Once again data breaches have made headlines globally, bringing significant negative publicity, impacting consumers who have had their data compromised and prompting the public to question just how safe their personal data is in the hands of others.

I speak from personal experience here; in the last 10 years I have been notified of 5 separate data breaches where my personal data has potentially been compromised, either through the misplacement/theft of devices to criminal events where institutions have been attacked in some way.

The loss or theft of a laptop or storage device is almost always down to human error; either a lapse of concentration or a moment of carelessness that leads to an opportunistic theft. However, whilst human error can be excused in some of these instances, Institutions cannot claim lapses in concentration when they become the target of criminal attacks aimed at stealing personal and private data. Institutions must place their physical/virtual security at the top of the priority list before and not just after a breach.  

What steps should institutions take to protect themselves from vulnerabilities within their external and internal environments? If you need any persuading that the impact of data compromise is high, one only needs to look at the Deloitte report published last month (Beneath the surface of a cyberattack). In addition to the widely accepted impacts of cyber-attacks (reputational damage, investigation costs, notifying customers of breach, increased regulatory oversight, litigation costs and the increased costs associated with retrospective technical improvements), the Deloitte report focuses on the “hidden” costs in the aftermath of a breach, particularly around

• loss of Intellectual Property,
• lost contract revenue and customer relationships
• operational impacts
• Devaluation of brand
• Increases to cost of insurance and debt

Deloitte suggests that the recovery time following a cyber-crime incident could be anywhere up to 5 years.

So where should an institution start to ensure that their cybersecurity is sound? The first area to consider is their external facing systems (websites, online portals) and network accesses (leased lines, routers etc.). These are typically covered by penetration testing as part of an audit function. However, we all know that most organisation only undertake these annually or at best quarterly. Nopsec Labs reported in that in 2014, 22 new vulnerabilities were discovered every day. This equates to 154 new vulnerabilities a week, 660 a month or over 8,000 in the course of a year. Therefore, even running a quarterly penetration test means that between tests nearly 2000 new vulnerabilities could be identified and targeted by cyber-criminal gangs intent stealing your data.

So institutions must become more proactive, and perform these types of tests on a more regular basis. The digital world regularly experiences step changes in the short term, and any industry that stores data should be mindful of that.

External vulnerabilities are only one part of the problem – a company’s internal assets can also be its Achilles heel. As consumers we are regularly reminded that we are responsible for our own security; and ensuring that software patches are always applied, Anti-virus software is up to date and that platforms are fit for purpose.  Within an institution this doctrine should be second nature to ensure that all IT systems, platforms and software are up to date, with security patches applied as soon as they are identified. Only by applying these processes, and monitoring IT assets for exceptions will you reduce the risk of gaps in IT security and lower the risk of being exploited through the application of malware.

By securing your external and internal IT systems, the risk is reduced. However, the next area of vulnerability that must be considered is your employee base. In my next blog I will be looking at how to monitor your systems for exceptions that may indicate that someone within your organisation may have deliberately or inadvertently opened a back door to your systems, your data and ultimately your reputation.