Information Security Breaches – What’s the best security practice?
Do you know what Information Security Breaches are? Do you know the value and impact they can have?
According to the Information Commissioner’s Office (ICO), a data breach basically means “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored”. In my view, it is simply when someone illegitimately enters a private, confidential or unauthorised perimeter.
It is now an offence for a business not to notify the ICO of a data breach, since sharing this information has become a legal requirement. The intention is clearly to raise awareness of Information Security breaches among other companies, so that they step up their security practices and prevent these types of problems from occurring.
Examples of Information Security Breaches
One example of many Information Security breaches that comes to mind is AT&T, which is paying $25 million over a security breach by its own employees that occurred in 2013-2014. Employees unlawfully retrieved network information and other personal data that could be used to unlock AT&T mobile phones. They passed this information on to unauthorised third parties who appeared to deal in stolen phones and needed them unlocked in order to sell them on. Further information can be seen on the Data Breach Today website.
Another example is a Google customer who downloaded a free game from the Play Store and later upgraded to the full paid-for version. Within 18 months, over 600 transactions were charged to her bank account through the Play Store without any notification to, or permission from, the customer. The customer alleges that hackers exploited Google’s inadequate security to do this. She also says she contacted her bank, the police and Google directly to advise that the transactions were unauthorised and should be reimbursed, but has not got her money back. Read the full story on The Register.
The skills gap that heavily contributes to breaches
Cyber-security professionals blame breaches on a gap in skills. According to the seventh annual (ISC)² Global Workforce Survey, “There will be a shortage of 1.5 million information security professionals by 2020”, which shows that the lack of these skills will have a damaging impact on businesses and leave them poorly prepared for the possibility of Information Security breaches.
The number of security breaches decreased slightly compared to last year, but breaches are now much more costly, according to a survey conducted by PwC. It is no surprise that Information Security professionals come at a price to protect the business, but can you really afford to put a price on the value of your data?
Internal Security Practices
Ultimately, it comes down to the preventative measures in place to reduce the chances of an Information Security breach, rather than recovering from one, since a breach may cause irreversible damage. According to Information Age, “2015 is set to see a huge rise in the number of IT professionals taking action to address insider threat in their organisations”. It is encouraging to know that IT professionals are not just planning, they are actually implementing real practices to help secure their firms and be better prepared for people attempting Information Security breaches.
10 Key Practices to prevent Information Security breaches
1. The Information Security Officer
The first step towards establishing any type of security program is to hire an Information Security Officer or, for smaller businesses, to appoint a current employee who has the availability to take on further duties. In addition to time, the business must clearly define the expectations of the Information Security Officer and determine whether the individual is capable of fulfilling the role.
2. End User Acceptable Use Guidelines
A detailed policy should exist explaining what employees can do with their workstations. Employees should be clearly instructed as to what is considered business use, and the risks of using workstations for other, non-work activities, such as downloading software, should be explained.
3. Data Classification and Retention
Lighten your load by classifying exactly what type of data you need and how long you need to keep it. A breach is upsetting, but there is something worse: stolen data that you didn’t even need to keep!
4. Password Requirements and Guidelines
Your employees may not remember the required passwords. The more complicated the requirements are, the higher the chance that they will write a password down somewhere and risk exposing it to others. Therefore, establish a strong password policy and provide some additional training to explain why the policy is set this way, so as to gain employee acceptance.
5. Physical Security
Information doesn’t move itself. Specific rules stating who can physically access your offices and how they gain entry can decrease the chances of an unauthorised individual stealing information. The next step is to ensure that your policy states how physical information is securely stored and destroyed.
6. Software Updates and Patches
What is a software patch? If you’re sat there scratching your head, understand that if you don’t keep up to date with system patches and upgrades, you will be left wide open to basic attacks. If you never update (and you should), your exposure increases enormously. Your best practices to prevent Information Security breaches should clearly document software update procedures and how frequently updates are applied.
7. Third Party Management
“You’re only as strong as your weakest link.” Make sure you give vendors strict guidelines before you provide them with confidential information, and check how this information is treated while in the vendor’s custody, as their lack of information security can heavily impact you.
8. Wireless Networking
Wireless networking has clearly saved many companies time and money in comparison to cabled networks. If you are deciding what type of network connectivity to adopt, always bear in mind that you will need a strong encryption standard to prevent abuse.
9. Employee Awareness Training
It is important to ensure that each of your employees has a basic level of knowledge so they can recognise a situation that could lead to an Information Security breach. This raises the minimum level of security across the organisation and helps reduce the easy attempts at security breaches.
10. Annual Updates and Reporting
Lastly, ensure that all your hard work isn’t wasted by keeping security practices and policies up to date, as this is imperative to minimise threats and risks. Because these threats change daily, you also need to stay constantly in the loop; otherwise you increase the chances of an Information Security breach. An annual review is very good practice, as it shows consistency in the way measures are implemented and is useful when planning future changes.
Create a Successful Policy
The most successful policy to prevent Information Security breaches will be one that blends in with the culture of your organisation rather than being bolted on as an additional requirement. By doing this, the security posture of your organisation is increased with little effort, and it helps reduce the chances of your organisation becoming another Information Security breach casualty on the hit list.
I hope this Information Security blog was useful for you. If you want to go back to basics, the following link will provide you with an introduction to “What is Information Security?”. This may help form the stepping stones to prevent yourself from ever being the victim of an Information Security incident.