Cyber security: how can we turn the corner?

Cliff Moyce: 15 April 2016

Companies that manage data rely on customers being confident that their data (including sensitive / confidential / secret personal details) will be held safe and secure. If this backbone of trust is broken, those using their systems will simply stop doing so. This applies at both a corporate and a consumer level. The particular sensitivities and high level of personalisation and visibility that characterise many modern enterprises make privacy vital for businesses’ continued existence.

Despite the importance of customer confidence in data security, there have been several high-profile cyber security breaches in the past two years in which enormous amounts of sensitive data were stolen. Hundreds of other breaches have occurred in the same period; they just haven’t made the headlines (in some cases, deliberately so). Companies that have suffered losses of customer data include JP Morgan Chase, TalkTalk, Anthem, Ashley Madison, Patreon, and LastPass. Some of the problems suffered have been so severe as to threaten the future of the company.

In 2016 organisations will be keen to ensure they do not suffer the same problem, but how will they achieve that aim? One important step will be for organisations to forget the misconception that data losses are usually the result of technology weaknesses and failures. In fact, it is human failings that are far and away the most common cause of what the press often describes as ‘hacking’.

Developing security policies to mitigate the people-risk in cyber security is no longer enough. In fact, it was never enough. Such policies risk being treated as tick-box exercises, or are created with good intent but are undermined by a culture of poor practice. Education and training in security policies is essential – but even that can fail if the necessary culture change does not happen. This is where the most important change needs to happen in 2016 to avoid repeating the mistakes of 2014 and 2015. All employees need to be trained and examined on best practice for cyber security and data protection.

One important area that is often overlooked is the risk of individuals falling victim to social engineering outside of the workplace. Their compromised status can then follow them into their organisations. It is vital that all staff understand how email attachments, phishing, and impersonations can be used to install malware on personal devices that are also used for work purposes. By this method, login credentials to their corporate network can be lost to ‘bad actors’. At JP Morgan Chase it was an employee’s personal desktop computer that was infected. When that individual logged in remotely to the corporate network via the company VPN in June 2014, the malware obtained access rights to the network. Human errors that had happened previously at JP Morgan (including forgetting to update security software on one server out of thousands) made it possible for the hackers to gain control of 90 servers and huge amounts of data, and steal large amounts of money from JP Morgan clients.

If companies invest in the right training and education for their people, it will result in a renewed faith in data security. This would be a breath of fresh air for a world that is becoming increasingly wary of modern enterprises’ ways of working. One ray of hope is that many organisations are now establishing better security standards and looking for new ways to create more private and secure methods of communication and engagement. Hopefully the outcome will be that people will start to feel more confident in using the apps and services that have so much to offer in terms of personal productivity. But will these improvements represent a triumph for everyone? Sadly, no. The unfortunate loser from tighter security and greater awareness will be the advertising industry, though possibly only temporarily. For advertisers, new security standards will mean that they have to invest in less intrusive forms of advertising. Hopefully that will eventually work for them as well as their current methods do.

To finish on a cliché: every problem is also an opportunity. With knowledge will come greater online security, more educated users of technology, and (even) more sophisticated advertising!

This article was published originally at http://www.techpageone.co.uk on 15/4/2016

Cliff Moyce