One of the three main risk scenarios highlighted in this year’s edition of the World Economic Forum Global Risks report is digital disintegration. On the basis that cyber-attackers now have the upper hand over organisations trying to defend their data, the authors of the report contemplate the possibility of “Cybergeddon”, whereby the internet is abandoned by businesses.
However, many businesses continue to underestimate the threat, believing that they would be of little interest to fraudsters. An urgent change of mindset is called for, says Florian Stahl, lead information security consultant at MSG Systems in Germany. He offers nine tips to bolster thinking around data security.
1. Don’t underestimate the severity of the threat. Many managers are not fully aware of the risk, or of how dramatically the potential damage from a cyber-attack or breach has increased in recent years. The complexity of the risk is another reason it is often underestimated.
A common mistake that many companies make is to think that their data are not of interest to cybercriminals. But external attackers are moving away from the really big companies that have already implemented robust information security systems and are starting to look at smaller companies instead. Attacks on smaller organisations still have the potential to cause large-scale damage since they often have relationships with, or host systems for, larger companies.
2. Breaches can often go undetected. There already may have been incidents, in your company or your client’s, that have gone undetected. For example, if data are copied, they remain in place, which is not as noticeable as a breach in which something is removed altogether. Many companies do not have advanced monitoring or logging systems, so they often cannot detect attempts by external actors to access or manipulate the data.
3. Be aware of the emerging threats, but don’t ignore the old ones. For example, insecure web applications still pose a significant risk. A process needs to be established within the company to ensure patches are applied when required.
4. Consider security from the inception of a project. When developing new solutions and software, security should be taken into account from the initial stages of development. If vulnerabilities are considered only at a later stage, firewalls, anti-virus and detection systems can still be put in place, but they may not provide a completely secure system. Addressing security later, rather than sooner, also will increase costs.
5. Make it a C-suite issue. Stahl suggests that responsibility for information security be moved from the IT department to the C-suite. While the necessary countermeasures should come from this level, individual departments should also take some responsibility for the information they work with and think about the potential threats to that data, as well as the implications if the data are manipulated or fall into the wrong hands. The IT department often lacks awareness of the business case behind each set of data.
6. Train all staff on cybersecurity, not just the IT department. Threats to your data can also come from inside the company. Data leakage is defined as the release, dissemination or theft of informational assets without proper authorisation. Unintentional data leakage is mainly caused by insiders who may not be aware of the risks. This includes, for example, employees who want to finish some work at home and either put sensitive files on an external platform such as Dropbox, email them to a personal email account or mistakenly send an email containing confidential information to the wrong person. However unintentional it may be, this type of leak can still cause damage to your company.
Classifying your data into confidential, internal and public categories is a significant step towards protecting it. Only public information should be permitted to leave the company. Clear classification provides criteria by which employees can decide whether they should be sharing information with a partner organisation, for example. The decision can otherwise be difficult for employees to judge.
Policies and processes are important, but they don’t help unless they are implemented in practice by all staff members, not just the IT department. Therefore, employee awareness of the threats that exist and how to deal with them is crucial. Management cannot control every element themselves.
7. Implement technical solutions. Given that people make mistakes, it is hard to eliminate unintentional data leakage completely, but it is important to reduce it to a minimum. In addition to educating employees about the risks, organisations can implement technical solutions such as data leakage prevention software that filters all traffic that leaves the company, whether email or internet traffic, and raises an alert when credit card numbers or a particular keyword or pattern is detected.
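As an added illustration of the kind of outbound filter described above (example code written for this article, not a product or anything from MSG Systems), the snippet below inspects constructed sample emails leaving an assumed internal domain and raises an alert when a Luhn-valid card number or a classification keyword appears. The Luhn check keeps plain 16-digit order references from triggering false alerts.

```python
import re

# Assumed internal mail domain for the example; messages to any other
# domain are treated as leaving the company.
INTERNAL_DOMAIN = "example-corp.internal"

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Keywords tied to the confidential classification (constructed list).
CONFIDENTIAL_KEYWORDS = ("confidential", "internal only", "merger")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def inspect_outbound(recipient: str, body: str) -> dict:
    """Decide whether a single outbound message should raise a DLP alert."""
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    reasons = []
    if external:
        cards = find_card_numbers(body)
        if cards:
            reasons.append(f"{len(cards)} Luhn-valid card number(s)")
        lowered = body.lower()
        reasons += [f"keyword '{kw}'" for kw in CONFIDENTIAL_KEYWORDS if kw in lowered]
    return {"recipient": recipient, "external": external,
            "alert": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    print(inspect_outbound("partner@gmail.com", "Card 4111 1111 1111 1111, confidential"))
    print(inspect_outbound("colleague@example-corp.internal", "Card 4111 1111 1111 1111"))
```

A production filter would also apply the same check to web uploads and attachments, and a Luhn-valid match can still be a false positive, so alerts should be triaged rather than auto-blocked.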
8. Identify the data “crown jewels”. Stahl advises that companies focus on protecting their most important data first. This category, which makes up about 5% to 10% of the company’s data, is also referred to as the “crown jewels” because, if it were to leak, it would cause significant financial or reputational damage to the company. This category should be encrypted and access to it restricted.
9. Ask questions. Although finance professionals may not be directly involved in development or migration projects, they can, and should, ask questions to verify whether information security has been taken into account on these projects.
—Samantha White (firstname.lastname@example.org) is a CGMA Magazine senior editor.