Over the last twelve months, the Great British Public has bared witness to a steady stream of high profile breaches of the likes of Wetherspoons, Ofcom, and TalkTalk, to name but a few. Things have not been any better for small businesses who are collectively attacked seven million times per year by cybercriminals, costing the UK economy £5.26 billion, according to the Federation of Small Businesses. It therefore comes as no surprise that, according to recent research carried out by 451 Research, 89 per cent of UK organisations feel vulnerable to cyberattacks, especially when considering that nearly half of the organisations had experienced a data breach in the past.
As big data, cloud, and IoT usage increases, so do security concerns
As the data threat landscape continues to expand and cloud, big data, and IoT adoption accelerates, new sets of unique risks are constantly being introduced to organisations. This adds to the uncertainty that surrounds cybersecurity and the necessary steps to take to avoid the colossal financial and reputational damage that can occur as a result of a breach. In fact, ‘complexity’ was identified as the number one barrier to adopting data security.
Data security has often been perceived as being difficult to initiate and maintain, though deployment challenges can vary greatly in terms of the specific type of data being protected, and also where in the IT stack security measures are deployed, i.e. at the disk level, file level or application layer. The recent hack of IoT fitness tracking wearable ‘Fitbit’ further adds to the complexity surrounding these technologies and the security needed. Investigations found that the accounts that were accessed by an unauthorised party had ‘leaked’ credentials, compromised previously from other third-party sites unrelated to Fitbit, demonstrating that it’s no longer enough just to secure networks and endpoints.
The continued threat that comes from within
One of the more dynamic, and therefore challenging, attack scenarios that organisations continue to face is the ‘insider threat’. It is difficult to defend against, as it can involve both external and internal abuse of access to corporate data – whether this happens to be intentional or unintentional. Nearly 60 per cent of all UK participants still identified privileged users as the number one threat to cybersecurity.
Essentially the issue arises when employees or contractors have poorly controlled access to insecure sensitive data. This leads to a few different possible scenarios – examples include disgruntled or departing employees making copies of confidential files, inappropriate sharing of account log-n credentials, or phishing scams by outsiders who in turn leverage system access in order to steal data. It can also be the case that malware is introduced to the system. A laptop or PC could become infected and controlled by external forces, but lie dormant until the hacker turns them on, which can result in information being drip fed out of the organisation without anything being suspected.
Edward Snowden’s actions are perhaps the most famous example of an insider threat incident, but some others include the TalkTalk breach – where three employees of an Indian company outsourced by TalkTalk were arrested for stealing data and using the information to con customers out of thousands of pounds and, in March this year, a former employee of communications regulator Ofcom was found to have stolen commercially sensitive data and offered it to a broadcaster.
Inadequate security measures can destroy an organisation’s brand and reputation
A company’s reputation and brand image is an important corporate asset that can play a pivotal role in determining the success of the organisation. Should something happen that compromises this asset and negatively impacts the public’s perception of the firm, the effects can be devastating. A data breach incident will inevitably call into question the company’s credibility, as it is put under a microscope and examined on how it handled the issue, pre- and post-breach.
An example of the kind of reputational damage an attack can have was demonstrated when cybersecurity experts urged parents to boycott VTech’s electronic toys after 700,000 British children were affected by a data breach earlier this year. Although there appears to be a growing appreciation of the impact a data breach can have on a brand’s reputation with the 451 Research report revealing that that ‘reputation and brand protection’ is now the most important reason for securing sensitive data, UK organisations continue to strongly associate compliance with security, despite data breaches continuing to affect organisations that have been certified as compliant.
Compliance alone is not enough
When asked about IT security spending plans, ‘compliance’ came out on top, with nearly half of respondents citing it to be their number one priority. The truth is, even if you adhere to any number of regulations, you can still be breached, and the impact of a breach is rarely mitigated by simply stating you were compliant.
A case in point is yet another TalkTalk breach. The company could not initially say whether customer data was encrypted following the breach in October last year. It transpired that it wasn’t, but it also came to light that it did not need to be in order for the company to meet various compliance requirements. Unfortunately incidents like this bear testament to the fact that compliance alone simple isn’t enough, and that customers who have their unencrypted data compromised will not be reassured to find out that the affected company happened to meet all the compliance regulations in the World.
Aside from the obvious financial implications associated with brand damage, every organisation has a level of corporate social responsibility to all of its stakeholders. When a company is entrusted with sensitive data, it is its responsibility to demonstrate a commitment to implementing best practices, which can stretch beyond the interests of the firm and that which is required by law, by utilising all the knowledge and technology at their disposal to ensure that all their data remains secure.
When it comes to new compliance mandates, the recently approved EU wide General Data Protection Regulation (GDPR) will be on everybody’s lips. Those hoping the Brexit will provide an easy option out of having to follow the strict guidelines that will be brought about by the mandate will be sorely disappointed. The Information Commissioner’s Office (ICO) has made it clear that while the GDPR may not directly apply to the UK once it is out of the EU, data protection laws will not change and will still be applicable to UK companies handling EU citizenship data.
So long as UK companies continue to deal with the data of EU customers, all data protection measures taken must be of an equal standard to those operating in the EU under the GDPR. Instead of viewing the GDPR as a burden, companies should see it as a useful guideline to follow, helping the business avoid financial and reputational damage that can occur as a result of a data breach.
How to stay protected in a climate where cybercrime is rife
Concerns over ‘complexity’ have led to many organisations only encrypting data which they consider to be highly sensitive. While obviously this is better than no encryption at all, it does beg the question: what exactly is sensitive data? It is hard enough to know where sensitive data is located, let alone classify it and determine its level of sensitivity, particularly when it is constantly changing. Research confirms that most companies, in fact, do not have complete knowledge of where their sensitive data is located.
By ‘encrypting everything’, organisations will no longer need to worry about what data is sensitive and where that data is located. Instead, they can feel confident that no matter where data resides or how it will move around the organisation, when a breach does occur, any information accessed by cybercriminals would have been rendered illegible and of little to no use to anyone.
Encryption alone is not always enough. When tackling the insider threat, for example, it is important to have appropriate access controls in place. These controls can ensure that once a user is granted access it is continuously controlled, enforcing controls on user entitlements to access information, as well as other factors such as time of day. This can even prevent an authorised user from providing access to another person.
Data security needs to become a critical component of any comprehensive business strategy
The past few years have been challenging for the information security industry as a whole, and nearly everyone has been affected – end users, enterprises, and security vendors alike. If anything has been learned in that time, it is that the old ways of doing business and securing resources are no longer working as they once did. In the wake of the UK’s recent decision to opt out of the EU, many UK businesses are facing a period of uncertainty. With the decrease in the value of the pound and fears over a widening IT skills gap, it is understandable that cybersecurity might be low on the agendas for some UK companies. The truth of the matter is, though, that cybercrime is not going anywhere.
As firms grow to accept the limitations of traditional security approaches, data security needs to become a critical component of any comprehensive business strategy. Organisations of all sizes need to consider encrypting everything and implementing stringent access controls, particularly as cloud, big data, and IoT create greater volumes of sensitive data distributed across an exponentially larger array of devices, to not only ensure compliance but that data is secured and protected from external attacks as well as those from within.