We urge businesses to proactively protect themselves against cybercrime. KPN's announcement that a server holding confidential customer data was hacked is only one example of the continuous threat from cyberspace.
Last year several prominent businesses and governments saw their security breached and their data compromised.
Looking behind the headlines, I have two main concerns: the first is about the way organisations construct their defences, the second about the way they react when disaster strikes. Many organisations appear to have no plan for preventing cybercrime, or appear not to be aware of the risks their businesses face.
I feel that organisations that hold confidential information, whether their own customers' data or data they maintain on behalf of others, carry a big responsibility, and they should carry it. A sense of urgency is crucial. Do you ever ask yourself: how much data do I actually have? What are the risks if this data is stolen? Think about personal details, but also about business secrets such as formulas, plans or technology that reflect years of R&D investment.
And we should not overlook the risk of damage to brand and image. An example of this going badly is the Dutch certificate authority DigiNotar, which was declared bankrupt in September 2011 after attackers compromised its systems and issued fraudulent certificates; its downfall was caused not so much by the intrusion itself as by its failure to secure its systems adequately and by keeping quiet about the abuse for weeks after discovering it. On the other side there is the example of security firm RSA, which through thorough action and open communication after its own breach came out stronger.
The need for a security plan and proactive approach
We must warn organisations of the growing need for a security plan and a proactive approach that reaches beyond the annual update of the firewall software, and that gives them the means to optimise the security of their data effectively and cost-efficiently.
This is what Aernout Reymer, BT's CSO for EMEA, says: "When looking at the main security issues in the EMEA region, they are very familiar to the security community in other countries. On a daily basis, we're faced with attacks carried out not only by those with a criminal-commercial agenda, but increasingly, by me-too activists looking to promote a cause, make a statement, or cause damage to reputations and profits. This cyber threat has very much become a cyber-reality, and I see no signs of it abating."
The urgency for effective and efficient security is further strengthened by current trends in business:
- The boundaries of business IT networks are fading, illustrated by the use of multiple devices (PCs, laptops, tablets and mobile phones), not all of them provided or maintained by the business itself, that connect to the business's IT network via a mobile or Wi-Fi connection.
- The move to cloud-based services. Not only does 'the cloud' allow universal access, it also often centralises data, so a single breach exposes much more.
- IT departments lack the time, budget or manpower to secure all systems. Often awareness of the risks, and with it support from board level, is lacking.
- Data, including e-mails, is rarely encrypted.
- All software code has bugs, and always will have.
As in chess, I see it as our responsibility to look ahead and, every time the opponent makes a move, to block their path. For this the skills of so-called 'ethical hackers' are leveraged: they act and think like hackers and use the latest and greatest tools available, yet they do not go beyond detecting and reporting the issues they find. This is how we strive to stay ahead in the game. But even grandmasters don't win every time.
No one size fits all
The security needs for digital data differ depending on the organisation as well as on the data that requires protection. Those that see the need for adequate data security opt for a proactive approach and a tailored security policy. Next to threats from outside, such as hackers, there is also the need to guard against threats that come from within the company. Think of confidential information leaking out of a company, often without anyone noticing. I see a big responsibility here for ICT service providers to offer their customers suitable solutions, to ensure that corporate as well as private information is protected. Because as the social and economic value of our networks continues to increase, so too will the incentive for people to attack them.
So ask yourselves the brutal questions:
- Is confidential data stored in your company?
- Are you aware of confidential data leaking from your company?
- Do you have a policy that defines what confidential data is?
- Do you have the means to control this?
To obtain insight into what confidential information is leaking from the company, BT Advise offers the Data Leakage Prevention (DLP) Health Check. This scan gives you insight into the security risks your business faces. Based on the risks identified, BT Advise helps you take adequate measures and create or update a security plan.
Together with you, the DLP Health Check first determines what counts as confidential information. This is based on legislation, such as the Dutch law on the protection of personal data (Wet Bescherming Persoonsgegevens, WBP), and on industry standards, such as those of the Payment Card Industry (PCI). Following that, the information distributed via servers, laptops (including USB ports) and even printers is analysed for a set period of time.
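To make concrete what "analysing what information is distributed" looks like in practice, here is an added example of a minimal DLP content classifier. It is illustrative code written for this page, not BT Advise's Health Check tooling, and the channel records it scans are constructed sample data. It detects the two data classes the paragraph names: payment card numbers (PCI, validated with the Luhn check) and Dutch citizen service numbers (BSN, the personal data the WBP covers, validated with the BSN 11-test). Both validation rules are real; the record layout, field names and the `PCI_PAN`/`WBP_BSN` labels are assumptions of the example.

```python
"""Minimal DLP content classifier (added example, not BT Advise code).

Scans constructed outbound events (e-mail, USB copy, print job) for two
classes of confidential data and reports each hit with the channel and
user involved, masking the value so the report itself does not leak it.
"""
import re
from collections import Counter

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Exactly nine digits, not embedded in a longer digit run.
BSN_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used for payment card numbers (PCI)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def bsn_ok(digits: str) -> bool:
    """Dutch BSN 11-test: 9*d1 + 8*d2 + ... + 2*d8 - 1*d9 must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so reports are safe to circulate."""
    return "*" * (len(value) - 4) + value[-4:]


def find_pans(text: str) -> list[str]:
    """Candidate card numbers that also pass Luhn (plain digit runs that fail are ignored)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_bsns(text: str) -> list[str]:
    return [m.group() for m in BSN_RE.finditer(text) if bsn_ok(m.group())]


def classify(event: dict) -> list[dict]:
    """Return one finding per confidential value found in the event body."""
    findings = []
    for pan in find_pans(event["body"]):
        findings.append({"kind": "PCI_PAN", "channel": event["channel"],
                         "user": event["user"], "value": mask(pan)})
    for bsn in find_bsns(event["body"]):
        findings.append({"kind": "WBP_BSN", "channel": event["channel"],
                         "user": event["user"], "value": mask(bsn)})
    return findings


def scan(events: list[dict]) -> list[dict]:
    return [f for e in events for f in classify(e)]


def summarize(findings: list[dict]) -> dict:
    """Counts per (channel, data class): what leaks where, over the observation period."""
    return dict(Counter((f["channel"], f["kind"]) for f in findings))


# Constructed sample events: the card and BSN values are well-known test numbers.
SAMPLE_EVENTS = [
    {"channel": "smtp", "user": "j.jansen",
     "body": "Hi, the card on file is 4111 1111 1111 1111, exp 12/25."},
    {"channel": "usb", "user": "m.devries",
     "body": "naam;bsn\nP. Bakker;111222333\nA. Smit;123456789"},   # second BSN fails the 11-test
    {"channel": "print", "user": "k.pieters",
     "body": "Invoice 2012-00042, order ref 4111111111111112"},     # 16 digits, fails Luhn
    {"channel": "smtp", "user": "s.visser", "body": "lunch at 12:30?"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(summarize(scan(SAMPLE_EVENTS)))
```

Two design points worth noting: the validators exist to suppress false positives (a 16-digit order reference that fails Luhn is not a card number, and a random nine-digit value that fails the 11-test is not a BSN), and the report masks every value, because a DLP report that reproduces the data it found is itself a leak. A real assessment would add more classes (IBANs, documents fingerprinted from a file share) and observe more channels, but the shape stays the same: define what is confidential first, then measure where it goes.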
Want to learn more? Please contact Griet Bruyninckx (griet.bruyninckx[at]bt.com).