A Word from our Chairman on Information Security
Posted: Wed, 01 Nov 2017 10:54
Right now, it seems as though breaches of cyber security are constantly in the news. Hackers recently stole the personal details of 143 million people from the credit agency Equifax, leaving those affected wide open to identity fraud and theft. In May the WannaCry ransomware hit around a third of NHS trusts in England, with appointments and operations cancelled as a result. And Yahoo has now admitted that all 3 billion of its user accounts were affected by its 2013 breach, far more than it originally reported.
Events like these mean big trouble for the organisations concerned: heavy financial losses, reputational damage, and worry and inconvenience for the victims, users and customers of the company. So what can be done to prevent such breaches? The truth is that effective cyber-security is a must if you want to stop attackers getting into your systems.
Cyber-security measures are designed to protect systems, networks and data from criminals and pranksters who want to gain unauthorised access. Much of this protection goes on without users of electronic devices being aware of it. It can even be built into the devices themselves, as firmware installed during assembly. There is also specialist software, such as anti-virus programs, which looks out for particular types of threat to your systems. Finally, there are the users themselves, probably the weakest link of all.

Think of it in terms of your home: a home can be designed and built to keep people out (high fences, dead-locks, CCTV). Many homes also have burglar alarms, which work much like security software: they detect intruders and make it hard to get in without an invitation. For the most part, these measures are very successful at keeping intruders at bay (although let's not forget the recent incident where a popular PC cleaning tool was tampered with to deliver malware to over two million users), so just how do hacks keep happening? The answer is that many breaches come from the inside. The Verizon 2014 Data Breach Investigations Report found that 88% of insider misuse incidents involved abuse of account privileges.
Are you at risk? Yes, if any of the following practices exist in your organisation:
- Non-existent or inadequate user account management
- Administrator accounts being used for non-administrator, day-to-day tasks
- A non-existent or poorly documented process for granting and reviewing user access permissions
- Passwords that are never or infrequently changed
- No policy requiring unique usernames, so accounts are shared and actions cannot be traced to an individual
- Failure to implement a strong password policy
- Inadequate or no cyber-security training
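Several of these warning signs can be checked mechanically from an export of your user accounts, before the fuller risk assessment described next. The Python script below is an added example for this page, not DeltaNet's code or anything from the original post: it reads a constructed (made-up) account inventory in an assumed CSV layout and flags duplicate usernames, accounts with no recorded owner or an overdue access review, stale passwords, and administrator accounts whose owner has no separate standard account to use (a sign that the admin account is doing day-to-day work). The column names, the thresholds and the sample records are all assumptions; substitute your own directory export and policy values.

```python
"""Audit an account inventory for the warning signs listed above.

Added example, not DeltaNet's code. The CSV layout, thresholds and sample
records are assumptions made for illustration.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample of an account export (assumed column layout; not real data).
SAMPLE_EXPORT = """\
username,owner,is_admin,password_last_set,last_interactive_logon,last_access_review
jsmith,Jane Smith,no,2017-09-01,2017-10-30,2017-06-01
admin-jsmith,Jane Smith,yes,2017-09-01,2017-10-30,2017-06-01
jsmith,John Smith,no,2017-03-10,2017-10-29,2017-06-01
bjones,Bob Jones,yes,2016-01-15,2017-10-30,2017-06-01
svc-backup,Backup job,yes,2015-05-05,,2017-06-01
temp01,,no,2017-02-01,2017-10-28,
"""

# Thresholds are assumptions for the example; take them from your own policy.
MAX_PASSWORD_AGE = timedelta(days=365)
MAX_REVIEW_AGE = timedelta(days=180)


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None when the field is blank."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_export(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, today):
    """Return (username, finding) pairs for every warning sign found."""
    findings = []
    owner_by_username = {}
    # Owners who have at least one standard (non-admin) account of their own.
    standard_owners = {r["owner"] for r in records
                       if r["is_admin"] == "no" and r["owner"]}

    for r in records:
        name = r["username"]
        owner = r["owner"]
        is_admin = r["is_admin"] == "yes"
        pw_set = parse_date(r["password_last_set"])
        reviewed = parse_date(r["last_access_review"])

        # No unique-username policy: the same username maps to two people.
        if name in owner_by_username:
            findings.append((name, f"username also used by {owner_by_username[name]}"))
        else:
            owner_by_username[name] = owner or "<no owner>"

        # Inadequate account management: nobody is recorded as owning the account.
        if not owner:
            findings.append((name, "no owner recorded"))

        # Undocumented access process: permissions never, or not recently, reviewed.
        if reviewed is None or today - reviewed > MAX_REVIEW_AGE:
            findings.append((name, "access not reviewed within policy"))

        # Admin account used for non-admin work: a person logs on interactively
        # with an admin account and has no standard account to use instead.
        # (Service accounts with no interactive logon are left alone here.)
        if is_admin and r["last_interactive_logon"] and owner and owner not in standard_owners:
            findings.append((name, "admin account with no separate standard account for owner"))

        # Passwords never or infrequently changed.
        if pw_set is None or today - pw_set > MAX_PASSWORD_AGE:
            findings.append((name, "password older than policy allows"))

    return findings


def run_sample(today=date(2017, 11, 1)):
    """Audit the constructed export as of the date of this post."""
    return audit(parse_export(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the sample data the script leaves Jane Smith's two accounts alone (she has a standard account for daily work and a separate admin account) and flags the shared "jsmith" username, the admin-only user and the stale service-account password, among others. Password strength itself cannot be judged from an inventory like this, so that item on the list still needs enforcing at the point where passwords are set.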
The first step towards improved cyber-security is to carry out a thorough risk assessment. Once the risks have been identified and their likely impact assessed, appropriate and robust measures to mitigate them should be put in place. It's a mistake to think that security will be enhanced by technology alone; adequate processes and procedures, and competent, well-trained staff, are just as crucial.
There are frameworks that can help you mitigate those risks. ISO 27001, for example, sets out the requirements for an information security management system and is widely recognised as the benchmark for good practice, which in turn helps you demonstrate compliance with regulatory requirements. Cyber Essentials, a scheme developed by the UK government, gives guidance on five key control areas: secure configuration, boundary firewalls and internet gateways, user access control and privilege management, patch management, and malware protection. It is an excellent starting point for mitigating the most common cyber-security risks.
DeltaNet International can help as well. We offer a wide range of courses covering cyber and data security topics, all designed to educate your staff on how to keep information secure (see below to find out more about the courses we offer).
Even basic awareness training can significantly improve your organisation's cyber-security and help prevent the financial and reputational losses that follow unauthorised access to your devices and systems.
In summary, by putting a combination of technology, processes and procedures, and staff training in place, you'll be well on the way to keeping your information and data secure.