The consequences of suffering an information security breach are well documented, and sadly the frequency with which they occur shows no sign of slowing down. The most prominent threat, the so-called ‘bad actors’, is not going away any time soon. These individuals and criminal (often state-sponsored) organisations constantly adapt and change, becoming ever more sophisticated in their attempts to exploit governmental, corporate, and consumer vulnerabilities.
The short-term consequences of an InfoSec breach can include direct fines imposed by regulatory and enforcement agencies, such as the PCI Security Standards Council or the Information Commissioner’s Office (ICO). This month, the ICO reported that it had fined British Airways £20 million (UK Pounds) for failing to protect the personal and financial details of more than 400,000 of its customers in a breach incident that occurred in 2018. Other short-term costs can include the fees associated with the forensic investigation required to establish root cause, and the subsequent investment needed to mitigate the weaknesses in security posture that the investigation identifies.
Longer-term consequences, of course, will include loss of customer trust and reputational damage, both of which are often difficult to recover from depending on the scale of the breach suffered.
With these threats and consequences in mind, businesses must adopt a security-first approach that is endorsed at board level and implemented throughout all aspects of business operations. The good guys need to up their game, stay alert, and do everything that is economically possible to implement suitable controls to monitor and block these threats.
What actions can be taken?
At the heart of cyber security lies our aim of protecting the Confidentiality, Integrity and Availability (CIA) of our information assets. These include physical hardware such as servers and laptops, as well as electronic assets like customer data. Protection is achieved through a range of initiatives that collectively share the common goal of improving the overall security posture and mitigating the risk of CIA being compromised.
Security policies and controls are safeguards to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. They can be classified into several areas which include:
Human error is still the leading cause of data breaches and, according to a CybSafe analysis of data from the UK Information Commissioner’s Office, caused 90% of cyber data breaches in 2019. Some of the common causes of InfoSec data breaches linked to human error include:
Your staff are at the frontline, representing your business and processing personal and business data on a daily basis. In conjunction with technical controls, regular cyber security training for staff is an effective way to educate employees and protect critical InfoSec assets.
Cyber risk management is a cyclical process of identifying, analysing, evaluating, addressing and monitoring your organisation’s cyber risks. Having a robust process in place to manage this cycle will ensure that you are well placed to mitigate the threat of cyber security risks to your organisation.
Businesses should all take the cyber threat seriously and put in place the budget, resources, processes, and controls that are appropriate for their business and specific risk appetite. Often, it will require board-level and senior management endorsement and support to fully realise an effective cyber security strategy, where security really does come first.
Accreditations and certifications like ISO 27001, SOC 2, and Cyber Essentials can be used effectively as a framework for cyber security best practice. They are also a great way to demonstrate commitment and competence in the field, and offer your customers assurance of your ability to handle critical InfoSec assets safely.