I recently read an article in the @TheEconomist (April 8 edition) entitled The Myth of Cyber Security, a somewhat depressing article on the poor state of cyber security globally. The author discussed numerous reasons behind the current problems:
- Software complexity and speed of development
- Users' failure to protect themselves
- The technology industry's inability to self-regulate and accept liability for product flaws
The last point drew comparisons to the car industry in the early 1960s: it was not until the government forced the industry's hand on safety that its attitude changed. The author considered that additional government intervention could likewise benefit the technology sector, with examples including increased reporting requirements for companies that are hacked, forced default password changes and legislated timeframes for fixes to "at risk" products.
I'm not so sure. Unlike the car industry, the technology industry is in a never-ending battle with entities and individuals trying to gain unauthorized access to data and intellectual property, whether for extortion, sabotage or theft.
In 2016 we have seen interference with electoral processes, approximately $80 million digitally stolen from the Bangladesh central bank and a DDoS attack on the Australian census, to name but a few. Ransomware activity continues to trend upwards, with the cost of unlocking a device now up to US$1,200.
Toolkits for malware, ransomware and trojans can be bought for between US$200 and US$1,800, so just two successful ransomware attacks are enough to recoup the most expensive kit and generate profit from that point on.
The battle will never end, so rather than rely on government intervention, we should be continuing to promote and adopt best practices wherever possible:
Basic steps to follow:
- Educate your staff (and your family!). Home security is often weaker than that imposed at work, leaving us exposed.
- Use available tools for better password management, e.g. LastPass, RoboForm or Dashlane, and have a robust password policy: no sharing, no repetition, and an appropriate length and mix of characters as the bare minimum.
- Perform a business impact analysis and document the recovery steps:
  - What if ransomware is encountered?
  - What if your website is hacked?
- Test your business continuity plans continually. The days of an annual BCP test are long gone.
- Conduct penetration tests on key applications, networks and infrastructure.
- Ensure robust firewall, antivirus and intrusion detection processes are implemented.
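The password policy item above (length, mix of characters, no repetition or reuse) is easy to state but often checked loosely. The following Python script is an added example written for this post, not code from Protecht or from any of the password managers named; the thresholds (12 characters, three of four character classes, a five-entry history) and the sample passwords are constructed assumptions, not values from a standard. It checks a candidate password against the policy and against a history of earlier passwords kept only as salted PBKDF2 hashes, so reuse can be refused without the old passwords ever being stored in clear.

```python
"""Password-policy check: length, character mix, repeated patterns and reuse.

Added example for the checklist above. Thresholds below are assumptions.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy thresholds: assumed values for this example, not from any standard.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 100_000


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol classes appear."""
    classes = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    )
    return sum(any(ch in cls for ch in password) for cls in classes)


def is_repeating(password: str) -> bool:
    """True if the password is a shorter unit repeated, e.g. 'abc1!abc1!abc1!'.

    A string is periodic exactly when it occurs inside itself doubled at an
    offset smaller than its own length.
    """
    doubled = password + password
    return doubled.find(password, 1) < len(password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class PasswordHistory:
    """Keeps the last HISTORY_SIZE salted hashes to block reuse."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    def contains(self, password: str) -> bool:
        # Re-derive with each stored salt; constant-time compare on the digest.
        for salt, digest in self._entries:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def add(self, password: str) -> None:
        self._entries.append(hash_password(password))
        self._entries = self._entries[-HISTORY_SIZE:]


def check_password(password: str, history: PasswordHistory) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if is_repeating(password):
        problems.append("built from a repeated pattern")
    if history.contains(password):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    hist = PasswordHistory()
    hist.add("Winter-2016-Budget!")
    samples = (
        "short1!",
        "abc1!abc1!abc1!",
        "Winter-2016-Budget!",
        "Correct-Horse-47-staple",
    )
    for candidate in samples:
        print(candidate, "->", check_password(candidate, hist) or "accepted")
```

The history check is the part most often skipped: comparing against salted hashes with a per-entry salt means a leaked history file does not hand an attacker the old passwords, and `hmac.compare_digest` avoids leaking which entry matched through timing.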
At Protecht we have adopted the principles of the information security standard ISO 27001 and are certified by an independent body to ensure controls are operating as expected. Ask yourself whether your business should do the same, if it has not already. Equally, if you are looking for new technology service providers, ask them the questions above to ensure that they take your security seriously.
We live in a technology-addicted era that comes with its own unique set of risks. To participate in it, we need to remain vigilant and continue to work on our defenses. Given our experience of going through our ISO certification process, Protecht is able to help you implement an appropriate Information Security Management System within the Protecht.ERM system.
If you are interested to know how and why more and more companies are using Protecht.ERM to manage their risk frameworks including their information security, please contact firstname.lastname@example.org.