of information technology professionals surveyed said DDoS attacks cost their companies $100,000 an hour or more. More than 3.4 million DDoS cyberattacks were perpetrated worldwide in 2014, up more than 60% from 2.1 million in 2013.
 
What can you do?
The more you know about what your normal traffic looks like, the easier it is to spot when its profile changes. Most DDoS attacks start as sharp spikes in traffic, and it’s helpful to be able to tell the difference between a sudden surge of legitimate visitors and the start of a DDoS attack.
 
It also makes sense to have more bandwidth available to your web server than you think you are likely to need. This will not stop an attack completely, but it will buy you extra time to help fix the problem.
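The advice above, knowing what normal traffic looks like and spotting when its profile changes sharply, can be turned into a simple detector. This is an added example, not code from the report: it takes constructed per-minute request counts, builds a robust baseline (median and median absolute deviation) from a trailing window, and flags only abrupt jumps, so a gradual, organic climb in visitors does not alert while a sudden spike does. The window size and thresholds are assumed values to tune against your own traffic.

```python
from statistics import median

# Constructed per-minute request counts for a site: a steady baseline,
# a gradual marketing-driven rise, then an abrupt spike in the last minutes.
CONSTRUCTED_COUNTS = [120, 115, 130, 125, 118, 122, 135, 128, 140, 150,
                      160, 170, 165, 175, 180, 2400, 5100, 6300]


def baseline(window):
    """Robust baseline of 'normal' traffic: median and median absolute
    deviation (MAD). Both resist distortion by a few outlying minutes."""
    med = median(window)
    mad = median(abs(x - med) for x in window) or 1.0  # avoid a zero spread
    return med, mad


def detect_spikes(counts, window=10, k=8.0, min_ratio=3.0):
    """Flag minutes whose count is far above the trailing window's baseline.

    A minute is flagged when it exceeds the median by k MADs AND is at
    least min_ratio times the median. The second condition is what lets a
    slow, legitimate rise pass while an abrupt jump alerts.
    Returns a list of (index, count, ratio_to_baseline) tuples.
    """
    alerts = []
    for i in range(window, len(counts)):
        med, mad = baseline(counts[i - window:i])
        x = counts[i]
        ratio = x / med if med else float("inf")
        if x > med + k * mad and ratio >= min_ratio:
            alerts.append((i, x, round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    for idx, count, ratio in detect_spikes(CONSTRUCTED_COUNTS):
        print(f"minute {idx}: {count} requests, {ratio}x the baseline")
```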
 
Do You Have a Cyber Security Plan?
Whether you use a third party for your retail website or exchange intellectual property with customers and partners, you need to protect your business information. It’s the types of breaches you don’t often read about that have longer lasting effects on the effectiveness of your business.
 
The data targets are many; intellectual property, company secrets, employee records, business plans, customer data, financial and legal documents.
 
It’s not only cyber-attacks that you need to worry about. Of the 43 percent of businesses that experienced some type of data breach in 2014, less than one-third were due to cyber-attacks.
 
Here are 5 things you should think about when locking down your valuable data assets, and no matter how simple, you should have a security plan:
 
It’s Not Just Digital 
The most important aspect of protecting information is clear communication to your employees of your expectations around handling information. A simple security policy can keep everyone in the know about Confidential (e.g. employment applications) and Proprietary (e.g. secret copyrights) documents.
 
Secure Your Premises
Locks, digital entry systems, alarms and perimeter obstacles such as fences are considered deterrents. They simply make an unauthorised entry take longer, deterring a would-be thief from taking on the job in the first place. Digital entry systems add the further protection of knowing who was on the premises and when.
If you manage your own computer systems, keep them in a secure area where only authorised personnel have direct access to the hardware. This, along with proper digital access controls for the applications your employees and customers use, will improve your security posture significantly.
 
Anyone Can Read Your Email 
Yes, sending documents and information by email is easy, but almost anyone with a basic knowledge of networks and communication protocols can read email relayed across the Internet. If you have sensitive information to share or collaborate on, use technologies such as Box.com, which has services to send and receive documents in a secure and authenticated manner.
 
If you use an internal email system, make sure you set up policies that can detect certain types of data, such as SSNs, company documents and potentially dangerous attachments, and block them at the source.
 
This practice is known as DLP (Data Loss Prevention) and is the most commonly used way of preventing the problem from occurring in the first place. But nothing is more valuable than simple communication to your workforce about the known dangers of email and your expectations around email usage.
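A minimal outbound-email DLP check of the kind described above, written here as an added example rather than any product's or the report's own code. It parses one constructed message, looks for US Social Security Numbers (rejecting number ranges the SSA never issues to cut false positives), for the classification markings named in the policy section, and for dangerous attachment types, and returns a block/allow decision with masked reasons so the log never carries the SSN itself. The marking labels and extension list are assumptions to adapt to your own policy.

```python
import os
import re
from email import message_from_string

# US SSN written as ###-##-####; groups captured for validity checks.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Classification markings from the security policy (assumed labels).
MARKINGS = ("CONFIDENTIAL", "PROPRIETARY")
# Attachment extensions treated as potentially dangerous (assumed list).
BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr", ".bat", ".hta"}


def is_valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues (area 000/666/9xx, group 00,
    serial 0000) so order numbers and the like do not trigger a block."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_message(raw):
    """Return {'block': bool, 'reasons': [...]} for one outbound message."""
    msg = message_from_string(raw)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        filename = part.get_filename()
        if filename:                      # an attachment: check its type
            if os.path.splitext(filename)[1].lower() in BLOCKED_EXT:
                reasons.append(f"dangerous attachment: {filename}")
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        for m in SSN_RE.finditer(text):
            if is_valid_ssn(*m.groups()):
                reasons.append(f"SSN found: ***-**-{m.group(3)}")  # masked
        for mark in MARKINGS:             # whole word, so 'confidentiality' is fine
            if re.search(rf"\b{mark}\b", text, re.IGNORECASE):
                reasons.append(f"content marked {mark}")
    return {"block": bool(reasons), "reasons": reasons}


# Constructed sample messages (the addresses are placeholders).
SAMPLE_BLOCKED = """\
From: payroll@example.invalid
To: partner@example.invalid
Subject: new hire
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, the new hire's SSN is 123-45-6789 and the plan is marked CONFIDENTIAL.
--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_CLEAN = """\
From: sales@example.invalid
To: customer@example.invalid
Subject: quote
Content-Type: text/plain

Order ref 000-12-3456 (not an SSN). Please sign the confidentiality agreement.
"""
```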
 
If You Don’t Use It, Don’t Store It 
The examples are familiar: an outdated process or application still collects social security numbers that are no longer needed or used; "we always file the applications and background check results in that unlocked filing cabinet"; "our repeat customers like the convenience of not having to provide or enter their credit card every time they do business with us."
 
It's a balance and you have to make the call, but consider that every time you store information, on paper or digitally, your liability increases. Even if you store documents or data with a third party, you are still liable.
 
Simple dedication to keeping things cleaned up, and diligence in assessing real need, can go a long, long way. This includes making sure that when computers/PCs and mobiles are no longer used or are being replaced, the old devices are electronically wiped before being recycled.
 
Social Engineering
It's not just data and documents that can leak sensitive information about your business and customers. Human interaction is often the culprit in some very damaging security breaches. Social engineering is the industry term for a fraudster using knowledge of relationships to gain access to information that would otherwise be unavailable. Finally, communicate clearly to your employees what kind of information, if any, should be provided to outsiders without proper verification or permission.
 