Defeatist attitude to cyber security at fault
Companies need to stop divorcing themselves from cyber security, says Richard Pharro
The 2015 Data Protection Best Practices and Risk Assessment Guides show that from January to June last year more than 30 per cent of data breaches involving the loss of personally identifiable information were caused by internal intrusions.
A further 29 per cent were caused either accidentally or maliciously by employees.
These results confirm the very real world of cyber and data security. All too many businesses imagine threats to their data emanate solely out of the criminal underworld, and are therefore beyond their reach or control.
The impact of this is a defeatist attitude: "If would-be hackers are bent on accessing my company's data, what can I really do to stop them?"
Those threats do of course exist and they are growing – yet the most prominent and pertinent threats to business data relate to human error and data hygiene.
CEOs must now become fluent in the language of cyber security and advance the way in which their companies deal with threats. Security officers should be monitoring their internal workings more proactively and reacting to attacks in a much more dynamic manner.
A security framework should protect from the inside out and outside in as well as along the lines of the perimeter, collecting information and contextualising it to provide actionable intelligence.
Assessing internal capabilities and competencies in all respects is a much more effective way of dealing with the new style of threat and this can be done regularly using capability assessment tools.
Organisations have at their disposal dynamic tools, which can empower companies with a tailored, ongoing assessment of their current cyber security ability to highlight areas at risk. This provides a detailed map of how best to mitigate these factors.
The culture of social media and the lax attitude to privacy that goes with it is a trait that is contrary to business protocol regarding the disclosure of commercially sensitive information. Employees now have the platform to disclose this to potentially large amounts of Twitter and Facebook users but these sites are also significant targets for cyber criminals.
A rigorous policy backed up with regular training must be the solution. Companies should also be mindful that analysis of these social conversations can create security intelligence which in the longer term can feed into processes and enhance security levels within the company.
Data security is now clearly a boardroom issue which must be front of mind for those at all levels within the company. As a baseline solution, passwords should be kept updated and sensitive files should always be encrypted. Regular training on phishing and malware can form an integral part of the prevention process.
Clear visibility puts companies in the strongest possible position so capability and assessment tools can provide much-needed direction in this area.
Cyber security is now an essential part of our interconnected business world and requires the full attention of senior management as pressures increase and mobile integration advances.
Richard Pharro is chief executive of APM Group