Category Whitepapers and Guides
Welcome back to the second instalment of this two-part blog series, where we’re looking at what consumers and companies can do to help keep data safe. Today it’s all about companies – we’ll be focussing on why it’s important to have layers of security and the steps organisations can take to minimise the risk of a data breach.
We previously touched on the fact that cybercrime has surged during the pandemic – but now we’re going to get into the nitty gritty of why.
The pandemic panic meant that organisations that maybe hadn’t even considered remote working as an option before, were forced to have remote solutions… and fast! Companies were under pressure, in the limelight and needed to consider the safety of their employees. Perhaps this led to some security controls and processes being overlooked? More quick fixes and botch jobs?
The BBC reported that ‘in the rush to set remote working practices up, even simple data protection practices were ignored’. A data breach survey undertaken by Hayes Connor shows that 1 in 5 people didn’t receive any data protection guidelines while working from home and 2 in 3 companies are failing to get both password protection and encryption security policies in place. Perfect for cyber criminals seeking to exploit the chaos of the ongoing crisis.
Could the rise in cyber criminals be due to the fact that it’s just easier to hack companies these days? Computer Weekly reported that people were increasingly turning to cybercrime to make money ‘easily and quickly’ during the pandemic, and with so many Brits being left furloughed or unemployed it might have been their only option.
“Unfortunately, many people fell on hard times, with many unable to find employment”, says Sean Wright, application security lead at software firm Immersive Labs. “While not an excuse, it’s understandable that some may turn to cybercrime to make some money to survive.”
Even pre-pandemic, cyber-attacks were common, and some can have detrimental consequences for the organisations involved. One that stands out clearly in my mind is the attack on the NHS back in 2017. Over a third of UK Trusts were disrupted by ‘WannaCry ransomware’ – essentially, IT systems were infected with malware and users were locked out until a ransom fee was paid. Thousands of NHS appointments were cancelled due to the attack, and the National Health Executive reported that this incident cost the NHS £92 million through services lost during the attacks and IT costs in the aftermath.
Another big organisation to fall victim to ransomware more recently is British clothing brand FatFace. Acting like a legitimate security testing service, the Conti ransomware gang put FatFace’s security systems to the test and were able to exfiltrate 200GB of data before encrypting machines. Conti then offered some advice to the IT team at FatFace on how they could strengthen their security to prevent cyber-attacks in future… after collecting a mere $2 million ransom, of course! (Computing)
Although lessons are learnt by any organisation experiencing an attack, there are a handful of ways that these incidents could have been prevented… Let’s have a look*.
Info Security reported that in 2019, 90% of data breaches in the UK were caused by human error. Is this down to employees being lazy and lax with security best practices? Or are staff just not aware of the data protection regulation processes? Most likely the latter and it’s your job, as an organisation, to raise awareness and ensure your employees are trained up in all things cyber-security.
They need to know how to avoid a data breach, what suspicious activity is, what a data breach actually looks like and what to do if a breach has occurred. The best practice is to ingrain this cybersecurity education into your company’s compulsory training. A common way to do this is through virtual e-learning where knowledge is taught and tested. Check out the National Cyber Security website for more information.
There is a big misconception that ‘one size’ fits all when it comes to security solutions, but no one system has ever been entirely successful in preventing data breaches. The trick here is layering. The layering of different security systems helps to prevent gaps. Think of it like stopping a leak… the more duct tape you put on, the less likely the water (in this case, hackers) is going to seep through.
We’re not saying adopt every security solution going, and you should definitely research your options to find what works for you and your company. Perhaps take a look at a few of our partners that specialise in various fields within security from container vulnerability management (Aqua Security), network and anti-virus tooling (Trend Micro) to security monitoring (Splunk).
Whatever you decide is the best fit for your company you should also test – don’t wait for a security threat to come around the corner to see if your defences hold up.
Alongside testing, it’s also really important to configure your solutions correctly. You could throw all the money in the world at the biggest and best solution, but if it’s not configured correctly, you could have a security risk on your hands. Taking the time to configure your solutions correctly also allows your IT team to get to know the new system and understand what tooling they’re working with.
Picture this. Your employee knows all the websites she’s using – tapping into podcasts and catching up with friends on social. She knows she’s not on an illegal website downloading the latest and greatest films at 1:00am. But what she doesn’t know, is that her 13-year-old son borrows her laptop to do just that. We can’t assume that our employee’s personal equipment is going to be 100% secure – even with all the right software downloaded.
Hayes Connor reported that 2 in 3 employees who printed documents at home in 2020 admitted to putting these documents in the bins both in and outside their house. More potential data breaches that could have been avoided by providing employees with a shredder. Professional shredding company, Shred-it, discusses the importance of shredding personal or identifiable information to avoid falling victim to bin raiders. Bin raiding is when a thief goes through bins to steal data, which can then be used to commit fraudulent activity, identity theft, data breaches… you name it!
A leisure centre found themselves in hot water earlier this year after customer details were allegedly found in a bin, prompting an ICO investigation (BBC) – begs the question, should we be as scared of bin men as we are of hackers?
Alleviate the burden on your employees by giving them the equipment they need to do their job properly and minimising the security risk to your company.
As previously mentioned, testing your security solutions regularly is really important. It allows your company to prepare for multiple eventualities and test the strength of the defences in place. Whilst this testing will catch the majority of security risks, it’s important to have a backup plan. If the worst happens, an organisation needs to be ready and educated on what the next steps are. One example: if your web or data servers fail, you’ll need to think about backup servers, who to contact if this happens and whether you need to communicate this with clients/customers – something to bear in mind when developing your incident response playbooks and contingency plans.
It’s all well and good having a theoretical plan B, but have you tested it? Does it work in action? Or will you fall at the first hurdle? Testing your defences and responses regularly is essential to minimise your risk of a breach and ensures employees know the process should any issue arise.
As with anything, the more space you use the more costly something will be. Want a 5-storey mansion the same size as a football pitch? This is obviously going to cost more than your average terrace house. Space = money, so it’s in your best interest to purge the data you don’t need. This will save you money on cloud or on-premises storage.
If that isn’t enough to motivate you to ditch the useless data, GDPR also states that you cannot keep data for longer than you need it. So, you need to think, is there a specific reason to keep this data for the future? Is it important enough to keep? If not, then get rid. This helps to reduce the possibility of the data you collect becoming irrelevant, excessive, inaccurate or out of date (ICO).
If you were to have a data leak and information that you didn’t even need anymore was out in the open, you’d really be kicking yourself for not deleting or anonymising it in the first place… Be proactive, stay organised and reduce the company’s risk.
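To make the retention point concrete, here is an added example (not code from the original post or from ECS) of what a data-purge routine can look like in practice. It assumes a constructed set of records, each tagged with a category, and a constructed retention policy in days per category; those numbers are illustrative assumptions, not legal advice. Records past their period are deleted, except in categories that must survive for audit, where the identifying fields are stripped instead, and records in a category the policy does not cover are held and flagged for a human decision rather than silently kept forever.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Retention period in days per record category. Constructed, illustrative
# values: the right periods depend on your own lawful basis and obligations.
RETENTION_DAYS = {
    "marketing_consent": 365,
    "support_ticket": 730,
    "invoice": 6 * 365,  # financial records usually carry a longer statutory period
}

# Categories that must survive for audit after their personal data is no longer
# needed: strip the identifying fields instead of deleting the row.
ANONYMISE_INSTEAD_OF_DELETE = {"invoice"}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    email: Optional[str]
    name: Optional[str]
    anonymised: bool = False


@dataclass
class RetentionReport:
    kept: List[Record] = field(default_factory=list)
    deleted_ids: List[str] = field(default_factory=list)
    anonymised_ids: List[str] = field(default_factory=list)
    review_ids: List[str] = field(default_factory=list)  # unclassified data


def is_expired(record: Record, today: date) -> bool:
    """True when the record is older than its category's retention period."""
    limit = RETENTION_DAYS[record.category]
    return (today - record.created) > timedelta(days=limit)


def anonymise(record: Record) -> Record:
    """Remove the fields that identify a person; the record stays for audit."""
    record.email = None
    record.name = None
    record.anonymised = True
    return record


def apply_retention(records: List[Record], today: date) -> RetentionReport:
    """Apply the retention policy to every record and report what happened."""
    report = RetentionReport()
    for r in records:
        if r.category not in RETENTION_DAYS:
            # No policy covers this data, so don't silently keep it forever:
            # hold it and flag it for a human decision.
            report.kept.append(r)
            report.review_ids.append(r.record_id)
        elif not is_expired(r, today):
            report.kept.append(r)
        elif r.category in ANONYMISE_INSTEAD_OF_DELETE:
            report.kept.append(anonymise(r))
            report.anonymised_ids.append(r.record_id)
        else:
            report.deleted_ids.append(r.record_id)
    return report


def run_example() -> RetentionReport:
    """Constructed sample records run against the policy as of 1 June 2021."""
    today = date(2021, 6, 1)
    records = [
        Record("r1", "marketing_consent", date(2021, 1, 1), "a@example.com", "A"),
        Record("r2", "marketing_consent", date(2019, 1, 1), "b@example.com", "B"),
        Record("r3", "invoice", date(2010, 1, 1), "c@example.com", "C"),
        Record("r4", "unclassified", date(2021, 5, 1), "d@example.com", "D"),
    ]
    return apply_retention(records, today)


if __name__ == "__main__":
    rep = run_example()
    print("kept:", [r.record_id for r in rep.kept])
    print("deleted:", rep.deleted_ids)
    print("anonymised:", rep.anonymised_ids)
    print("needs review:", rep.review_ids)
```

The report is the part worth keeping: a log of what was deleted, anonymised or flagged is what lets you show a regulator that the retention policy is actually being applied rather than just written down.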
So, what have we learnt?
The pandemic has been a big change for all of us. For some companies, it’s highlighted the cracks and the need for more robust security procedures. But pandemic or no pandemic, organisations need to focus more on the steps to keep their company secure – security shouldn’t be an afterthought.
We hope you’ve enjoyed this second instalment of the two-part blog series discussing what consumers and corporations can do to help keep data safe. Missed the first? Check it out here (LINK).
*The above security tips are guidelines only. Building security into your DevOps strategy (DevSecOps) or navigating the increasingly sophisticated cyberattack minefield requires equally sophisticated tools, approaches and knowledge – all ECS can help with!
Reach out to the team today.
Hi, I’m Louise Fenn and I’m from sunny Yorkshire! Up until now, I have spent my career working in healthcare – but I thought it was time for a change. I joined ECS in April 2021 as a Content Marketing Executive, with a keen interest in writing and design. I’m really enjoying my time at ECS and I’m excited to deepen my knowledge of the world of tech.