[BreachExchange] How to create a culture of cyber safety
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Apr 30 19:52:53 EDT 2018
https://www.itproportal.com/features/how-to-create-a-
culture-of-cyber-safety/
2017 will go down in history as the year global ransomware damage costs
exceeded $5 billion, due in part to the largest ransomware outbreak ever
seen (WannaCry) and a data breach which exposed the personal information of
almost 50 per cent of the U.S. population (Equifax).
A dark shadow was also cast over the bright horizon of 2018 with the
disclosure of the Meltdown and Spectre vulnerabilities, leaving practically
every operating system and device at risk.
Keeping up with the relentless churn of cyber security updates can be a
challenge. However, it’s a worthwhile exercise, helping businesses
understand what’s currently happening, what could happen and the steps you
can take to prevent disasters.
Here’s how to build a cyber security culture to keep both your data and
your reputation safe:
#1 All Aboard
Despite 75 per cent of UK companies placing cyber security high on the list
of business priorities, often the task of protecting everyone falls on the
shoulders of the IT department.
Yes, IT is likely to have the most knowledge when it comes to attack
surfaces and protections, but as we’ve seen from recent major data
breaches, security is everyone’s responsibility.
Inevitably, a business will have digital front-runners, followers and
usually a few employees who are slower to adapt to technology processes. To
cater to all three, regular training workshops hosted by in-house or
outsourced experts is a must.
Ditch the tech-jargon and keep things simple. Try to make training relevant
to employees’ lives outside the organisation and show them how they can use
it to protect their personal online security as well, which will resonate
far more effectively.
Once everyone understands what’s at stake, they’ll be less likely to skip
security tasks, take risks or cut corners, which can leave your data
vulnerable to being lost or stolen.
#2 Reliable processes
If it isn’t already, information security and privacy should be built into
every internal process.
GDPR is almost here, placing new legal obligations on every business for
how data is handled, stored and protected. Those falling short of the mark
face a potential fine of up to 4 per cent of global revenue.
However, keeping your network in line with modern demands is not easy in
today’s borderless world where personal and work devices are
interchangeable and employees work outside the corporate network. Make sure
all employees, those working on-site and remotely, are informed of any
updated protocols to keep defences strong and to promote accountability.
Adopting a certified Information Security Management System can provide you
with a strong, risk-based starting point to demonstrate you’re applying
appropriate measures across business activities to protect personal data.
In the event of a breach of GDPR, your adherence to an approved ‘code of
conduct’ or certification such as ISO27001 may be taken into account when
the value of any fine is set.
All the same, GDPR extends beyond Information Security Management so it’s
important you take this into account when preparing for compliance.
#3 Manage your periphery
One of the most famous, and largest, third-party compromise were the
Paradise Papers, which leaked more than 13 million private tax files and
exposed instances of offshore tax avoidance by major corporations,
governments and celebrities.
These high-profile data breaches imply a business is only as safe as its
weakest link, which can exist internally or as part of your supply chain.
So, once your own business is in order, you should turn your attention to
your external network to check partners are in sync with your own security
values.
Take the time to really understand your business relationships. Which
vendors are using what data, how are they using it and what protections do
they have in place? The answer isn't holding back on outsourcing, but to
implement the correct systems and checks at every stage of a partnership.
Adding a contractual obligation for high-security standards, instant
notification if a breach occurs and a clause indemnifying you from loss due
to a security law is recommended.
Regular third-party audits, like sending out simple questionnaires, is a
good method to get written confirmation of security protocols. In the
worst-case scenario, you’ve got a paper trail to prove you take security
and GDPR requirements seriously.
#4 Get personal
More than thirty major tech companies recently signed a commitment to
protect public data and improve security. This comes after the shocking
revelation nearly 87 million Facebook users had their data harvested and
used by Cambridge Analytica, without their knowledge.
Customers have every right to know who has access to their data, how it’s
being used and whether it’s adequately protected and one thing’s for sure,
there is a long way to go when it comes to winning back consumer trust.
A stricter notification regime is coming with GDPR, where every qualifying
company must report significant breaches to the supervisory authority
within 72 hours, inform individuals of a breach with high privacy risk for
them and maintain an internal data breach register.
Don’t make the same mistake as Uber, who tried to conceal a large data
breach (affecting 57 million customers) for almost a year before Bloomberg
finally broke the story. The best advice, (and more importantly your legal
obligation!), is not to keep a breach schtum as this will just cause
further damage to your already dented reputation.
Transparency should be a central principle of your cyber security culture
and this extends to your customer base. If you’re unlucky enough to
experience a breach, your customers should be told straight-up as soon as
possible.
You need to inform them of the estimated date of the breach; provide a
jargon-free summary of the incident; information on the nature of the data
stolen and the measures you’ve taken to limit the damage.
Another good thing to include is a list of actions they can take to
mitigate any further damage (e.g. changing passwords and logins or
installing software updates).
The benefits of today’s technology do not come risk-free and unfortunately,
data breaches are just part of the reality of doing business in a thriving
digital society. However, building a culture of cyber safety into the core
of your organisation can help minimise risk and protect your reputation, so
if the worst does happen, you’ll be prepared no matter what.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180430/0321bd51/attachment.html>
More information about the BreachExchange
mailing list