Whatever type of company you are, it’s reasonable to assume that there are parts of your security you overlook without realising it. The general recommendation is to run audits and checks regularly so that those gaps are found. Such assumptions are easy to make because the tools at our disposal have improved and because security is more of a hot topic now than it used to be.
These kinds of blind spots can come from several places, one being the cloud, said Angela Madden of Rits Group, as people can end up assuming they have a level of protection they didn’t sign up to.
“Around cloud, you think that you have signed up to a certain level of security, but the third party is not doing it,” she said. “You’re not getting visibility because you don’t ask for metrics on a regular basis.”
Another potential area that businesses can overlook is the certifications or credentials a company may hold. While having ISO 27001 or a similar credential is the sign of a company that prioritises security, it’s worth checking whether those credentials are still in date, rather than the company coasting on past glories.
In the worst-case scenario, your service partners could end up being a back door for attackers into your systems. There is more than one way for an attacker to get into a company’s systems, so it’s worth doing the necessary checks to see who’s keeping up with security standards.
“Depending on what the service is, you award a contract to somebody based on a certification, whether it’s PCI certification or ISO certification, whatever it might be and you don’t verify it,” she said. “It might be an annual certification process, but you don’t verify it every year, you just evaluate it the first time you’re doing the evaluation. Then you find yourself in a situation where they’re no longer certified and it may impact the services that you’re subsequently offering.
“It’s all very well people doing their due diligence initially and having their contracts and all the rest, but it’s nearly more important that they do some level of assurance on a regular basis, at least annually, on their service partners.”
On the bright side, businesses are more aware of the risks and responsibilities they have with regard to security. Much of that is down to the greater coverage breaches and vulnerabilities get in the general media.
In the last month or so, situations like WhatsApp’s recent vulnerability, security mishaps like Facebook storing millions of Instagram passwords in clear text, and new vulnerabilities in Windows XP and 7 are all in the public consciousness, and businesses are aware of the damage they can cause.
Unless you’re a small or brand new company, it’s safe to assume that a breach will make the news in some form. When that happens, you want to make sure you’ve put the necessary measures in place so that your reputation is protected and your customers know you’ve taken the measures needed to protect their personal data.
“Organisations are much more aware and it’s because of the publicity that we see,” said Madden. “The big WhatsApp issue (and) Microsoft coming out to say there’s another vulnerability that could potentially be worse than WannaCry hit the news. Anybody who has been breached, it’s news. It’s not just the industry or people in IT, the general public is now aware of all of these things because they’re constantly being told.”
One of the most common ways a company can be breached is through a phishing attack, where bad actors try to trick you into clicking a link or downloading an attachment by impersonating official emails, and that can trip up time-poor employees.
That’s where good practices come into play. Being aware of the tactics that attackers might use – and in some cases, the things that official companies will never do – can help you and your employees navigate some of the more prominent types of phishing attempts. Thankfully it’s something the average person is getting better at recognising, and shows that you don’t have to be an expert to follow good security practices.
“You see online banks saying they will never ring you and ask you for passwords or the rest. Everybody is more aware and it’s not just IT and the IT security industry, the average Joe Soap is aware . . . they’re more tuned in,” said Madden. “It doesn’t mean they’re brilliant at security, but they know what they should be doing, whether they’re all doing it now or not is another thing.”
Much of what businesses need to protect against, be it third parties not securing their own services or phishing, comes back to doing a risk assessment. If you don’t know what you’re exposed to, it’s difficult to protect yourself against attacks or incidents. It all comes back to awareness and knowing where your strengths and weaknesses lie. Once you have that, you can start analysing what exactly will happen in the event of a breach and plug the necessary gaps.
“Take the likes of GDPR, if it all goes pear-shaped, what is the potential impact on the data subjects in terms of their rights?” said Madden. “You’re back to doing a risk assessment to determine what the risks are. From that, you can put your processes and things in place.
“Maybe there are things you can do yourself internally in terms of the data and then look at how long is left to go. If it’s six or 12 months, you may decide if we can put some additional controls around the data yourself. In the meantime, we might live with that risk or you might decide to go out to tender earlier than you had planned with a different supplier.
“There are a lot of different options there, but the first thing to do is a risk assessment to determine the extent of your exposure if you can’t get those contracts signed.”