Cybersecurity is no longer a mere compliance matter. It is one of the primary business imperatives that financial services firms must address. According to the latest 2014 Verizon Data Breach Investigations Report, cyber espionage is on the rise, and the use of stolen or misused credentials is still the leading way cybercriminals gain access to corporate information. With 511 incidents, the report shows more than a three-fold increase in cyber espionage compared with the 2013 report.
Businesses of all sizes should adopt a scenario based approach to security in order to fully understand the extent of their threat landscape. This entails considering all the different threats and imagining how they might play out. If you can explore in detail the potential impact of each scenario, you can then begin to build a true understanding of how your organisation is structured to cope. For example, what happens when a personal device that contains business data is lost or stolen?
BYOD strategies are accelerating, and whilst this can result in greater productivity and a boost to staff morale, it can also lead to increased security threats or breaches. The question is how this trend can be regulated, and to what extent an organisation can dedicate and reinforce processes when it is the employees who own the devices.
Many organisations are struggling to update their security software and policies, so whilst the technology exists today to wipe business data from a device, or disconnect its access, once the device is reported stolen, that does not mean lapses won't occur. Businesses need to ensure that policies are enforced across all staff using the BYOD scheme. The rise of a mobile workforce using a variety of devices is now showing how threatening such a scheme can be to a business's security and intellectual property, and protecting against this has never been more challenging.
Whilst many organisations believe they have sound security measures in place, the reality is that these are often implemented in a piecemeal way, with solutions addressing only specific needs. A disjointed approach is rarely sustainable; organisations should favour a holistic approach instead. Security should never be considered in isolation from the business: it should protect and enhance business processes, and risk must be properly identified across key business areas.
Companies should be creating and continually adjusting their security policy, implementing any additional tools and processes needed to address threats. They also need to review the policy regularly in line with changes in the environment, whilst evaluating themselves against the current policy to see whether they have routinely followed procedure. If there seems to be a distinct lack of engagement with the organisation's security policy, questions need to be asked about how the policy should be refined, and whether tools should be changed or added to help with security compliance.
The security landscape is constantly in flux, with more advanced threats continually being generated. No organisation will ever be 100 per cent secure; any security measures and policies must be agile enough to deal with the changing threat landscape.
- Any good security policy should include measures such as using strong passwords that combine numbers and letters; not sharing or displaying passwords; and only opening email attachments from reliable sources.
- You should also encourage staff to use the web responsibly, and stay vigilant when contractors and outsiders are in the office.
- In terms of IT, you should monitor access to the network, including memory sticks and other plug-in devices, which can be used to steal company information.
- The sky is the limit when it comes to implementing security software, but there is a minimum level of security that any business should have. This includes: antivirus software to catch viruses and Trojan horse programs; anti-spam software to control spam, which could contain malicious code or links to hacker websites; and anti-phishing software to detect financial phishing attempts.
Security has to be considered in the round. If asked the question 'is our data secure?', the answer will mostly be yes, because the organisation has put security tools in place. However, security is not simply a matter of 'yes' or 'no'; it is about asking and understanding 'so what exactly happens when…'. Only by exploring such questions will you know whether your organisation is primed to handle all security eventualities.
By Jon Milward, Head of Marketing & Partnerships, Northdoor.