“The right cyber security advice is out there; it’s up to companies to listen to it” – Damian Walton, Director of Professional Services, IntaForensics
“I suspect that the vast majority of technology users must be at saturation point with the daily barrage of news and media articles regarding the unceasing tirade of cyber attacks being perpetrated against high street names and current celebrities. The perception may be that the threat is interesting, even worrying. Most people leave it there, and never take any concrete steps to reduce or manage the risks. For consumers that is their personal choice.
For a business, however, the effect of data breaches is subject to a “multiplier effect” where a single event can have a serious impact throughout the ecosystem of stakeholders dependent on that business – including employees and their families, suppliers, customers or service users, financial institutions, insurance companies; the list goes on.
An often quoted statistic is that 80 per cent of cyber security risks can be tackled by 20 simple-to-implement preventative steps. Our experience suggests that organisations undertaking a structured and supported programme improve their security significantly. The UK government introduced a relatively simple “light touch” assessment process in the form of Cyber Essentials and Cyber Essentials Plus in 2014. Having supported companies of all types around the UK, we can attest that this programme proves that even companies with a modest budget can significantly improve their chances of being secure in the face of growing cyber threats.
Being aware and then being prepared to take steps – even modest small first steps – is a far better strategy for most than “wait and see” or designing the cyber equivalent of the Maginot Line with complex and expensive technical solutions, and is crucial to any company.
Changing technology = changing threats
We live in an era of perpetually accelerating change, as observed by mathematician Vernor Vinge. Nowhere is this more visible than in information systems and interconnectivity. We are witnessing the electronic equivalent of the post-war arms race, with the rewards being unimaginably vast. Unfortunately, basic security is frequently an afterthought and our desire to create an environment where our every need can be achieved by the press of a button or the downloading of an app is undoubtedly exposing us to financial, moral and, occasionally, physical danger.
This new world has created a new language – ‘Internet of Things’ (IoT) has become a common phrase. In very simple terms, it refers to the expanding ecosystem of common ‘appliances’ that now have the ability to connect to the internet – think kettles, heating systems, doorbells and cars, although the list is constantly being added to. In a similar vein to the maxim “what goes up, must come down”, if a device is capable of network connectivity, the obvious corollary is that the network enables connections to the device; meaning that the device can be attacked, hijacked and used for nefarious purposes. It may simply be targeted as a means to an end, i.e. as the vulnerable gateway into a much larger organisation, or it may be the specific object of a hacker’s attention such as a mechanism by which to deliver a ransomware demand.
What can we do?
Businesses can take several tangible steps to protect themselves and their stakeholders:
- Understand potential internal and external threats.
- Think “security by design” when designing processes or implementing new technologies.
- Design and test your security arrangements – consider penetration testing of your networks, run business recovery planning and appoint a retained incident response partner.
It is also important to remember that you don’t have to do this all on your own. You are not alone; there are experts out there who are willing, able and equipped to provide individuals, businesses and private organisations with a range of support activity, incident response and post-attack investigation services.
Security versus compliance
Some business sectors are already a long way ahead in their efforts to remain secure. The major payment card brands mandate that all entities who store, process or transmit cardholder data must be compliant with the requirements of the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standards (DSS). Depending on the transaction volumes of the organisation, this compliance might take the form of a self-assessment or may require independent auditing and validation from an accredited Qualified Security Assessor (QSA). The actual requirements reflect current threats identified against payment card environments and a substantial number of the requirements are fundamental common-sense processes, i.e. complex password enforcement, firewall configuration and a “least-privilege” access regime.
If, however, a business is attacked and payment card data is stolen, a thorough investigation will be required and can only be conducted by an accredited PCI Forensic Investigator (PFI) company of which there are currently only 22 in the world. In addition to the financial cost of the investigation, consideration must also be given to the other intangible expense – loss of productivity, reputational damage and long-term effects on the business. In such cases, it is vitally important to secure the services of a professional, diligent and empathetic PFI company.
It is no use simply treating the PCI DSS requirements as a compliance checklist. The whole essence of the Standard is security. Think security, implement security and maintain security.
Don’t bury your head in the sand
Some simple guidance in conclusion must include:
- Plan ahead – if the worst happens, it is far better to have a planned response ready to go.
- If you need help planning, understanding the risks or ensuring the right technical responses are in place, ensure you get help.
- Retain what external assistance you might require in the event of an incident and get contracts or arrangements in place before any incident occurs.
If you suspect that such an incident has occurred, you have the opportunity to engage a specialist digital forensics service provider who will conduct a post-incident investigation.
Their actions might include deleted data recovery, examination of access log files and timeline analysis to establish culpability.”
– Damian Walton, IntaForensics