I have heard many CSOs, information security and IT managers over the years bemoan the fact that they are just not given the authority or budget to properly secure their systems, and I can quite understand their frustrations, especially in today’s challenging threat landscape.
The thing is that the management of most organisations are tasked with increasing profits, reducing costs and improving efficiency (either all of the above, or parts thereof). Traditionally the problem with Information Security/IT Security/Cybersecurity is that it had no obvious return on investment to the management, board, or shareholders, so it has been the poor relation to other parts of the organisation with regards to resourcing and funding.
Poor data and system security practices in many organisations seem to be endemic and we are seeing so many breaches hitting the headlines through poorly configured, unpatched and out of date technology that it would be laughable if it were not so serious.
All that said, I believe that paradigm is beginning to shift. With the class action being brought against BA, the maximum fine ever being issued by the ICO to Equifax, the potential fines from the Financial Conduct Authority to be levied against Tesco Bank and much more going on, I believe people may well be beginning to sit up and take notice.
There is no real return on investment with Cybersecurity apart from peace of mind, such as that you get with an insurance policy. However, with the various regulatory authorities such as the Information Commissioner and the Financial Conduct Authority taking personal and financial data breaches seriously and applying penalties that have teeth, can we really ignore the security of that data as we have in the past?
Additionally (and more importantly) the individuals whose data is being breached are being affected terribly through impact to their credit scores, identity theft and monetary loss. Their human rights are being affected through lack of care, or negligence from those organisations that are not taking the issue seriously. This is not right.
The Solution (or part of it anyway)
The good news is that most of the breaches that happen are caused through poor training, policies, processes and procedures, most of which are inexpensive to put right. Fixing them can stop organisations from becoming low hanging fruit to the bad guys (internally, or externally), or to employees who accidentally cause a breach through lack of knowledge.
Below are some suggestions on things organisations can do to improve their security and data protection posture without having to spend a fortune:
- Training – Train your staff in the basics of data protection and cyber security. This should be done in whatever way best suits your organisation and can be done face to face, or online. The authorities look unfavourably on a breach where not even the basic levels of training have been done.
- PPP – Implement good processes, policies and procedures around securing systems and processing data. There are a ton of free resources at sites such as:
- Engage – Engaged employees are far more likely to handle data in a way that is secure. I have seen organisations use things like the “Parking Ticket” system where if an employee leaves their screen unlocked, someone will put a post-it note on the screen with strike 1 on it. The strikes are added up at the end of the week/month and the person with the most buys the beers/cakes for the rest of the department. Anything like this, that is a bit of fun, but conveys a serious message is good.
- Patching – Ensure that you have a regular program of patching your systems, and that someone is assigned responsibility for making sure it happens. Equifax allegedly had a web-application vulnerability for which a patch had been available for more than two months before their massive personal data breach.
- Optimisation – Have your IT team, or managed service provider, review your firewall, router, secure web gateways etc. to ensure that the rule sets and security features are rationalised and optimised for security. I have seen many of these with glaring holes in them due to poor configuration that does not conform to best practice.
- Configuration – Ensure that any systems you have are configured properly. In most cases the vendors would be happy to help health check and provide advice on how best to configure the solutions within your environment.
- Get Your Money’s Worth – If you have features and functionality that can aid security in your environment, ensure they are turned on. Many solutions include encryption, or multi-factor authentication, within their core feature set, but these are often not turned on by default. If you are paying for the solution, then get the most from it.
- Access – Ensure that only the right people have access to what they need to do their jobs, by looking at things like Active Directory audits.
These are just a few suggestions of things that can be done at low cost/no cost within organisations to stop them from becoming low hanging fruit and I hope they prove useful to you.