Technology now underpins almost every business, and security incidents are reported on a daily basis. An incident may be the result of a sophisticated malware attack, a good ol' virus or even an inside job. What we do know is that companies and individuals need more training and education on this topic. Most attackers do not single out a particular company; they blanket-target many organisations in the hope of finding an exploitable security gap and taking what they want. This approach requires very little effort, because it is automated with dedicated exploitation tooling and the attacker never needs to be present.
IT departments face the ongoing challenge of playing catch-up with the attacking community. New methods of breaking into a system, bringing one down or simply exploiting a newly discovered gap in the network appear daily. With this in mind, it is no surprise that humans remain the weakest link: there is only so much security awareness training that can be delivered before it starts to interfere with the employee's day-to-day job. In addition, training material is often behind the times, so users do not learn about new attacks until months after those attacks have been 'let loose into the wild'.
We have all read articles and surveys stating that humans (or employees) are the weakest link in most networks. This is usually because people apply security measures inconsistently and routinely breach the most basic principles. Here are a few examples:
- Sharing login credentials
- Sharing private client information on social media
- Using unencrypted storage devices, e.g. USB keys
- Emails sent to the wrong person or distribution list
The list could go on, but we get the idea. These failures are not confined to the use of the corporate network; they also open the door to external threats such as phishing emails and social engineering.
The more serious incidents involve the handling of Personally Identifiable Information ("PII"). As a Data Processor, you have agreed to adhere to the security standards for protecting any personal information you hold on an individual. Here are a few examples of PII incidents that companies have reported:
- Unencrypted laptops lost or stolen
- Lost mobile devices
- Lost or stolen electronic files that were never reported as missing
- Loss of physical documents
The loss of such data should be reported to the Information Commissioner's Office ("ICO"), which will investigate and may impose a fine. That investigation will involve not only the IT department but also the HR department, a legal representative and a Privacy Officer. As we know, security is not always the most pressing priority when running a business, and many employers would rather gamble that 'it will never happen', but there are a few relatively basic and fundamental steps that should be taken to protect a company:
- Security Awareness Training
- Encrypting any data in transit or stored off-site, including data held on laptops and removable media
- Destroying sensitive or confidential data securely once it is no longer needed
- Requiring longer and more complex passwords
- Procedures detailing when and how to report any 'strange' activity on the system
- Strengthening the corporate Acceptable Use Policy (AUP) to include defined security procedures
However, such preventative measures do not produce a fully secure environment. When a security incident does occur, an employer needs to know what remedial steps to take, and needs to have decided them in advance; the old adage 'prevention is better than cure' has seldom been more pertinent, but a company still needs a cure ready for the day prevention fails.