While several brands have faked hacks into their own social media accounts for publicity, the more malicious threat of hacking for companies remains.
In the Global State of Information Security Survey 2014, a worldwide study done by PwC, CIO magazine and CSO magazine, it was found that there was an 18% increase in average financial loss due to cyber attacks.
Yet, many organisations do not have plans for responding to insider threats.
Tan Shong Ye, partner at PwC, told Marketing that more than 50% of cyber-attacks are only detected more than three months after the actual intrusion. This indicates that organisations are not vigilant enough and assume that cyber-attacks will not happen to them. Often, he added, the common causes that lead to hacking are companies’ complacency and lack of awareness.
Also, based on several internal surveys of penetration testing exercises performed, 90% of the time the weaknesses that allow the testers to break into an account are ones that are easily preventable.
Protecting your brand
Nonetheless, to protect your company, Tan narrowed his advice down to 10 measures companies should put in place:
1. A written security policy.
2. Back-up, incident response/recovery and business continuity plans.
3. Minimum collection and retention of personal or sensitive information, with physical access restrictions on records containing personal or other sensitive information.
4. Strong technology safeguards for prevention, detection and encryption, including remote wiping of stolen mobile devices.
5. An accurate inventory of where sensitive data, including personal data of employees and customers, is collected, transmitted and stored, including the third parties that handle that data.
6. Internal and external risk assessment of the privacy, security, confidentiality and integrity of electronic and paper records.
7. Ongoing monitoring of the data security and privacy programme.
8. Personnel background checks.
9. An employee security awareness training programme.
10. A compliance programme to ensure that employees and third parties implement the security policies diligently.
He also added that the loss of control over one’s account can then lead to further harm such as identity theft, the loss of large volumes of data and, lastly, “phishing”.
Phishing is another popular cyber-attack method that is hard to protect against because it targets people rather than computer systems, added Tan.
When someone places an attractive offer, such as an interesting news item or article, in an email, on a web page or on a social network site to entice the user to “click”, they could be attempting phishing. The “hacker” in this situation could be leading the unaware user to a fake web page that looks exactly like a banking site or a popular commerce site, which can then lure the user into handing over their password or credit card details.
Cloud Based Services
Tan added that today, with the ease of transferring data from one mobile device to another and to cloud-based storage like Dropbox, Google Drive and iCloud, a simple mistake or careless error can lead to the loss of a huge amount of data.
Seconding Tan was Shaun Walsh, SVP of marketing and corporate development at Emulex, who added that from a security perspective, companies providing enterprise cloud applications usually provide security and data privacy capabilities equal to or exceeding those of most enterprises. However, the same is not true of most “end-user” cloud applications such as Dropbox, which expose enterprises to security vulnerabilities.
This might result in a gap in security that allows for hacking.
“Analysts predict that 40% of servers will be deployed in the cloud by 2020, and the majority of the data centers will be comprised of virtualised servers, networking and storage,” Walsh said.
“When breaches occur where data gets out into the public domain, these are extremely serious and can have a profound impact on customer brand preferences,” he said, adding that it is then the duty of security operations teams to find and eradicate root causes rather than just respond to and resolve issues on an individual basis.
Rise of portable devices
Bringing one’s own device to work has also increased sharply in the past three to five years, mainly because of advances in smartphones and the variety of portable devices available today.
Some organisations have handled this by having two “tiers” of mobile devices: corporate-owned assets whose contents are strictly controlled, and employees’ own devices, which only have “guest” access to the enterprise’s wireless LAN.
According to Walsh, a good starting point is to perform a threat appraisal around mobile devices and devices that employees are allowed to bring in.
He urged companies to ask questions such as: if a device is compromised, or if a compromised device is brought into the network, how will you identify it, quarantine it and “clean” it?
Also, how will that differ for company-owned devices versus those owned by employees and/or contractors?
Companies should also consider what data is at risk on mobile devices.
While email and company directories are clearly at risk, other sources of information, such as intellectual property and customer lists, may be at risk as well.
“When it comes to a security strategy overall, it is not just the ability to detect intrusions, it is managing the privacy of data shared with corporations, physical access to that data, and a thorough understanding of regulatory and privacy issues,” Walsh added.