Information security can be expensive – but it’s cheaper than the alternative
Just last week, in the UK, the well-known high street retailer Dixons Carphone had to announce to the financial press that it had been hacked. Large numbers of customers' personal details had been leaked, and this time it was the most sensitive kind of data: payment card numbers alongside names and addresses.
Data leakage is the IT industry's term for the unintended release of confidential information. It is often blamed on insufficient network security, but many of the techniques attackers use target the weakest link in the security chain, and that link is not technology. A great deal of data leakage starts with 'social engineering': manipulating people into granting access, or taking advantage of someone who has not followed the security guidance their organization gave them.
- Network monitoring
In a sense, each of the activities that follow falls under the first thing you should do: monitor your network. Network monitoring gives you a real-time view of the activity on your network and the threats to it. Only when you can see what you are dealing with, and detect changes to it, can you take the proactive steps outlined below to mitigate potential problems.
The concept has been around since the first office networks, and there are now dozens of suppliers, some of which you may never have heard of. Talk to your systems integrator (SI) and take advice on the right one for the particular requirements of your organization and its employees.
- Educate people about phishing and its consequences
Even IT-savvy people can fall for elaborate phishing techniques, and a widely quoted industry figure holds that 91% of hacking incidents start with some form of phishing.
The best advice, according to industry advisors, is regular training that is revisited and reinforced by managers reminding and supporting employees. Unfortunately, as those advisors point out, every IT system involves humans at some point.
- Password protect phones
Your smartphone is the single most dangerous piece of equipment you own from a data leakage point of view. It holds a great deal of your personal information, something an increasing proportion of the population now understands. Less well understood is that it also offers a route into the 'safe' zone behind many business firewalls, and because it is on a mobile data connection almost all the time, it is reachable by an attacker at any hour of the day or night.
Security industry insights suggest that enterprise organizations (typically 500 employees or more) now have effective policies on password protection for phones. Most at risk are small companies, and the smaller the company, the less likely it is to have an enforced policy on phone access.
- Install mobile device management software at your company
Whichever IT service provider or partner ecosystem you use will have a Mobile Device Management (MDM) product suite you can install. As IT budgets migrate to mobility services and cloud spending, knowing which assets a company has in the field, and what they are being used for, becomes far more important.
Mobile Device Management can be expensive. If you think it is too costly to deliver your information security policy through MDM, try not doing it and see what that costs you.
- Ban USB sticks entirely
IBM banned the use of USB sticks across the organization in May 2018. Why? 'The risk of reputational and financial damage is too great,' said Shamla Naidoo, the company's Chief Information Security Officer.
The Pentagon restricts removable media too, and the enormously damaging Edward Snowden story showed why: he extracted information so sensitive that it affected national security using, you guessed it, a USB stick.
USB sticks are now a core part of how offices operate and transfer information, but there are alternatives. Any IT policy has to be accepted by staff to be useful, so work with your team to identify the necessary exceptions (even IBM adapted its original statement to allow driver installation from USB in the end) to keep people committed to the cause.
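A policy like IBM's only counts for something if it is enforced on the endpoint. The script below is an added example (not from the original article, IBM or the Pentagon) of how a Linux host can be made to refuse USB mass storage, plus an audit check a monitoring job can run. It assumes Linux hosts that use modprobe.d; the file name no-usb-storage.conf and the optional prefix argument (so the script can be exercised against a scratch directory without root) are choices made for this example. Windows estates would use Group Policy's removable storage restrictions instead.

```shell
#!/bin/sh
# Added example: enforce and audit a "no USB mass storage" policy on Linux.
# PREFIX defaults to / ; pass a scratch directory to try it without root.

# Write the modprobe configuration. The "install ... /bin/false" lines matter:
# a plain "blacklist" only stops the module being loaded automatically, and a
# user who can run modprobe by hand (or a device that triggers an explicit load
# request) still gets the driver. Making the install command fail closes both
# paths. "uas" is the newer USB Attached SCSI driver many sticks and SSDs use.
write_usb_storage_block() {
    prefix="${1:-/}"
    conf="$prefix/etc/modprobe.d/no-usb-storage.conf"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
# Policy: removable USB mass storage is not permitted on this host.
blacklist usb-storage
blacklist uas
install usb-storage /bin/false
install uas /bin/false
EOF
    echo "$conf"
}

# Audit: is the policy file present with the blocking lines? 0 = yes, 1 = no.
usb_storage_blocked() {
    prefix="${1:-/}"
    conf="$prefix/etc/modprobe.d/no-usb-storage.conf"
    [ -f "$conf" ] || return 1
    grep -q '^install usb-storage /bin/false' "$conf" || return 1
    grep -q '^install uas /bin/false' "$conf" || return 1
    return 0
}

# Audit: is the driver loaded right now? Reads a /proc/modules-style file
# (first column is the module name; the kernel reports "usb_storage" with an
# underscore). 0 = loaded, 1 = not loaded. The config above does not unload a
# module that is already resident, so a fleet check needs this too.
usb_storage_loaded() {
    modules="${1:-/proc/modules}"
    awk '$1 == "usb_storage" || $1 == "usb-storage" || $1 == "uas" { found = 1 }
         END { if (found) exit 0; exit 1 }' "$modules"
}

# Demonstration against a scratch prefix and a constructed /proc/modules
# sample, so it runs without root and never touches the real system.
demo() {
    tmp="$(mktemp -d)"
    write_usb_storage_block "$tmp" >/dev/null
    usb_storage_blocked "$tmp" && echo "policy file written under $tmp"
    # Constructed sample of /proc/modules output for the demo.
    printf 'usb_storage 77824 0 - Live 0x0000000000000000\n' > "$tmp/modules"
    if usb_storage_loaded "$tmp/modules"; then
        echo "driver loaded in the sample; a real host would need: modprobe -r usb-storage"
    fi
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh usb-policy.sh demo` to see it work against a scratch directory; to enforce for real, call `write_usb_storage_block` as root with no prefix, unload any resident driver, and have your monitoring feed `usb_storage_blocked` and `usb_storage_loaded` from each host so a removed or edited policy file shows up as a change rather than going unnoticed.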
A single scandal can ruin a business in the mind of the public, and governments are imposing increasingly severe penalties for information security (infosec) failures. Simply failing to report a breach can now cost an organization millions of dollars.
The ideas on this page are the first steps on the long journey to protecting your information from leakage.