It may be a cliché but it can’t be said enough: where security breaches are concerned, it’s not if but when. Breaches are splashed across the front pages of the news on an almost daily basis, with some of the world’s biggest companies falling victim. But the story behind these latest breaches to hit the headlines is different.
Just last month, the Red Cross Blood Service suffered a breach of its valuable donor data, but how did it end up in the public domain? Unlike the usual narrative, the Red Cross didn't see its systems hit by ransomware or have cyber criminals find a weakness in its security strategy.
This unfortunate mistake happened after a contractor left an unsecured backup copy of the data on a publicly reachable development website. Nobody had to break in; the file was simply there for anyone who looked. This isn't the only example, either: it was recently revealed that global IT consultancy Capgemini was responsible for a similar breach of jobseekers' data.
How valuable is data?
In today's data-driven world, the amount of customer data a business collects is rapidly increasing, with one widely cited forecast putting the world's total volume of digital data at 35 zettabytes by 2020. At most companies, the amount of data collected far outpaces the ability to protect it, increasing the chances of a serious data breach. In fact, there is now evidence that data breaches not only cost firms an average of around $4 million per incident, but also substantially erode consumer trust and corporate reputations.
Most strategies focus on cybersecurity and hacker protection but overlook the major culprit: the firm's own employees. Data breaches involving human error are becoming more and more commonplace, with BT finding that 60 per cent of cases of compromised data were caused by human error. Mistakes may be a part of life, but the risk of an employee, contractor or partner exposing your customers' or your business's data can be mitigated with good practices.
Start with a strong foundation
To protect yourself against both cyber criminals and human error you need to ensure you have a strong but simple security foundation. It's important to review this strategy regularly as threats are ever changing. To do this, think like a criminal: identify which data is most valuable to an attacker, and where it actually lives (including copies, backups and test environments), to ensure you are protecting the right parts of the business. Employees and clients are vital to detecting threats precisely because they are so often the weakest link.
The key to a successful security strategy is the ‘simple’ part; there are tried and true security methods that need to underpin the wider process. Being able to explain the importance of these to your workforce is step one in mitigating risk.
Make security commonplace
Many organisations have made their security strategy a taboo subject. Without collaboration from within and between peers in our region and globally, we will not be able to protect our data.
Security should not only fall to the IT team. Make this an agenda point at regular board meetings and task senior executives with reviewing policies and processes to ensure they align with the rest of the business.
Not only will these executives be able to share their insights into the areas of the business that need protecting, but it will show that this is an issue the business is taking seriously while encouraging the rest of the workforce to comply.
Does your workforce know who to contact if they've seen a breach, or what financial penalty a business can face for exposing valuable IP? The more educated your workforce is around the issue, the more likely they are to think about their actions. The best way to encourage people to talk security is by providing regular training as well as educating employees about the regulatory rules they need to adhere to.
How will your security team react in the face of a threat? In a recent survey, only 9 per cent of businesses claimed they faced no hurdles in achieving a quick response in the event of an attack. But nearly half saw regulation or reliance on legacy systems as constraints on their efforts to respond quickly to a digital security threat.
Make sure you are prepared by working with your clients and partners to stage exercises testing your capabilities. It’s essential your clients and suppliers are aware of the strategy and their role during the response to an attack.
We need to accept that a breach of data, whether it's via human error or a cyber-attack, is inevitable. With the law in Australia set to change with the introduction of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which amends the Privacy Act 1988, businesses will be required to notify the Office of the Australian Information Commissioner as well as the affected individuals of certain breaches.
Businesses are advised to have in place a process that will allow them to quickly identify a breach, assess whether it is an 'eligible data breach' under the Bill, and determine the next steps for notifying the relevant parties. Under the Bill, a breach is 'eligible' when the unauthorised access to, disclosure of, or loss of personal information is likely to result in serious harm to any of the individuals concerned, so the assessment needs to look at what data was exposed and to whom, not just whether a system was touched.
With the frequency of breaches on the rise, it's important that we learn from each other and share our experiences. The more we know about how these breaches occur, the more prepared we can be. In Australia, CERT Australia has announced it will open its first cyber threat sharing centre by the end of the year.
These centres will facilitate intel sharing between the private and public sectors with the aim of producing data and advice for improving security strategies.
Cybersecurity is changing by the day and to protect businesses and their consumers’ data, we need to constantly evolve to keep up with it. While everyone understands the importance of protecting data, there is still a perception gap between the ideal scenario and reality.
Consumers believe their data is safe and secure when they hand it over but in reality, it isn’t as secure as one would hope. With the right technology coupled with investment in processes and educating people, we can reach a level where reality matches up to expectation.
Article by Hans Haverhals, Head of Cyber Security Australasia, BT.