When an organisation experiences a security breach, it can be a chaotic and unsettling time. Apart from stirring up emotions that wouldn’t be out of place in a Matrix movie, it should also remind leaders to think about introducing long-term measures that can lessen the chances of it happening again.
CREDIT: This is an edited version of an article that originally appeared on Business Advice
Responding to a breach when it happens is one thing, but implementing long-term strategies to ensure it doesn’t happen again is even more important.
Here’s what three business leaders have to say about ‘planning for the future’ where cyber-security is concerned…
“Educate staff about phishing” – Alistair Sergeant, CEO, Purple
“Some of the world’s largest data breaches have resulted from phishing emails because staff members simply couldn’t tell the difference between legitimate or scamming correspondence.
“Investing in educating staff members on cyber-security risks, and the potential impact any breach can have on their own personal data, will help them understand the severity of phishing and ensure they are united in protecting the organisation too.
“Cyber-thieves and hackers have become increasingly intelligent. Implement simple, but effective changes and businesses will significantly increase their cyber-security measures.”
“Ensure staff are visible on what needs guarding” – Marco Rottigni, Chief Technical Security Officer EMEA at Qualys
“Rather than looking at the latest and greatest security technologies, you have to go back to basics and reduce what can be attacked in your organisation. This involves cutting down all the exposed areas that an attacker can interact with over the internet; this can be achieved by paying more attention to IT hygiene and improving the awareness of all users.
“What does this mean in practice? Getting an accurate list of all the IT assets that you use, from endpoint devices through to software installed and additional services, like cloud accounts.
“After all, you cannot defend what you do not see; you need to keep dedicated sensor ‘eyes’ on these assets. This can be achieved using sensors that can collect data from all their IT assets. There are free tools available that can provide this service, so the cost should not stop companies doing this.
“Once you have this visibility, you need accurate information. Without accuracy, you run the risk of overwhelming your resources and staff with a tsunami of events to investigate and, unless you want staff to burn out or quit, this isn’t going to work. Prioritise the most important fixes that are riskier first – you can use information from your security partners to help you here.”
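As an added illustration of the inventory-then-prioritise approach described in the quote above (example code written for this edit, not from the article or from Qualys), the script below merges two constructed sensor feeds into one asset list, deduplicates findings that both sensors reported, and ranks the resulting fixes with internet-exposed assets weighted higher. The host names, IP addresses, finding identifiers, scores and the doubling of exposed assets are all assumptions made for the example.

```python
"""Added example: merge overlapping sensor feeds into one asset inventory
and rank fixes by risk. All data and the exposure weighting are constructed
for illustration; none of it comes from the article or from any vendor."""
from dataclasses import dataclass, field

# Constructed sensor feeds. The two sensors report the same web server under
# different names and both report finding VULN-B on it, which is the kind of
# duplication that turns a finding list into a "tsunami of events".
ENDPOINT_AGENT = [
    {"host": "LAPTOP-01", "ip": "10.0.0.5", "exposed": False,
     "findings": [("VULN-A", 7.5)]},
    {"host": "web-01", "ip": "203.0.113.10", "exposed": True,
     "findings": [("VULN-B", 9.8), ("VULN-C", 4.3)]},
]
CLOUD_INVENTORY = [
    {"host": "web-01.example.internal", "ip": "203.0.113.10", "exposed": True,
     "findings": [("VULN-B", 9.8)]},
    {"host": "db-01", "ip": "10.0.0.20", "exposed": False,
     "findings": [("VULN-D", 9.0)]},
]


@dataclass
class Asset:
    key: str                                   # IP address used as the merge key
    names: set = field(default_factory=set)    # every name a sensor used for it
    exposed: bool = False                      # reachable from the internet?
    findings: dict = field(default_factory=dict)  # finding id -> severity score

    def risk(self) -> float:
        # Assumption of this example: an internet-reachable asset counts double,
        # because the exposed surface is what the quote says to cut down first.
        weight = 2.0 if self.exposed else 1.0
        return weight * max(self.findings.values(), default=0.0)


def merge_inventory(*feeds) -> dict:
    """Merge sensor records keyed by IP; each finding on a host is kept once."""
    assets = {}
    for feed in feeds:
        for rec in feed:
            asset = assets.setdefault(rec["ip"], Asset(key=rec["ip"]))
            asset.names.add(rec["host"].split(".")[0].lower())
            asset.exposed = asset.exposed or rec["exposed"]
            for finding_id, score in rec["findings"]:
                # Keep the highest score if sensors disagree on the same finding.
                asset.findings[finding_id] = max(score, asset.findings.get(finding_id, 0.0))
    return assets


def prioritised_fixes(assets: dict) -> list:
    """Return (ip, risk, most severe finding) tuples, riskiest asset first."""
    rows = []
    for asset in assets.values():
        if not asset.findings:
            continue
        top = max(asset.findings, key=asset.findings.get)
        rows.append((asset.key, asset.risk(), top))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    inventory = merge_inventory(ENDPOINT_AGENT, CLOUD_INVENTORY)
    for ip, risk, top in prioritised_fixes(inventory):
        print(f"{ip:15} risk={risk:5.1f}  fix first: {top}")
```

Running it lists the exposed web server first even though the database host carries a finding of almost the same severity; the point is that the raw feeds contained five findings but the merged inventory contains four, and the team works from the shorter, ranked list rather than from every event every sensor emitted.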
“Get the general training in” – Darren Hockley, MD, DeltaNet International
“It’s true that most cyber-security breaches originate from external sources – e.g. hackers and cyber-criminals. However, the biggest threat to digital security is, in fact, internal; it comes in the form of employees who – however unwittingly – leave their businesses vulnerable to attacks in the first place.
“This can occur due to gaps in knowledge, complacency, or just a general lack of confidence when it comes to cyber-security best practice and dealing with threats like phishing and social engineering.
“This is why protecting your organisation, and keeping confidential data safe, doesn’t just rely on the latest high-tech, often expensive, software; rather, it begins closer to home – with ongoing awareness training for staff, and a compliance culture that’s clearly communicated from the top.
“Awareness training is key when it comes to battling the sort of errors in judgement which cyber-criminals hope we’ll make at work, e.g. downloading a document from an unknown email source or reusing passwords across multiple accounts and devices. Remember that, as unbelievable as it sounds in 2019, amongst the top reasons for organisational data-breaches and losses is members of staff using weak passwords!
“Even though we’re all well-versed in the dangers these things pose, without continuous awareness training to keep threats fresh in our mind, it’s all too easy to fall into the criminals’ trap – particularly if we’re busy at work.
“This risk is especially high in organisations that only offer cyber-security training once – say, at induction – or those that use outdated training courses/methods, merely for box-ticking, which don’t engage staff.”