Take security seriously
The end is nigh. More and more data breaches are happening each day, and more information is being stolen than ever before. Attack vectors such as distributed denial of service (DDoS) and ransomware are on the rise. The former took out half of the Internet last October, when the DNS provider Dyn was hit by a huge DDoS attack[1].
Now is not the time to bury our collective heads in the sand, although that has been the defensive tactic of many thus far. UK businesses need to sit up and start taking the requirements of information security seriously. It simply can't be ignored any more. Raising this awareness must be a three-pronged effort by the media, the industry and the Government.
Larger fines
There are plenty of stark warnings in the media; however, the C-suite has until now often been reluctant to take them seriously. Coming into force on 25th May 2018, the General Data Protection Regulation (GDPR) could be the regulation that makes them sit up and take notice. The regulation, backed by the European Parliament, the European Council and the European Commission, is intended to strengthen and unify data protection for individuals within the European Union (of which, for the immediate future at least, we remain part).
The fines for companies in breach of the regulation will rise, going up to 20 million Euro or 4% of annual worldwide turnover for the preceding financial year, whichever is greater. This rise has quite rightly put GDPR on the agenda of even the most technophobic CEO.
A security DNA
Security must run through the very DNA of any organisation wanting to compete in these digital times. Yet most manufacturers – particularly those from a hardware background – are trying to layer more and more complex technology on top of already insecure legacy systems. Information security can no longer be an afterthought; it should be built into the software development life cycle (SDLC).
It is also imperative to implement the correct security architecture and keep it up to date. Technologies such as social networks and the Internet of Things (IoT) have changed the business landscape beyond recognition in the past decade, and there is no reason to believe this pace of change will suddenly come to a stop. Put simply, the pace of technological change, and the complexity that comes with it, is the greatest enemy of security today. We always have to play catch-up with the bad guys as they find new ways to infiltrate, and now is not the time for complacency.
The need for cyber breach drills
Most offices hold regular fire drills, and businesses need to treat cyber breaches in the same way. Simulations need to be run to ensure that everyone within the business, from the board to the proverbial shop floor, understands what they need to do to mitigate the impact of a breach.
Cybersecurity should be everybody's responsibility, not just the C-suite's. One of the best tactics is to have a number of security advocates within the organisation, to ensure it stays up to date on emerging cyber security trends and that education runs throughout the business. It is also important, though, that someone is ultimately held responsible for cybersecurity.
No-one wants to be next
As we have seen over the last 12 months, all industries are vulnerable to cyber security breaches. The negative headlines suffered by the likes of TalkTalk mean nobody wants to be the next unwitting CEO to be attacked.
In this day and age, the repercussions of a breach are far reaching, whether they take the form of direct losses such as theft, indirect losses such as brand damage, or productivity losses such as a critical system outage. A cyber breach can bring a business to its knees, to the point of no return.
In the firing line
Now is not the time to take chances. The threat of a breach is still not being taken seriously enough by many, and there needs to be an end to the "it will never happen to me" mentality. In our experience, not enough money is being invested in the right places, especially by those responsible for protecting personal information and valuable intellectual property, e.g. the healthcare, finance and defence sectors. With ever more stringent regulations – such as the aforementioned GDPR – senior teams need to take responsibility and know that they themselves are in the firing line if a breach occurs.
Only by integrating security experts throughout the SDLC and the wider supply chain can we address the growing scourge of cyber breaches. Using quality specialists helps to plug potential loopholes from the beginning, limiting security and privacy risks from the outset.
By Stephen Morrow, Principal Security Consultant at SQS
[1] https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet