Are you in the dark when it comes to cyber security?
How much would it cost your business if one of your direct competitors could see exactly how much you were charging customers, or if they had full access to your research and development projects? What about if they could browse through your latest financial information, grab a list of every customer you have had interactions with and their contact details? What if those details were then made public on the internet for everyone to view? How much business would your company lose through reputation damage, being undercut by competitors and losing suppliers?
We have seen many examples of actual and suspected breaches recently which have hit the media. The Government has recently made significant steps to mitigate the risk by introducing the mandatory data breach legislation, which requires companies to disclose when any data is lost to the affected customers and the privacy commissioner. It has been demonstrated that companies who are on the front foot and address data breach issues when they occur in a timely manner, significantly better than companies who ignore or cover them up, so the legislation is a step in the right direction.
The unfortunate reality is that in a world where businesses and people are constantly connected and online through computers and mobile devices, there are greater risks arising and opportunities for the hackers. So, what can your business do to mitigate the risks and opportunities?
The first line of defence is the ‘people’ – this may seem like a backwards approach to what seems like a technical problem, however, in the real-world social engineering in its various forms is significantly easier than most of the real ‘hacking’ techniques. Why go to all the trouble of digging through great tomes of IP addresses, ports and vulnerabilities, trying to find some way in, when you can just call and pretend to be from
the IT team, or one of your suppliers, and obtain the password? Making your people security conscious and aware of what to watch out for and letting them know who to talk to if they have a concern can massively reduce the risk to the organisation. Other things like educating users about password reuse and how to identify scam or spam emails will also help.
The second line of defence relates to the ‘technical’ aspects – this still includes people components, including ensuring you have the right team in place (including outsourcing arrangements), sufficient budget and appropriate processes to escalate issues and concerns directly to the business owners if required. These need to be challenged constantly and VInet has provided independent IT technology and security audits which have been proved to be very beneficial in this regard. Have you also considered the networks of your suppliers, and in turn their suppliers? Asking questions of your suppliers about the state of their IT systems might not seem like a very interesting conversation but remember anything you share with them has the potential to become public information. Asking a few questions, or encouraging them to undergo an IT audit, could turn out to be a cheap insurance. Other technical aspects to consider could include:
• Ensuring there are appropriate firewalls
• Encryption of hardware
• Ongoing security updates being undertaken
• Secure Wi-Fi and network access
• Appropriate Business Continuity Plan and Disaster Recovery Plan
• Physical security of IT assets e.g. server
Cyber security is something which has traditionally been left to IT specialists. However, the risk has become so heightened that it needs to be owned and mitigated throughout your organisation, from business owners, executive management and employees at all levels.