The Information Commissioner’s second report under the Notifiable Data Breaches scheme makes for some sobering reading.
Through April, May and June, 242 data breaches were reported by Australian organisations. Add the 63 breaches reported in the shortened first quarter following the scheme's inception in February, and that's 305 so far this year.
Compare that to the 114 breaches reported 'voluntarily' during the full 2016-17 financial year and you start to get an idea of the true scale of corporate Australia's data security problems, and of what an important piece of legislation the Notifiable Data Breaches scheme is.
Interestingly, both the 2016-17 and 2018 reporting periods showed human error as the second-highest cause of breaches at 36%, with malicious or criminal attacks accounting for 59%. System error came in a distant third at 5%.
The top five sectors reporting data breaches were:
- Health service providers (49 breaches)
- Finance (36)
- Legal, accounting and management services (20 breaches)
- Education (19 breaches)
- Business and professional associations (15 breaches)
Clearly, despite all of the media reports and dire warnings about the need for organisations to lift their game when it comes to cybersecurity, things are not improving; at best, mandatory reporting is exposing a problem that was already there.
A key reason for this is the changing profile of business technology architectures.
Where once people tended to work from one or two locations, and via one, two or occasionally three devices, today's workforce is highly dispersed, constantly connected via multiple devices, and using many different network types (VPNs, Wi-Fi, WAN, ADSL, 3G, 4G and so on).
In this complex environment, how can you and your organisation avoid a breach?
Top 5 tips to prevent a data breach
1) Do a Security and Risk audit
Most organisations discover they have more security vulnerabilities than they supposed, not fewer, once they conduct a security and risk audit.
Risk management is the process of identifying and managing the security risks prevalent in your organisation and it is a fundamental requirement of many regulations, including the Australian Privacy Act and the European Union’s GDPR.
A security assessment is an activity in which an organisation identifies its current security posture, and the weaknesses and vulnerabilities in the security policies, processes, practices, staff behaviours and technologies it actually follows. The assessment is an opportunity to understand the security risks in the organisation and to plan how to remedy those vulnerabilities.
An important thing to remember during this process is that it's not just about your organisation. Proper risk assessments demand the examination of key partners and stakeholders too, to get the clearest view of what a security breach might look like from above.
Take, for example, utility companies. Complex grid networks connecting sensors that are in turn connected to the web mean huge numbers of endpoints, contractors and partners, all of which could be vulnerable, especially if they've been left and forgotten for years.
2) Improve people’s security awareness
People are almost always identified as the weakest link in the security chain during assessments.
Frequently, this is because of staff negligence, sloppiness, or a lack of awareness of what an organisation's security expectations are. As such, security awareness training needs to be carried out at least annually to update and remind staff of their security responsibilities and the organisation's expectations when they're performing their everyday tasks.
Brennan IT can help conduct security awareness training within your organisation, by:
- Creating security training material based on your organisational security expectations and industry-adopted best practices;
- Creating a training webinar and a security quiz that will follow the webinar; and
- Tracking coverage and completion of the training.
It might seem obvious, but increasing awareness of security threats and the consequences of succumbing to them takes time and vigilance, because the threats keep changing: there are many different families of malware, and new variants of the same malicious code appear constantly, ready to pop up at any time and wreak havoc.
Educating staff on how to spot unusual or suspicious activity can greatly reduce the risk of attack. For instance, warning people never to open unexpected attachments, including ones that appear to come from a familiar sender, is a positive first step, as is refusing to share passwords or other credentials over the phone.
3) Security policy documentation
This step can be as detailed and thorough as you like, but the first order of business should be establishing clear guidelines and practices around passwords.
Obviously, simple passwords like 'password' or 'guest' should be avoided, and likewise first names or birth dates, as these can be easily discovered by a resourceful attacker; the same goes for trivial variations such as 'Password1!' or 'P@ssw0rd', which cracking tools try first.
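The guideline above is only useful if something enforces it at the point where a password is set. The following is an added example (not Brennan IT's code or tooling) of a password-screening check that rejects the cases the guideline names: entries on a deny list, the user's first name, and the user's birth date, including the leet-speak and trailing-digit variations that attackers try first. The deny list, name and date are constructed for illustration; a real deployment would load a breached-password list instead of the short set here.

```python
"""Password screening check.

Added example, not part of the original article. The COMMON_PASSWORDS set
is a constructed stand-in for a full breached-password list.
"""
import re
from datetime import date

# Constructed deny list; load a breached-password list in a real deployment.
COMMON_PASSWORDS = {
    "password", "guest", "123456", "qwerty", "letmein", "welcome", "admin",
}
MIN_LENGTH = 12

# Common symbol/digit-for-letter substitutions, so 'P@ssw0rd' folds to 'password'.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                       "$": "s", "5": "s", "4": "a", "7": "t"})


def _normalise(text: str) -> str:
    """Lower-case and undo leet substitutions."""
    return text.lower().translate(_LEET)


def _core(pw: str) -> str:
    """Drop trailing digits/symbols ('password1!' -> 'password') then fold."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return _normalise(stripped)


def _date_tokens(dob: date) -> set:
    """Digit strings people embed in passwords for a birth date."""
    return {
        dob.strftime("%d%m%Y"), dob.strftime("%d%m%y"),
        dob.strftime("%Y%m%d"), dob.strftime("%m%d%Y"),
        str(dob.year),
    }


def check_password(pw: str, first_name: str, dob: date) -> list:
    """Return the guideline violations for pw; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    folded = _normalise(pw)
    if folded in COMMON_PASSWORDS or _core(pw) in COMMON_PASSWORDS:
        problems.append("matches a common/denied password")
    if first_name and _normalise(first_name) in folded:
        problems.append("contains the user's first name")
    if any(tok in pw for tok in _date_tokens(dob)):
        problems.append("contains the user's birth date")
    return problems


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user, dob = "Alice", date(1985, 3, 5)
    for candidate in ["password", "P@ssw0rd2023!!", "Al1ce19850305xyz",
                      "correct-horse-battery-staple-42"]:
        print(f"{candidate!r}: {check_password(candidate, user, dob) or 'OK'}")
```

The check deliberately folds substitutions and strips trailing digits before consulting the deny list, because a policy that only matches exact strings lets 'P@ssw0rd1!' through while rejecting 'password'. Run it against the organisation's own deny list and a sample of existing hashes (via a cracking tool, not this script) to see how many accounts the guideline would actually catch.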
Password guidelines should also be shared with trusted suppliers and other third parties, as weak security links often exist at these touch-points at the edge of the company network.
And none of this is of any use unless companies produce clear documentation outlining security policies and procedures, which is then able to be shared in a secure manner with only the intended recipients.
4) Vulnerability assessment technical testing
The price of freedom is eternal vigilance.
As mentioned above, malware is constantly morphing and evolving to evade systems engineers and law enforcement agencies. Security policies and procedures must therefore be tested, monitored and updated constantly for companies to have peace of mind and to avoid having to make a notification under the NDB scheme.
One of the most neglected yet simplest tasks is patch management; even being one update behind on a single system somewhere in your organisation could put everyone at risk. The first place an attacker will look is the furthest edges of your network, where there tends to be less vigilance around patching and therefore more opportunity to gain a foothold and escalate to administrative privileges.
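Knowing which systems are behind requires comparing installed versions against the versions an advisory requires, and that comparison is where naive scripts go wrong ('1.10' sorting before '1.9', or '8.4p1' being unparseable). The block below is an added example (not Brennan IT's code or any product's output) of a patch-lag report over a constructed host inventory with constructed minimum versions; it orders version strings correctly and lists perimeter ('edge') hosts first, reflecting the point above that the edges are where attackers look first.

```python
"""Patch-lag report over a host inventory.

Added example, not part of the original article. The inventory, zones and
REQUIRED versions are constructed for illustration and do not correspond to
any real advisory.
"""
import re
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    zone: str       # 'core' or 'edge' (branch, VPN, contractor-facing)
    packages: dict  # package name -> installed version string


# Constructed minimum versions standing in for vendor advisories.
REQUIRED = {"openssl": "1.1.1k", "sshd": "8.4p1", "kernel": "5.10.46"}


def version_key(v: str) -> tuple:
    """Turn '1.1.1k' into a comparable tuple so '1.10' > '1.9' and '1.1.1k' > '1.1.1'.

    Numeric runs compare as integers, alphabetic runs as strings; the tag
    (0 for digits, 1 for letters) keeps mixed positions comparable.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_behind(installed: str, required: str) -> bool:
    return version_key(installed) < version_key(required)


def patch_report(hosts: list, required: dict = REQUIRED) -> list:
    """Return (host, zone, package, installed, required) for every lagging package.

    Edge hosts are listed first, then by host and package name.
    """
    findings = []
    for h in hosts:
        for pkg, req in required.items():
            installed = h.packages.get(pkg)
            if installed is None:
                continue  # package not present on this host; nothing to patch
            if is_behind(installed, req):
                findings.append((h.name, h.zone, pkg, installed, req))
    findings.sort(key=lambda f: (f[1] != "edge", f[0], f[2]))
    return findings


def fully_patched(hosts: list, required: dict = REQUIRED) -> set:
    """Names of hosts with no lagging package."""
    lagging = {f[0] for f in patch_report(hosts, required)}
    return {h.name for h in hosts} - lagging


# Constructed inventory for the demonstration.
INVENTORY = [
    Host("web-core-01", "core", {"openssl": "1.1.1k", "sshd": "8.4p1", "kernel": "5.10.46"}),
    Host("db-core-01", "core", {"openssl": "1.1.1l", "kernel": "5.10.50"}),
    Host("branch-vpn-gw", "edge", {"openssl": "1.1.1g", "sshd": "8.2p1", "kernel": "5.10.46"}),
    Host("contractor-jump", "edge", {"openssl": "1.1.1k", "sshd": "7.9p1"}),
]

if __name__ == "__main__":
    for name, zone, pkg, inst, req in patch_report(INVENTORY):
        print(f"{zone:5} {name:16} {pkg:8} installed {inst:8} requires {req}")
    print("fully patched:", sorted(fully_patched(INVENTORY)))
```

In practice the inventory comes from the package manager or an agent and the required versions from vendor advisories; the part worth keeping from this example is the version comparison, since a string comparison would report the '8.10p1' host as behind '8.9p1' and miss the genuinely lagging ones.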
5) Security governance
Finally, security deserves the same attention, resources and accountability as any other part of the business, be it accounting, HR or inventory.
In order for security to get its due, it needs to be encapsulated within a proper ‘governance’ framework. This means identifying and allocating responsibility and accountability at key points in the chain.
These people need to meet at regular intervals to provide updates, discuss and allocate budget, human and other resources to stay ahead of the threats.
A good security implementation is incomplete without a dedicated drive from the senior executives of the organisation. It is expected that:
- A security governance structure is formalised, with representation from key heads of business verticals;
- The governance committee meets periodically to discuss security risks, incidents and concerns; and
- The governance committee drives security enhancement within the organisation.
Brennan IT can help set up the security governance structure, hold periodic meetings, provide security assistance and guidance for enhancing security, and formalise actions from these meetings.
Plan. Do. Check. Act.
Connect with Brennan IT today to begin the discussion about how to develop a security strategy that involves informing everyone about the risks currently out there and their individual role in keeping them at bay, or read more about Managed Security.