Protect your company against cyber security attacks
Recent high-profile data breaches have brought the issue of cyber security firmly to the front of many companies' risk and contingency plans. It is important not only to be aware of areas of future risk but also to implement policies and processes that can help protect your company now, before a cyber criminal has the chance to attack.
In a series of Cyber Security Seminars held across the UK, professionals from many backgrounds, all working in the industry, shared their thoughts on the greatest potential risks in the next few years and suggestions for future-proofing your company against attacks.
No new threats
Cyber security criminals can be clever, but they are not inventing new threats. When they have found something that works they tend to stick to those basics and just tweak things.
The biggest risk in the next few years will be changes to current programmes. Companies are constantly trying new software in a bid to perform faster and promote growth, and cyber security criminals will look to alter their current malware to work with new untrusted sources.
Understand your information
Maybe this seems simple, but so many times companies do not fully understand the type of information they are housing and the value of that information.
Andrea Simmons - CISO Consultant & Director, Institute of Information Security Professionals, stated, "If you don't know which sets of data contain personally identifiable information (PII) then you have a [big] challenge."
"A great phrase I learned from the ex-CIO of the White House is maintain a line of sight of data," she continued.
Haroon Malik - Managing Consultant, NCC Group, echoed this sentiment and gave an excellent example: "Universities create immense amounts of intellectual property [from] medicines to architecture and other disciplines yet tend to use unencrypted USB sticks and ancient computers. When you ask them what information they want to secure they won't know."
If you don't know what you have and why a cyber criminal would want it, you won't be effective at defending against cyber attacks.
Keep it simple
Many people think cyber security is difficult - it isn't. By focusing on the basics and looking to what the cyber criminals are after you can significantly decrease the chance of a cyber security threat.
The three basic areas to protect are:
- Privileges: Many cyber criminals are able to get into a company's information by stealing users' privileges and administrative rights. Make sure to allow employees only the administrative rights they really need, and monitor those who have high-security privileges.
User access management can become really complicated during mergers, acquisitions and partnerships, but continue to keep it a focus. There are tools, such as Celebra, that can be used to manage user access and privileges from an outside source during these times.
- Payload dropping: So many of the breaches we see in the news now are due to payloads running on a system that should not have been allowed to run there.
"If an attacker doesn't have the right to drop his payload onto a machine he won't be able to do anything," said Andrew Avanessian, Vice President - Avecto.
- Untrusted Apps: Trusted apps, such as those from Microsoft, have higher security measures built in, but we commonly allow employees to download and use untrusted apps, especially on company phones, which may also be connected to the company's intranet. Instead of allowing everything to be connected, run any untrusted content in an isolated manner.
"I look at breaches all the time and the one thing they commonly have in common? They didn't have the basics right," Andrew Avanessian continued.
One simple way to help prevent (or lessen the damage of) a cyber security attack is to segment your data. Many companies spend a lot of time and money gathering all of their data into one location so they can manage it more easily, but this just makes things easier for cyber criminals. Segmenting may take more work in the beginning, but it will pay off in the end because criminals can't access everything in one go.
Make sure your personnel files are separate from your financial files, and that both are separate from your client files.
Complex cloud systems
Tony Ventura - Senior Chief Security Officer, of a leading global service, suggested that using a cloud-based system as a way of storing data can help to reduce the risk of an attack. If a cloud-based system is implemented, it is important that the cloud is treated in the same way as you would treat your business. Alternatively, the cloud could be used to store the “junk” while the real data is kept internally.
It must be remembered, however, that a cloud system is still a computer system. It still suffers from the same basic threats as any other computer system. Before you choose to use a cloud-based system, make sure you run an audit and request a compliance check.
Protect the ecosystem
Given all the partnering and third-party outsourcing happening within security, protecting the security ecosystem is vitally important, yet it is commonly overlooked. Companies are passing data on to organisations whose perimeters aren't secure.
To combat this, many firms are starting to carry out pre-risk ratings. Rather than assessing a merger or acquisition purely by the value of the contract, you can tier a company by risk level (cyber security risk being a category) and carry out audits based on these tiers.
Detection doesn't work
"You'll never be ahead of the bad guys," Andrew Avanessian concluded.
By focusing on a detection strategy, and trying to catch malware and sleeper attacks before they activate, you've already let cyber criminals into your system. By zeroing in on the key basics mentioned above, you will build a protective wall around the perimeter of your information and help block criminals before they can tap into anything.