If we asked any of the IT departments that we deal with on a daily basis about their current priorities, they would all unfailingly say that protecting their company against cyber attacks and data breaches is top of the list – particularly now that GDPR is finally in force.
However, despite high awareness of the risks in terms of reputational damage, regulatory penalties and commercial losses, it’s evident that a surprisingly high proportion of companies – from SMEs to global corporations – are burying their heads in the sand when it comes to shoring up their cyber defences.
Here are 6 ways that we see companies failing to minimise their chances of suffering an information breach.
- Neglecting security until it’s too late
This is a far more common story than you would imagine. The reason? Until they’ve been targeted by cyber criminals, many companies still won’t recognise the very real likelihood – and potentially devastating impact – of a security breach. They think they can get away with not spending money until a crisis occurs.
Firstly, if there were a system to rate the cyber security threat at an individual company level, it would be severe – an attack is highly likely. Nearly half of all businesses in the UK were hit by a cyber attack in the last 12 months, with 38 new ransomware attacks being reported every day. Secondly, as we tell clients – prepare for disaster, recover faster!
- Thinking you can prevent breaches
In the security world, preparation doesn’t mean prevention. We are all engaged in a constant battle with ever-more sophisticated cyber criminals, and attacks are going to happen. Your security strategy should focus on defence but also on response. Early identification and containment are absolutely vital. Once an attacker has infiltrated a laptop or email system, can they then roam freely around your entire network? Think of them like physical intruders, who will try any route. You’ve designed the building, so install fire doors to slow them down!
- Not defining your business-critical data assets
Many organisations, especially those who have been hit by a breach and are in panic mode, haven’t covered off one of the basics: defining information assets and ranking them by priority in order to conduct a proper risk assessment. In essence, this crucial step is about understanding what you hold, its importance to the business and specific security risks. Only then can you make informed decisions and put the right measures in place.
- Not testing defences appropriately
It’s well recognised that companies should conduct an independent review of their information security posture every 12 months. But we find that a security testing strategy needs to be more flexible than this. A rigid annual review can leave you exposed to vulnerabilities if you’ve installed new software or servers in the meantime, for instance. Ideally, a pen test should be carried out after any significant change to your IT infrastructure.
- Over-relying on tech
Security is a process, not a product – and to mitigate the risks associated with social engineering, this is a fundamental lesson to take to heart. Overlooking the human angle will cause even the most advanced technical barriers to crumble. Train your staff, refresh that training, embed it into HR procedures and regular team meetings, put policies and procedures in place – and check that they are followed. Clients often tell us that they have the tightest security policies known to man – yet nobody is monitoring how well staff understand and adhere to them. Remember that the workforce is your frontline defence.
- Resistance to change
Is the IT or senior management team open to challenging existing ways of working, such as by bringing in external security advisors? It’s important to be honest with yourself about the capacity and limitations of your in-house resources. There is no room for being defensive or territorial in IT security – in fact, those attitudes could lead to very serious problems, particularly under the GDPR, which makes data protection everybody’s business. Risk assessments and decision-making need to be objective – and sometimes that’s easier to hear from a third party.
Of course, many of these fundamental processes are a requirement for ISO 27001-certified firms, but even then we find that there is often an emphasis on box-ticking and meeting initial standards, which tend to lapse over time. An effective information security framework needs to be continually refreshed and honed – with a security mindset embedded into your company’s culture at every level.