[BreachExchange] Securing your company culture

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 5 20:06:05 EST 2018


It's very easy to blame technology for many of today's problems but it's a
particularly convenient scapegoat when it comes to a security breach.
However, the fact remains, it's usually a human lapse or lack of focus of
some kind that makes a system vulnerable. This is why it's vital for a
business to secure its culture, as well as its data.

Even for those involved in IT security it's easy to imagine that the
serious incidents happen to somebody else. Recent major breaches such as
those reported by Equifax, Uber and Deloitte leave only a feeling of
schadenfreude. However, although big name cases attract publicity, a UK
government report[1] says that half of all UK businesses experienced a
cyber-attack in 2017.

Often breaches occur because the security team has not had time to apply
and test security patches in a timely manner, or because employees ignore
the need for 'strong' passwords. It has been reported that the Deloitte
breach occurred when an administrator's account was protected only by a
single password, with no 'two-step' authentication.

So, while implementing the right systems is important, organisations must
also instil the right attitude within the business so that employees
understand the importance of data security and don't put the organisation
at risk with the way they manage and handle data.

In an age where easy access to data is the norm, this is not
straightforward. Businesses must ensure that employees never compromise
security in exchange for being able to access the information they want,
when they want it – however frustrating this may be. There is a need for
education here. Take the manager that needs to deliver a presentation the
next day and wants to store it in an accessible place. There is a natural
inclination to save the slides in multiple locations – on the company
laptop, on a file-sharing application and on a memory stick, perhaps, with
the rationale that if one location fails, the others can serve as back-up.

Such an approach creates its own problems and users need to be made aware
of the issues and concerns. If the laptop is left on a train, it could be
easy prey for anyone with the skill and inclination to break into it. The
file sharing application could potentially be compromised also, while USB
sticks are frequently lost. Simply by taking the data outside of the
corporate infrastructure, you are bypassing all the security measures and
potentially putting sensitive information at risk.

It's a clear demonstration of how so many businesses can make themselves
vulnerable by effectively sleepwalking into data breaches. So, what's the

Technology should always be part of it. Anti-virus and anti-malware
software needs to be deployed and kept up to date. Data loss prevention
(DLP) tooling can also be deployed, tracking where files go and blocking
users from arbitrarily copying data out to unauthorised cloud services.
Adaptive authentication, in which the strength of multi-factor
authentication is adjusted to the assessed risk of each login to a website,
portal or application, also has an increasingly key role to play.
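The adaptive authentication mentioned above, and the point made earlier about an administrator account guarded by a single password, can be shown in a small risk-based step-up policy. The following is an added illustration written for this post, not code from the original article or from any vendor: the signal names, weights and thresholds are assumptions, and the login history and attempts are constructed sample data. Each attempt is scored against what is known about the user; a low score is admitted on the password, a raised score demands a second factor, a high score is refused, and privileged accounts are never admitted on a password alone.

```python
"""Risk-based step-up authentication decision (added illustration).

Weights, thresholds and signal names are assumptions chosen for this
example; a real deployment would tune them from its own login data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    time: datetime
    is_admin: bool = False


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_login: Optional[LoginAttempt] = None  # None: user never seen before
    failed_attempts_last_hour: int = 0


# Assumed weights and thresholds (not from any real product).
WEIGHTS = {
    "unknown device": 30,
    "new country": 20,
    "impossible travel": 50,
    "brute-force pattern": 30,
}
MFA_THRESHOLD = 30       # at or above: demand a second factor
DENY_THRESHOLD = 80      # at or above: refuse the attempt and alert
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; faster implies two actors


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt, history):
    """Return (score, reasons) for one login attempt against the user's history."""
    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("unknown device")
    if attempt.country not in history.known_countries:
        reasons.append("new country")
    prev = history.last_login
    if prev is not None:
        hours = (attempt.time - prev.time).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        # Guard hours > 0 so a same-instant attempt cannot divide by zero.
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel")
    if history.failed_attempts_last_hour >= 5:
        reasons.append("brute-force pattern")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt, history):
    """Return ("allow" | "mfa" | "deny", score, reasons)."""
    score, reasons = risk_score(attempt, history)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    # Privileged accounts never get in on a password alone, whatever the score.
    if attempt.is_admin or score >= MFA_THRESHOLD:
        return "mfa", score, reasons
    return "allow", score, reasons


# Constructed sample data: one user whose last login was from London.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = datetime(2018, 2, 5, 9, 0, tzinfo=timezone.utc)


def _attempt(device, country, place, hours_later, admin=False):
    return LoginAttempt("alice", device, country, place[0], place[1],
                        T0 + timedelta(hours=hours_later), admin)


ALICE = UserHistory({"laptop-1"}, {"GB"}, _attempt("laptop-1", "GB", LONDON, 0))

SCENARIOS = {
    "routine": _attempt("laptop-1", "GB", LONDON, 1),
    "new_device": _attempt("phone-7", "GB", LONDON, 1),
    "impossible_travel": _attempt("phone-7", "US", NEW_YORK, 1),
    "admin_routine": _attempt("laptop-1", "GB", LONDON, 1, admin=True),
}


def run_demo():
    """Map each constructed scenario to the verdict the policy gives it."""
    return {name: decide(a, ALICE)[0] for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, attempt in SCENARIOS.items():
        verdict, score, reasons = decide(attempt, ALICE)
        print(f"{name:18} {verdict:5} score={score:3} {reasons}")
```

The "impossible travel" check is what makes this adaptive rather than a fixed rule: a known laptop logging in from the usual country is admitted quietly, while the same credentials presented an hour later from the other side of the Atlantic on an unfamiliar device are refused outright, even though each signal on its own would only have prompted a second factor.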

Businesses need to reinforce the message that employees must take a
responsible approach to managing and protecting data. They must be aware of
the potential security threats and do all they can to mitigate them - from
taking care of the devices they use at work to ensuring their passwords are

Making sure every employee knows the consequences of non-compliance with
regulations such as the General Data Protection Regulation (GDPR) is also
important. If they know that penalties can be as severe as €20 million or
four percent of global annual turnover, whichever is higher, and that jobs
could consequently be at stake, the threat is no longer abstract but a
real, personal concern.

Finally, encourage them to adopt the assumption that a serious incident
could happen anywhere, at any time and to any business, and that it is
never merely 'someone else's problem'.