Keeping Your Information Secure
This post is based on the TIG session "What Every Executive Needs To Know About Information Technology Security" by Peter Campbell and the 2015 Verizon Data Breach Investigations Report.
To start off, here are the slides from the TIG presentation. They are written in plain English and cover the topic in an easy-to-understand fashion.
And here is a link to the report.
The Data Breach report is a hefty document, but it is extremely well written and accessible, and it is well worth spending an afternoon reading it. I appreciate that this report is built on hard data, and that it includes its methodology as well as some suggested courses of action.
Something Peter Campbell talked about that was not covered by the slides or the report is the importance of having a data breach policy. Security incidents are unavoidable; having a plan in place ahead of time can reduce their frequency, help prevent them from becoming data breaches, and reduce the severity of the breaches that do occur.
It is a gross oversimplification, but if you don't have time to read through, here are two things you can do to greatly reduce your chances of a data breach:
Educate your staff
Keep your systems updated
Most security incidents are a direct result of human error within your organization. Sometimes someone clicks on an attachment in a phishing email; sometimes they leave their laptop unattended at a coffee shop; other times people add unsafe machines to the office network. However it happens, good education and training can go a long way towards mitigating it.
From the report
“We looked at organization demographics to see if one department or user group was more likely than another to fall victim to phishing attacks. Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments. Then again, opening e-mail is a central, often mandatory component of their jobs.“
Keeping your systems updated can be a bit of a pain at times, but doing so will shield you from a lot. According to Risk I/O (as cited in the report):
“We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE [Common Vulnerabilities and Exposures] was published”.
The bulk of hacking that happens can be likened to trawling: the attackers aren't looking for anything special, just machines. People who are not picky about which system they compromise will go after the easy targets of unpatched machines; why put in the effort to crack an updated machine when there are millions of easier targets to be had? If someone is looking to compromise your network specifically, then in addition to covering technical exploits you will need to watch out for people using social engineering, and if you are in this position you will need to spend a lot of time training everyone in your business.