
Protecting Customer Data – A Brief Guide for Small Businesses and Larger Organisations

November 3, 2015 | Blog

Recent publicity of customer data security breaches at well-known companies has heightened public awareness of the issue, and a recent blog post by Melanie Franklin of the Change Management Institute commented on one aspect of the challenge for corporations: creating and maintaining awareness of employee responsibilities (https://www.linkedin.com/pulse/cyber-security-business-transformation-melanie-franklin). Having worked in numerous organisations in IT and change / transformation leadership roles, I have seen the risks and responses close-up. Reflecting on that experience, here are five recommendations for managing what is a significant and multi-faceted risk, one that affects every business and organisation handling customer and supplier data, irrespective of size.

In the brief recommendations below, I distinguish between cyber security and information security. Cyber security is one aspect of information security risk and is focused on attempts to obtain information through online activity. Information security risk is broader, and also covers attempts to physically remove information from an organisation’s premises without its knowledge or approval.

1. Threat monitoring should be continuous.

For an SME or larger organisation, cyber security threat monitoring should be an ongoing activity. Whether that means deploying effective anti-malware and firewall products on personal devices and internal servers, or entrusting your organisation’s data to a cloud services provider, the activity should be continuous and kept up to date. Cloud services providers are likely to face constant attempts to breach their security, and effective ones deploy state-of-the-art defences to complement constant vigilance.

2. Actively manage the risk.

All organisations actively manage business risk. Cyber and information security risks to the operation and reputation of a business should be afforded the same focus and significance as treasury (fiscal) risk. Where a risk committee exists, they should be a standing item on its agenda. What’s more, given the myriad of vulnerabilities and the sophistication of attacks, the focus should be on mitigation and response rather than on elimination.

3. Embed the individual employee’s responsibility.

Continued effort should be made to ensure that an appropriate level of staff awareness is maintained across the entire organisation. This should be reinforced through an explicit information security policy, compliance with which should be stated in the employment contract of every employee. For temporary workers, contractors and suppliers, compliance should be explicitly stated in the contractual agreements.

4. Don’t let the cyber and information security threat impair doing business.

The IT function, or more specifically the IT security officer or department, will always favour a ‘lock down’ approach to all devices that connect to external networks or can read unchecked media (CDs, DVDs or USB devices). However, with today’s distributed and often ‘virtual’ ways of working, this can end up becoming a ‘disabler’ to doing business. A balance needs to be struck between ‘lock down’ and flexibility. Some ways in which this balance can be maintained include: employee education around cyber security risks and the practices that minimise them; enforced security checking of all detachable storage devices, including music players, mobile phones and tablets; and secure virtual private network (VPN) access to the organisation’s internal networks, protected by two-factor authentication.

5. Secure sensitive customer information, or better still don’t hold it if you don’t need to.

There is no excuse for failing to encrypt customer data held on internal systems, whatever the extent of the legal obligation to do so. Encryption provides an extra layer of protection in the event of a compromise. Moreover, unless it is a specific requirement of the business activity, there should be no need to store complete customer financial data on internal systems at all.

There are specialist payment providers on the market that work with ‘tokenised’ or encrypted customer payment information. Where businesses do capture customer financial and other personal information as part of a transaction, whether through devices such as chip-and-PIN readers or (as still happens) over the phone, it is imperative that the regulatory requirements are understood and implemented. Handling card payment data is subject to the Payment Card Industry (PCI) standards, which are explicit. If data is lost because of non-compliance, the reputational, operational and financial impact can be devastating, both to the organisation and to customers who may become victims of fraud as a result.
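As an added illustration of the last two points (not code from the original post or from any payment provider), the Python below does two things: a small scanner that finds Luhn-valid card numbers sitting in internal records where they should not be, and a constructed stand-in for a provider-side token vault, showing that the merchant record ends up holding only a token and the last four digits. The order records, the test card number and the vault are all constructed for the example; a real provider's vault additionally encrypts its store.

```python
import re
import secrets

# Constructed merchant-side order records. The number in ord-1002 is the public
# Visa test value 4111 1111 1111 1111, not a real card; the 16-digit invoice
# reference in ord-1003 fails the Luhn check and must not be flagged.
RECORDS = [
    {"id": "ord-1001", "payment": "tok_qwertyuiopasdfghjklzxcvb", "notes": "card ending 1111"},
    {"id": "ord-1002", "payment": "4111111111111111", "notes": "taken over the phone"},
    {"id": "ord-1003", "payment": "tok_mnbvcxzlkjhgfdsapoiuytre", "notes": "invoice 1234567890123456"},
]
# 13 to 19 digits with optional space/hyphen separators, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Card-scheme Luhn checksum; removes most numeric false positives (invoice numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Luhn-valid card-number candidates in free text, with separators stripped."""
    found = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in found if luhn_ok(d)]

def scan_records(records: list[dict]) -> list[str]:
    """IDs of records holding a full PAN in any string field: data that should not be there."""
    return [r["id"] for r in records
            if any(find_pans(v) for v in r.values() if isinstance(v, str))]

class TokenVault:
    """Stand-in for a payment provider's vault (constructed; real vaults also encrypt this store).
    Tokens are letters only, so a token can never be mistaken for, or scanned as, a card number."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(24))
        self._pan_by_token[token] = pan
        return token

def merchant_record(order_id: str, pan: str, vault: TokenVault) -> dict:
    """What the merchant keeps: the token and the last four digits, never the PAN itself."""
    return {"id": order_id, "payment": vault.tokenise(pan), "last4": pan[-4:]}
```

Running `scan_records(RECORDS)` flags only ord-1002; a record built with `merchant_record` passes the same scan clean, which is the property an internal data store should be checked against.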

Peter Maddigan is Managing Director of Insubric Limited.

Want to learn more about how to protect your systems and data from cyber threats, or about industry and regulatory standards for handling customer data?

Contact Peter at Insubric: peter.maddigan@insubric.com
