The latest government ‘cyber governance health check’ and a survey of the UK’s top 350 companies revealed that more than two-thirds of boards have not received training to deal with a cyber incident. IT security experts commented below.
Mike Simmonds, Managing Director at Axial Security Systems:
“Ignorance of basic security practices and operations must be at the top of every company’s ‘to do’ list.
“The government has taken the need for education very seriously and has set up accessible bodies to educate at every level of a business, but it is still incumbent on the business leaders to oblige their staff to follow and certify themselves against this training – and re-visit the skills that they have learned on a regular basis – it is vital to stay current.
“Cyber-security is the same as road-safety. It should be taught from an early age, you never stop learning and practicing what you have learned, and it needs to be taken very seriously. When you think that ‘it will never happen to me’ it probably will, or in the cyber-world, it might already have happened, but you have yet to notice.”
Brian Vecci, Technical Evangelist at Varonis:
“Protecting your customers’ and partners’ data might seem like a low bar to meet, but according to a recent survey of IT leaders in the UK, Germany, France, and the US – where GDPR can apply if you’re doing business with European consumers – 75% of companies say they’ll struggle to be ready by the deadline. It sounds crazy, but it will take years for some companies to make sure this data is secured properly. More than half – 52% – say they can’t even find personal information or have any idea who’s got access to it, who’s using it, or when it should be deleted. Even more say they can’t meet GDPR article 17, the “right to be forgotten,” meaning they can’t go out and delete your data if you asked.
“GDPR may help elevate data security and privacy to the top of organisations’ to-do lists, but many organisations are struggling with just knowing where it all is. The threat of heavy fines may help change the economic equation and spur organisations forward, but increasing threats like insider breaches and cyberattacks like ransomware have been helping many organisations make these kinds of changes for years. GDPR mandates some basic, common-sense controls for data that organisations will benefit from following whether they’re subject to penalties or not. Just knowing where that kind of sensitive data is, building privacy and security into the design of the system, limiting who can access it all and monitoring everything will mean that you limit the potential damage of any kind of breach or attack and you’ll know far faster when something goes wrong.”
Marco Cova, Senior Security Researcher at Lastline:
Andre Stewart, VP EMEA at Netskope:
“Businesses must undertake their due diligence. Beyond preparing for an incident, they should be monitoring access to data across both the cloud and on premise. As critical data continues to spread beyond the traditional perimeter network and employees increasingly look to cloud services to get work done more efficiently, this vigilance will become even more important.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“Indeed, this has been a consistent theme of Verizon’s annual Data Breach Investigations Report over the past 10 years. We’ve seen time and again that the majority of data breaches could so easily have been prevented if basic measures and protocols had been in place. For example, we often see that around two-thirds of breaches are traced back to weak, stolen or lost passwords, which could easily be prevented using two-factor authentication.
“Ultimately, we’ll continue to experience the same old problems until organisations start to take cybersecurity more seriously, treating it as a business-level concern rather than an IT problem. The fact that less than a third of boards receive comprehensive cyber risk information clearly shows that this just isn’t the case today.”
John Smith, Principal Solutions Architect at Veracode:
“The government’s Cyber Governance Health Check has highlighted the serious concern among executive board members for the increase in supplier liability when data breaches occur. With Gartner reporting that over 42 per cent of CEOs have begun digital transformation in their business, the consumption of software and applications has risen dramatically – underpinning an increasing number of business operations. However, this introduces increased risk into the organisation, with software vulnerabilities constantly targeted by cyber criminals to insert malware or leak data. And while businesses can mandate secure application development and security testing into their own business, the risk of a supplier being exploited with this attack vector is high.
“Organisations need to introduce governance and controls to ensure that best-practice application security is rolled out across the entire company and its associated partners. This is something that the manufacturing industry, for example, has been particularly strong at – as existing controls have helped them to enforce the mandate anywhere they have an application – both in their own company and with their suppliers. And this kind of security process need not aggravate suppliers or partners; indeed, some forward-thinking companies have actually paid for the necessary appsec solutions to help their partners and suppliers become compliant with their company policies.
“With GDPR on the doorstep, businesses in all industries need to look at how they can ensure that the software and applications that their suppliers are using meet their own security standards. Only this way can they ensure that their suppliers and partners aren’t risking their compliance, and perhaps more importantly their security.”
Dr Malcolm Murphy, Technology Director for Western Europe at Infoblox:
“10 percent of boards surveyed still don’t have a plan in place to respond to a cyber-incident – making themselves instantly more vulnerable. In light of the devastation caused by global cyberattacks already this year, all companies need to ensure they have a thorough plan of response as a matter of urgency.
“DDoS attacks in particular can significantly disrupt an organisation’s services and when this happens a plan of action forms a vital part of the defence. Such attacks are often used by criminals as a smokescreen for other nefarious activity such as data theft or extortion, and organisations need to have a clear process in place to assess the extent of the breach and prevent any further damage.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.