Back To Basics: How To Tackle The Human Element Of Today’s Cyber Threats

By Graham Marcroft | November 12, 2018 | Updated: December 30, 2021 | 5 Mins Read

With data breaches up 75% in the last two years according to data from the ICO, businesses should be on the lookout for potential threats now more than ever. Most will look to advanced technology to help protect themselves from cyber attacks that could access restricted data, but what some may forget is the importance of going back to basics. One of the key ways to understand how to protect a business is to recognise why and how data breaches occur in the first place. In doing so, IT leaders can implement the most relevant security procedures and systems to ensure that they do not fall victim to a breach.

While there are many potential causes of a data breach, two of the most crucial to be aware of and act upon relate to people: social engineering and human error. By recognising how these threats can put businesses at risk, IT leaders can be confident that they are implementing the most beneficial processes to help prevent attacks from occurring or having an impact.

Social engineering – the what, why and how

Social engineering is a broad term that encompasses all types of malicious activity conducted through human interaction. Some of the most common examples include phishing emails, baiting (where victims are offered incentives to reveal information), and tailgating (where someone without authentication ‘follows’ another employee into a restricted digital area). But while these are all examples of digital social engineering, it can also include something as simple as a letter pretending to be from a service you use, asking you to change to new – fake – bank details. Go along with this information, and you’d soon discover you’re the victim of a scam.

If an organisation has a platform that partners and customers can access, one action that they can take to protect these users is to introduce a security system that requires a random selection of characters from a password to be entered when logging in. The same process is used by banking websites to ensure that only the correct user can access their account online. Not only does this let the business know that only the authorised user is able to gain access, but this also gives partners and customers confidence that the site they are accessing is protected and secure.
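
One way the character-selection login described above can be checked server-side, as an added example that is not from the article or any particular bank's system. The per-position HMAC storage, `SERVER_KEY` and the function names are assumptions made for illustration; the point to notice is that a failed attempt keeps the same positions, so someone who knows only a few characters cannot refresh the page until a favourable set appears.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key lives in an HSM/KMS, never beside the database.
SERVER_KEY = secrets.token_bytes(32)
MAX_FAILURES = 3


def _tag(user: str, pos: int, ch: str) -> bytes:
    """Keyed tag for one character; cannot be brute-forced without SERVER_KEY."""
    msg = f"{user}\x00{pos}\x00{ch}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enroll(user: str, password: str) -> dict:
    """Build the stored record: one keyed tag per password position."""
    return {"user": user,
            "tags": [_tag(user, i, c) for i, c in enumerate(password)],
            "challenge": None, "failures": 0}


def get_challenge(record: dict, k: int = 3) -> list:
    """Return the 0-based positions to ask for, reusing any pending challenge."""
    if record["challenge"] is None:
        rng = secrets.SystemRandom()  # CSPRNG, not the predictable default
        record["challenge"] = sorted(rng.sample(range(len(record["tags"])), k))
    return record["challenge"]


def verify(record: dict, answers: dict) -> bool:
    """Check answers for the pending challenge; lock after MAX_FAILURES."""
    positions = record["challenge"]
    if positions is None or record["failures"] >= MAX_FAILURES:
        return False
    ok = set(answers) == set(positions)
    for pos in positions:
        # Compare every position in constant time, even after a mismatch.
        supplied = _tag(record["user"], pos, answers.get(pos, ""))
        ok &= hmac.compare_digest(supplied, record["tags"][pos])
    if ok:
        record["challenge"], record["failures"] = None, 0
    else:
        record["failures"] += 1  # challenge stays pinned: no re-rolling positions
    return ok
```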

But it’s not just external security that businesses need to be concerned about. In today’s world where cyber threats can be found left, right and centre, the majority of businesses should already have sufficient spam filters in place to protect their own employees from receiving malicious emails. However, even the best filter in the world will still let the occasional email through, and this is where the issue of human error becomes important.

How to train your humans

The ICO report also found that the majority of self-reported data breaches are caused by human error, with these incidents seven times more likely to occur than those caused by hackers. With this in mind, IT leaders should make training their employees the focus of their cybersecurity efforts.

The introduction of the General Data Protection Regulation (GDPR) earlier this year has led to an increased awareness amongst workers of the importance of keeping private data private. But businesses need to ensure that they are providing adequate training to support their employees’ learning and understanding of how cyber attacks can infiltrate a computer system, and how to make sure that they don’t.

Something for IT departments to consider is achieving ISO accreditation in the ISO 27000 family; these standards reflect a company’s commitment to maintaining a high level of security, and one that reputable service providers will adhere to. For partners and customers of managed hosting providers, for example, having this confirms that the business is consistently maintaining its training of its employees, as well as updating its reporting systems internally. Partners and customers can therefore be assured that their managed host has strong security measures in place that will help to protect their sensitive data from attack. Additionally, with the goalposts of suitable security processes constantly moving, having ISO information security accreditation keeps companies on their toes as they work to ensure that their measures are up to scratch.

Another benefit that GDPR has created, in amongst the challenges that IT teams are facing to be compliant, is the requirement for organisations to not keep hold of data any longer than absolutely necessary. While this causes more work for many, the advantage of this process is that organisations hold less data on their systems, and therefore should a data breach occur there is less information that can be hacked. With this in mind, organisations would do well to ensure that their employees are fully up to date with GDPR regulations, and the new processes around data that need to be upheld.

Every company employs people, so it’s important to recognise that these security measures apply to everyone. By taking into consideration the most common forms of cyber attacks that may lead to a data breach, businesses can ensure that they implement the most relevant processes and systems to help maintain a strong line of defence. Working with a managed hosting provider that is not only ISO accredited but also offers a comprehensive set of security features is an essential way to begin improving cyber security – because when all else fails in your business’ security, your MSP will be there to make sure no attacks slip through the cracks.

Graham Marcroft

Compliance Director

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
