In the last 12 months a plethora of high-profile data breaches have occurred, of which 50% were caused by inadvertent human error (up from 31% the year before).
This has highlighted the need for organisations to ensure they have a robust security strategy, as well as strong internal employee controls.
However, despite the fact that in 2015 alone three-quarters of large organisations suffered a staff-related breach and nearly one-third of small businesses experienced similar incidents, many companies are taking risks by underinvesting in data protection.
Last year, 90% of large organisations and 74% of small businesses suffered some form of security breach. Yet of these firms, nearly four in ten (39%) didn’t undertake any further investment in cyber security as a result of the breach.
>See also: A cyber security roadmap
It would seem some firms know the security risks involved in not adequately protecting themselves, but are not prepared to undertake the necessary investment to try and prevent it.
When organisations take this course of action they often fail to quantify the full cost of what a data breach means (particularly in terms of damage to reputation and customer churn) and engender a culture that leaves them extremely vulnerable to attack.
Where are the access points?
Certainly from a technology perspective, unpatched computers and mobile devices make it easier to infiltrate an organisation, but generally the weakest link is almost always human error.
And the majority of breaches are the result of some form of credential theft, whether it’s gaining access through a weak password or though targeted social engineering.
The onus is on an organisation to ensure that the human error element is minimised by technology such as using biometric or two-factor authentication. For example, a PIN that is sent to a phone to confirm access, or fingerprint scan.
Given that 75% of individuals use only three or four different passwords across all of their accounts, two-factor authentication is now a necessity to reduce the potential for human error and keep company data protected.
Building a strategy
To mitigate the internal risks that lead to issues such as company and customer data exposure, a three-pronged approach needs to be taken at an executive level: protect, detect and respond.
To protect themselves, senior management within organisations need to maintain a stance whereby it is assumed that employees (despite good intentions) are the entry point to the majority of breaches, and employees need to be addressed directly and provided with security education and training.
Training around phishing campaigns, advising against “ABC123” passwords and ensuring that your software is updated regularly with the latest security patches all sounds like simplistic advice, but its effectiveness should not be underestimated.
Whilst organisations can guard against breaches by implementing advanced security features like next generation credentials, biometrics and multi-factor authentication, it’s important to consistently remain vigilant.
In a world where cyber attacks are, on average, detected around 243 days after the initial breach took place, continuous monitoring of networks for attacks, vulnerabilities and persistent threats is required.
For instance, when an employee is logged in, whether at work or at home, there should still be processes in place to protect them from cybercriminals. This can include malicious websites and phishing attacks, which can lead to a breach of their employer’s network.
>See also: 11 trends that will dominate cyber security
This way, when the worst does happen, or it is suspected that it has happened, how the organisation responds and how quickly it acts will limit the potential damage caused.
Key questions should be answered before a breach ever occurs so that a seamless response and a process can be put into action and a swift resolution brought about should the worst happen.
Planning to fail
Developing a plan and an owner to keep that plan up-to-date is also an important step, as well as knowing who the key emergency contacts are in every department.
In a breach situation, departments don’t want to be wasting time pulling together names and phone numbers in engineering or PR.
They should also spend time thinking about what the best approach to a breach will be – will they just pull the plug immediately or run a limited email service? How will the team find out where the hackers are in the system and what will they do with them once the information has been obtained? Will they shut them out immediately and report them to the authorities, or monitor their actions, learn from their behaviours and figure out where and how they got in?
By thinking about potential ways of dealing with a breach, it becomes clear that simply shutting up shop and locking out intruders might not always be the best approach.
Even with the best security in place, organisations must always be prepared for a breach and be ready to react quickly using the information and services it provides.
Sourced from Stuart Aston, national security officer, Microsoft UK