Hosting and securing data is now an inherent part of corporate life. Every company holds confidential data of some sort, which can put them at risk if that data is not secured properly. Cyber attacks are on the rise. Symantec reported that attacks rose 40% last year, and the World Economic Forum flagged cyberattacks as one of this year’s biggest risks. 2015 has seen some of the highest profile cyber attacks we have ever seen (Ashley Madison and Carphone Warehouse among them).
Research from Grant Thornton shows that cyber attacks cost businesses upward of £200bn a year, with the average cyber attack costing a business 1.2% of its revenue.
Security is no longer just an issue for the CTO. It’s a strategic, board level concern. The UK Government’s ongoing national cyber security strategy has highlighted the importance of improving cyber awareness and risk management among businesses. The UK government identifies security as a board level responsibility, and has gone as far as to create guidelines and help sheets for executive teams on how to protect sensitive data.
Security must be a priority for businesses. Bolting on security solutions as an afterthought to business systems isn’t good enough to protect confidential data against increasingly sophisticated cyber threats.
Sometimes, the simplest errors are the most costly in security terms. Leaving a confidential document on a train, or a laptop in a taxi, or having a password that is simple to hack, are all common mistakesthat companies must protect against. I’ve lost count of the number of times I’ve been in a hotel business centre, and seen a confidential document lying on the photocopier.
The growing use of mobile devices creates greater risk, too. Employees bring their own tablets and smartphones to the office, connecting to social networks and the Internet of Things, and with these devices comes more potential points of failure. Businesses commonly use messaging apps and file storage systems , which all create additional risks. Educating employees about their role in keeping the corporate network secure and creating a culture of security, is critical.
That education should start at board level. People present the biggest risk to the business, because they are the ones who make mistakes that hackers can exploit. Board members can be even more vulnerable than most; they’re more likely to travel with confidential documents than more junior employees, and will certainly have access to the most sensitive company information. They may be more experienced in business, but they may not be as tech-savvy as other employees .
The senior leadership team should be focused on cybersecurity and set it as a priority for the company. Security should be discussed regularly at the board level, and action taken to mitigate vulnerabilities.
In addition to being alert to the risks, the board must be held accountable to the same stringent security rules as the rest of the business. We know that details of highly confidential information such as M&A details, financial transactions and so on are often emailed or couriered to board members to review. And if a business doesn’t protect its most sensitive information, all its work in good corporate governance, strong security systems, and regular testing is rendered worthless.
It is important to have a long-term plan to protect the network, employees (and their devices), and documents, and to test that plan regularly using third-party penetration testing. This plan might include:
Avoiding breaches caused by human error
– – Review internal security regularly: enforce password changes, and limit what can exist outside the firewall. Regularly train employees in handling sensitive data, and keep tight control over who has access to it.
– – Create a clear protocol for what happens if a password is stolen, and ensure your systems can deny access rights to confidential data if needed. Always know where confidential documents are, at any given point, to avoid the risk of papers being left in a cab, or overlooked on a plane.
Securing confidential documents
– – Never use unsecured email send sensitive documents, and ideally avoid printing documents entirely. Use collaboration tools built with security in mind to communicate confidential information. Ensure that data is always encrypted (even when it is on the move) with at least 128-bit SSL/TLS encryption, although using 256-bit encryption is ideal when documents are being stored on servers or devices.
Securing your datacentre
– I – If you (or your suppliers) use a datacentre, secure the servers on which sensitive data is stored, and use physical security such as on-site guards, CCTV, strict access control, and generator back ups to keep the data safe and on-line.
– – Include redundant facilities to enable systems, storage and networks to continue even if something does happen to the primary systems. Back up data to a secondary, geographically separate disaster recovery environment and monitor your data 24/7.
Keeping the network secure isn’t an easy task, but the best place to start a culture change is at the top. And there are some great tools to help make the easiest thing to do also be the most secure thing to do.