By Neil Ford
Neil Ford writes about all aspects of information security for IT Governance Ltd, the international provider of best-practice information security solutions.
According to IBM/Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average global cost of a data breach is now US$3.79 million. Although high-profile cybersecurity incidents affecting large organizations like Ashley Madison and the US Office of Personnel Management (OPM) – to use two recent examples – garner great media interest, it’s important not to overlook the fact that small and medium-sized companies also face critical cybersecurity risks every day. Cyber attacks are global, automated, and indiscriminate, targeting every organization that owns or uses electronic information.
Put simply: if you’re connected to the Internet, you’re vulnerable.
Small businesses are mistaken if they think they’re too insignificant to attack. Even if you don’t store financial information such as customer payment details, the data you do hold – such as username and login credentials, employee payroll details, proprietary data, or client information – is valuable to someone. For example, even though your website may not be obviously valuable in itself, the information it holds could be used as a means of attacking a larger organization in the supply chain.
Perhaps most alarmingly, it’s statistically likely that you’ve already been successfully attacked but don’t know it. The majority of intrusions aren’t detected for months, and they are more often discovered by outsiders who notice patterns in the use of stolen data that link back to the breached organization. The 2015 Trustwave Global Security Report found that 81% of data breach victims did not detect the incident themselves, and Mandiant/FireEye’s M-Trends 2015 report found that the median number of days that threat groups were present on a victim’s network before detection was 205. For comparison, criminal hackers take an average of seven days to exploit a newly disclosed vulnerability, according to NopSec’s 2015 State of Vulnerability Risk Management report.
So, what should you do?
People, processes, and technology
The first thing to note is that cybersecurity is a business issue, not an IT issue. Many companies mistakenly believe that technology solves all their cybersecurity problems, but solutions like firewalls, anti-malware, and antivirus programs, though obviously important, only provide partial protection. A robust information security management system (ISMS) should address people and processes as well as technology.
The principle is the same as with physical security: there’s no point spending thousands on monitored alarms, window shutters, and sturdy locks if no one knows to lock up when they leave the office at night.
Passwords are a common point of intrusion. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are chosen by users.
If another website has been compromised and login details have been stolen, criminals will automate attacks using these username/password combinations against other sites to see what else they can gain access to, a technique known as credential stuffing. Password reuse is rife, so the statistical chances of criminals gaining access to multiple sites with a single set of stolen credentials are vast.
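Credential stuffing has a recognisable fingerprint in authentication logs: one source address tries many different usernames, roughly once each, in a short burst, with a high failure rate; the occasional success in that burst is a reused password that has just been confirmed. The following script, added here as an illustration and not part of the original article, runs that detection over a constructed sample of log lines. The log format (timestamp, client IP, outcome, username), the thresholds, and the sample data are all assumptions made for the example; a real deployment would map them onto whatever the web server or identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO-8601 UTC timestamp> <client IP> <OK|FAIL> <username>
# 203.0.113.5 sprays one attempt at each of 12 accounts in 7 seconds
# (two of them succeed); 198.51.100.7 is a user mistyping their own
# password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2015-09-01T10:00:01Z 203.0.113.5 FAIL alice
2015-09-01T10:00:02Z 203.0.113.5 FAIL bob
2015-09-01T10:00:02Z 203.0.113.5 FAIL carol
2015-09-01T10:00:03Z 203.0.113.5 FAIL dave
2015-09-01T10:00:03Z 203.0.113.5 OK erin
2015-09-01T10:00:04Z 203.0.113.5 FAIL frank
2015-09-01T10:00:05Z 203.0.113.5 FAIL grace
2015-09-01T10:00:05Z 203.0.113.5 FAIL heidi
2015-09-01T10:00:06Z 203.0.113.5 OK ivan
2015-09-01T10:00:06Z 203.0.113.5 FAIL judy
2015-09-01T10:00:07Z 203.0.113.5 FAIL mallory
2015-09-01T10:00:08Z 203.0.113.5 FAIL niaj
2015-09-01T10:01:00Z 198.51.100.7 FAIL alice
2015-09-01T10:01:30Z 198.51.100.7 FAIL alice
2015-09-01T10:02:00Z 198.51.100.7 OK alice
2015-09-01T10:05:00Z 192.0.2.9 OK bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, success, user) tuples.
    Malformed lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, outcome, user = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, outcome == "OK", user))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=8, min_fail_ratio=0.7):
    """Flag source IPs that, within any sliding window of `window` seconds,
    attempted at least `min_users` distinct usernames with a failure rate
    of at least `min_fail_ratio`. Returns {ip: summary}; the summary lists
    the accounts that logged in successfully from that IP during the
    burst, which are the ones to force a password reset on."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[3] for e in win}
            fails = sum(1 for e in win if not e[2])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "compromised": sorted({e[3] for e in win if e[2]}),
                }
                # Keep the largest burst seen for this IP.
                if ip not in alerts or summary["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single-account retries from 198.51.100.7 are deliberately not flagged: a brute-force or lockout rule would catch those, whereas credential stuffing spreads one attempt across many accounts precisely to stay under per-account lockout thresholds, so the detection has to key on the source address and the count of distinct usernames.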
Likewise, default passwords for servers and software are frequently left unchanged, and can be exploited by criminals with little to no effort. Misconfigured installations are exposing petabytes of data according to recent analysis by BinaryEdge.
Direct cyber attacks are not your biggest problem, however: the biggest risk you must address is the threat posed by your own staff and suppliers who – whether maliciously or, more likely, inadvertently – expose your systems to cyber criminals.
The IBM X-Force Threat Intelligence Quarterly, 2Q 2015 report found that 95% of insider breaches were the result of human error, such as clicking on malicious links in phishing emails. When every employee can endanger a company with a single mouse-click, staff training is essential.
This will ensure that your employees are fully aware of the information security threats they face and can act quickly and instinctively to phishing campaigns, spam emails, malicious websites, and the like.
Access control and privilege management
Privilege management processes must also be followed to ensure that access to critical systems and information is limited strictly to those who need it. According to Verizon’s 2015 Data Breach Investigations Report, privilege abuse accounted for 55% of insider threats.
Patch management is another major problem. Many organizations’ websites use common, off-the-shelf content management system (CMS) platforms, software, applications, and plugins, which often contain vulnerabilities that can be exploited by hackers. Although patches for vulnerabilities are frequently released, few organizations manage to install them within the recommended time, and a patch that has been public for months is also a public description of the hole it closes.
Verizon’s 2015 Data Breach Investigations Report found that over 90% of attacks exploited known vulnerabilities for which patches were already available: “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years.” According to Trustwave’s 2015 Global Security Report, 98% of tested web applications were found to be vulnerable.
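The practical question behind those statistics is simple to ask and rarely asked: for each component on the site, is the installed version older than the first fixed version, and for how many days has that fix been available? The script below, added as an example for this article and not taken from any product or vendor feed, answers it for a constructed inventory. The component names, version numbers, advisory dates, and the 14-day service-level assumption are all made up for the illustration; a real run would read the inventory from the CMS and the advisories from the vendor’s or plugin maintainer’s security feed.

```python
import re
from datetime import date

# Constructed inventory: component -> installed version (not real products).
INVENTORY = {
    "cms-core": "4.2.1",
    "gallery-plugin": "1.9",
    "forms-plugin": "3.0.4",
    "seo-plugin": "2.5.0",
}

# Constructed advisory feed: (component, first fixed version, fix release date).
ADVISORIES = [
    ("cms-core", "4.2.3", date(2015, 8, 5)),
    ("gallery-plugin", "1.9.2", date(2015, 3, 12)),
    ("forms-plugin", "3.0.4", date(2015, 7, 1)),    # already on the fixed version
    ("seo-plugin", "2.4.9", date(2015, 6, 20)),     # installed version is newer
]


def version_key(v):
    """Turn a dotted numeric version ('1.9', '4.2.1') into a comparable tuple.
    Shorter versions are zero-padded so '1.9' == '1.9.0' and '1.9' < '1.9.2'.
    Assumption: plain numeric versions; pre-release tags such as 'rc1' are
    not modelled here and would need a richer comparator."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))


def audit(inventory, advisories, today, sla_days=14):
    """Return one finding per installed component that is below the first
    fixed version, with the number of days the fix has been available and
    whether that exceeds the patching service level. Sorted oldest first,
    because the oldest open fix is the one attackers have had longest to
    weaponise."""
    findings = []
    for component, fixed, released in advisories:
        installed = inventory.get(component)
        if installed is None:
            continue  # not deployed here, nothing to patch
        if version_key(installed) < version_key(fixed):
            age = (today - released).days
            findings.append({
                "component": component,
                "installed": installed,
                "fixed": fixed,
                "patch_age_days": age,
                "overdue": age > sla_days,
            })
    return sorted(findings, key=lambda f: f["patch_age_days"], reverse=True)


if __name__ == "__main__":
    for f in audit(INVENTORY, ADVISORIES, date(2015, 9, 1)):
        status = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['component']}: {f['installed']} -> {f['fixed']} "
              f"(fix available {f['patch_age_days']} days, {status})")
```

Run against the constructed data on 1 September 2015 this reports the gallery plugin (fix available for 173 days) and the CMS core (27 days) as overdue, and says nothing about the two components that are already at or above the fixed version. The point of the patch-age column is that it turns "we have not patched yet" into a number that can be compared against a policy and tracked week to week.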
The international best-practice approach to addressing cyber threats
For organizations that want to address information security threats properly, ISO 27001, the information security management standard, sets out the requirements of an ISMS (information security management system) – a holistic approach to information security that encompasses people, processes, and technology, and addresses all of the points illustrated above.
An ISO 27001-compliant ISMS enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls, limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.
It requires staff to be adequately trained, their access rights to be suitably controlled, and a best-practice approach to information security to be adopted throughout the organization.
If you’re concerned about your organization’s susceptibility to insider security threats, you need to ensure that everyone in the organization behaves responsibly.
Cybersecurity isn’t just for the IT department – it’s for everyone.
For more cyber security techniques for businesses
IT Governance Ltd. provides a large selection of cyber security and IT-related titles to Safari. For more on this topic, check out “Information Security Breaches: Avoidance and Treatment Based on ISO27001, Second Edition” and “CyberWar, CyberTerror, CyberCrime and CyberActivism, 2nd Edition.”