BreachExchange mailing list archives

Will we ever get ahead of the hackers?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Aug 2015 17:37:03 -0600

http://www.scmagazineuk.com/will-we-ever-get-ahead-of-the-hackers/article/429016/

Some of the high profile attacks we've witnessed this year include Github,
Uber, and Chris Froome's personal training data. These attacks, amongst
others, demonstrate the vast scale of the problem that so many have had to
deal with and others fear will happen to them.

But behind the headlines – which often focus on which celebrity pictures
have been leaked, or whether America suspects Russia or China is to blame –
the message is clear: hackers are still one step ahead of many
organisations' security procedures. In spite of this, there are ways that
companies and individuals can protect themselves in order to level the
playing field and ensure hacker dominance is short-lived:

Sharing is key – Becoming a victim of a cyber-attack can be devastating for
any company. Not only can it put sensitive data in the hands of the wrong
people, it can have a damaging effect on its reputation with customers. But
in order to get ahead of the hackers, organisations need to work together
to keep them out. This means sharing information about types of attacks,
defence tactics and best practices.

Recently, the US Congress passed legislation to legally protect
organisations that share cyber threat indicators and defensive measures to
help encourage such practices. The two bills drafted this year offer
liability protection for companies that share cyber threat indicators with
the government. These types of measures are essential because they
encourage knowledge sharing between companies, whilst protecting them from
liability, under current law, for divulging details of a cyber-attack on
their organisation.

Education for all – The best way to combat a recurring problem is to
increase awareness and educate people about why it happened in the first
place. Companies should therefore take the time to share usage best
practices at a customer and employee level. Security risks are often a
result of employee or customer mistakes or actions. But this doesn't mean
the onus is only on them.

As a company, it is your duty to have policies in place to educate your
staff about security. Sometimes cyber attackers will use a method as simple
as sending a piece of malware in an email – as we saw with the Target data
breach. But as hackers become more sophisticated, educating employees needs
to go beyond better password management. Think about how users are
authenticated to use the network for example, and how easy it would be for
a hacker to breach. Login processes that require two-factor authentication
can add an extra layer of security to accounts with users logging in from
remote locations. Although you may have protection around company data
inside the network, employees might choose to use their preferred cloud
applications to manage work documents, which may operate outside IT
jurisdiction, putting your data at risk. Ensure you have a policy in place
which specifies which applications employees are allowed to use or even
better, implement a system that manages and secures the identities of
users, rather than every device they use to access the network. Most
importantly, explain to staff why these measures are important and what
they can do to help, encouraging their contribution and compliance in
maintaining security.

Have a plan – If experience has taught us anything, it's that anyone can
fall victim to a cyber-security attack. There's no excuse then for a
business not to have a security plan in place and arm themselves with the
latest technology – such as encryption, DDoS mitigation techniques and
protection for critical apps.

Recent research revealed that over half (54 percent) of businesses lack
security intelligence to protect against cyber threats. Six in ten IT
decision makers also lack complete confidence in their company's cyber
security policies. Organisations need to act now and put a plan in place if
they haven't already, and ensure they're investing in the right
technologies to protect their business and data.

A change in how we handle and look after information, whether as
individuals or businesses, is inevitable. This might be due to a
behavioural change caused by a massive or highly damaging hack that affects
a large number of people – for example, the UK's connected heating devices
being hacked in the middle of winter. Alternatively it'll be
institutionally-driven change – 2015 is likely to see the introduction of
the new EU Data Protection legislation, having implications for the ways in
which data is collected, stored, accessed and secured by organisations.
Regardless, businesses shouldn't sit still and wait for one of the above.
Instead, they should take the lead, implementing their own policies and
security infrastructures. Doing so can help us all get ahead of the hackers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
