Information Security: Strategies and stakeholders you should know in 2017
In 2016 the global tech sector saw no shortage of internet security threats and data breaches. There were DDoS attacks on Twitter and Netflix, ‘Peace’ attacks on MySpace, LinkedIn and Tumblr, and what would become known as the biggest data breach in history, affecting over 1 billion Yahoo users, among many more. There’s been no sign of things slowing down in 2017 either, with data breaches at DocuSign, Gmail and Verifone already having occurred.
Online client profiles and databases present a land of opportunity for hackers, criminals, and hacktivists motivated to commit fraud and steal information. Today, most business leaders know that they are responsible for their clients’ information and cybersecurity, and need to adopt a wide range of policies to ensure that safety.
Information security vs cybersecurity
Information security (commonly shortened to infosec) is a general term for ‘data security’ and often refers to protecting the confidentiality, integrity and availability (CIA) of data. This includes physical data stored in file cabinets as well as electronic data stored on servers. In this sense, infosec covers a broader range of assets than cybersecurity.
Cybersecurity is about protecting electronic data. This is relevant to modern businesses whose databases are largely stored online. There are still physical components to cybersecurity, such as the laptops, iPads, data centres and server rooms where most information is kept.
Over the past decade, infosec and cybersecurity have fused together, as the need has grown for companies to place a strong emphasis on ensuring both. In an age of ever-increasing security threats coupled with ever-changing compliance regulations, information security is far from a simple task.
So, if you’re planning to enter the information space or run a business that holds data profiles, how do you minimize risk and prevent security breaches from happening?
“Data is quickly becoming the crown jewels for any organization. Knowing what Data Assets a company has, where they reside, and who has access to them is critically important” says James Taylor, strategic development manager at Nuvias Group and industry expert. “Whether this is due to compliance / legislation in the instance of Personal Identifiable Information (PII) or to protecting Intellectual Property etc, proactively securing data is now essential for all organizations.”
Below are some practices that can help keep your company information safer in 2017.
Keep your company safe(r) by following infosec best practices
1. Update software regularly
The longer a piece of software has been on the market, the more opportunity there has been to uncover its weaknesses, which explains why the majority of malware affects out-of-date programs. This means that when you neglect to update your software, you are potentially exposing your device and organization as a target.
In May this year a ransomware outbreak occurred targeting computers running older versions of the Microsoft Windows operating system, encrypting data and demanding $300 worth of Bitcoin as a ransom payment. The attack, dubbed ‘WannaCry’, was unprecedented in scale and resulted in 200,000 attacks on Windows systems in 150 countries. In response, Microsoft released a security update to address the issue in older Windows OS and Windows Server editions.
Despite recurring situations like these, companies still often don’t update their software, for a variety of reasons. System updates can be expensive or labour intensive, and often require staff to spend time re-learning and re-adjusting to the new programs and procedures. But avoiding these short-term pains can lead to even more costly issues in the long run. Fortunately, a growing trend is now seeing software vendors making their updates easier and less disruptive.
2. Enable two factor authentication
Two-factor authentication (also called multi-step verification) is an authentication mechanism that double-checks that your identity is legitimate. It can come as a built-in option on your device (laptop, phone, email, etc.) or be installed as a third-party application. Not only does two-factor authentication deny others access to confidential information, it can also distinguish between users of shared accounts, making access control easier.
It’s relatively simple for cyber attackers to test password combinations. In fact, 90% of employee passwords can be cracked within 6 hours. Multi-factor authentication ensures that you and your employees aren’t relying solely on passwords.
Though proper two-factor authentication tools are often quite expensive and are not a fix-all for security breaches, slowing down criminals and reducing their chances of succeeding is well worth it compared to the higher costs associated with data breaches (it averages around $200,000 for a small business to fix issues after a data breach).
The increased security that two factor authentication offers can be so appealing, that some companies — including MailChimp — even offer their customers a discount if they take steps to enable it.
3. Diligently monitor and manage third party access
In the age of the internet, opportunities for growing a highly qualified and remote team are abundant. Contractors, business partners, suppliers, remote workers and vendors are all able to work together with your company through remote access. Sharing data in this remote manner, however, can prove a golden ticket for those with ill intentions.
A good example of the risks posed by third-party access is the story of the four Citibank account holders in New York who were defrauded of nearly $350,000 in 2005 by a group of call centre staff based in Pune, India. The call centre staff were employed by a software and services company to which Citibank had outsourced work, and managed to procure Citibank customers’ personal data, PINs and account numbers.
To avoid opening extra doors for malware and malicious hackers, try using a temporary password when providing remote access. This limits the scope of access of the third party user while also enabling you to log all of their actions. Logging your remote teams’ actions also makes it easier to detect unusual activity and assists in conducting any necessary investigations.
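The temporary, scoped and logged third-party access described above, as an added example that is not part of the original article: a small Python access broker that issues an expiring password for a contractor, stores only its hash, restricts it to named resources, records every attempt and returns the denied attempts for review. The class, method and resource names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Grant:
    scope: frozenset      # resources this third party may touch
    expires_at: float     # Unix time after which the credential is dead
    secret_hash: bytes    # SHA-256 of the one-time password; plaintext is never stored

class ThirdPartyAccess:
    """Issues expiring credentials, logs every use and flags suspicious attempts."""
    def __init__(self):
        self.grants = {}      # user -> Grant
        self.audit_log = []   # one dict per access attempt, allowed or not

    def issue(self, user, scope, ttl_seconds, now=None):
        """Create a temporary password for `user`; returned once, stored only hashed."""
        now = time.time() if now is None else now
        secret = secrets.token_urlsafe(24)
        self.grants[user] = Grant(frozenset(scope), now + ttl_seconds,
                                  hashlib.sha256(secret.encode()).digest())
        return secret

    def revoke(self, user):
        self.grants.pop(user, None)

    def access(self, user, secret, resource, now=None):
        """Check expiry, credential and scope; record the attempt either way."""
        now = time.time() if now is None else now
        grant = self.grants.get(user)
        if grant is None:
            decision = "no-grant"
        elif now > grant.expires_at:
            decision = "expired"
        elif not hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), grant.secret_hash):
            decision = "bad-credential"
        elif resource not in grant.scope:
            decision = "out-of-scope"
        else:
            decision = "ok"
        self.audit_log.append({"time": now, "user": user, "resource": resource, "decision": decision})
        return decision == "ok", decision

    def unusual_activity(self):
        """Denied attempts are the events worth an analyst's eye."""
        return [e for e in self.audit_log if e["decision"] != "ok"]
```

A real deployment would write the audit log to a store the third party cannot alter and alert on the denied entries rather than waiting for someone to call unusual_activity().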
4. Back-up your data
This is another basic security measure that doesn’t require hiring an entire IT team. Ransomware, the form of malware that locks files with powerful encryption, soared in 2016. Kaspersky Lab revealed an 11-fold increase between Q1 and Q3. By Q3 2016 a business was being attacked with ransomware every 40 seconds. Having your files encrypted is usually followed by a ransom demand that must be paid to obtain the key that unlocks the data. Failing to comply can result in company data remaining locked forever.
In June last year the University of Calgary paid a whopping $20,000 ransom in bitcoin to a hacker who seized control of the university’s computer systems. Having a full backup of all your data can be a life-saver in such situations.
When organizing the backup data, ensure the task is divided among multiple employees (to limit insider threats), and that the backups are created on a frequent basis. The US Computer Emergency Readiness Team provides a write-up of different backup options.
5. Be wary of phishing
Ironically, it is often well-meaning employees that expose your company’s data to malicious threats. Perpetrators using phishing techniques can lure employees into providing access to your system via (seemingly legitimate) spam emails or phone calls.
The prevalence of phishing techniques shows no signs of decline. Barkly found a 250% increase in phishing in Q1 of 2016, and estimated that almost 30% of malicious emails are opened by employees.
In 2016 Walter Stephan, CEO of the plane parts manufacturer FACC, fell for an email scam that lost his company $56.79 million. In the phishing email, Mr. Stephan was asked to organize a secret transaction by someone posing as an executive in the company. FACC was able to regain a fifth of what was taken, but the rest disappeared into accounts in Slovakia and Asia, wiping a big portion off the company’s share value. Mr. Stephan was asked to leave his position as CEO, which he had held for 17 years!
To avoid becoming the next Mr. Stephan yourself, ensure that your work emails have a proper spam filter, and educate your employees on popular phishing techniques, as well as what to do in the event that they suspect they have fallen for one.
What else can be done to stay secure?
Putting up firewalls and building physical infrastructure around sensitive data are further important measures that contribute to solid information security. As the best practices above imply, however, outside help and a skilled security team are often needed. The Cybersecurity Ventures Cybersecurity Market Report shows that cybersecurity spending is expected to exceed $1 trillion over the next five years.
Below are additional tools, programs and vendors that can help achieve your goal of protecting user information.
Filefacets is an enterprise content management system that allows you and your company to locate, process and move unstructured content from multiple sources across your whole enterprise. They are vocal about their General Data Protection Regulation (GDPR) and Information Governance (IG) compliance certifications and are committed to keeping sensitive data secure.
root9B is a cybersecurity consulting and operational support firm that provides remote defence, a manned infosec solution, training, cyber policy assessment and malware analysis. root9B has been ranked first on the Cybersecurity 500 list and is considered a top player in the information security arena.
Echosec is a social media discovery platform that enables security professionals to monitor and act on events in real time. Trusted by Fortune 500 companies to search social media everyday, Echosec is becoming a standard tool used to train security and intelligence agents all over the world.
BlackBerry: To stay ahead of the curve, BlackBerry claims to deliver the world’s most secure, comprehensive mobile solution to help mobilize its clients’ people, processes, apps and information. The platform BlackBerry offers is trusted by hundreds of companies and governments around the world. It securely manages apps, files, voice and messaging, and enables mass-crisis communications.
Hutsix offers what they call the ‘human side of information security’. They promote security as a responsibility belonging to everyone on the team (not just the IT staff) and offer a cloud-based awareness campaign that trains your employees in security awareness. Hutsix’s management dashboard provides constant visibility into how departments and employees apply the tactics they have learned, which they say can prevent up to 95% of security breaches.
PwC: Though mostly known for its audit and tax consulting services, PwC does a lot of cybersecurity consulting as well. It claims to offer 4 key elements to help you take a broader view of cybersecurity and privacy as both protectors and enablers of the business: strategy and transformation, privacy and consumer protection, incident and threat management, and implementation and operations. These offerings helped PwC rank #32 on the Cybersecurity 500 list.
Hyas: Hyas is a highly skilled infosec firm developing the next generation of information technology solutions for small to medium sized businesses. Hyas is regularly sought after by law enforcement agencies to advise on international computer crime matters.
Plurilock is a regulatory compliance solution that restricts third-party access by identifying intruders from their keystroke patterns. It uses AI technology to build user profiles based on the way people type and flags any abnormal behaviour.
Certn is a risk management tool for property managers and credit issuers that uses AI technology to establish an understanding of the risk associated with certain loan takers. It’s increasingly difficult to assess people’s character, but Certn creates an extra avenue for security by helping you better understand who you’re dealing with.
An ounce of prevention is worth a pound of response
In this high-risk and rapidly changing security climate, the prospect of effectively securing data can seem overwhelming. The development of IoT devices and machine learning technologies is predicted to change the scope of security breaches and open up the playing field for sophisticated malware. It’s thus fundamental that companies make sure their security systems are able to change and adapt to the new challenges around them.
While no plan is 100% foolproof, companies can thankfully reduce a large majority of their vulnerabilities by adhering to the information security best practices mentioned above, and by employing security experts and security software.