BreachExchange mailing list archives

Play it safe when it comes to cyber security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 26 Jun 2015 13:04:40 -0600

http://utilityweek.co.uk/news/play-it-safe-when-it-comes-to-cyber-security/1144702#.VY2ASvlViko

Security compromises are becoming an inevitable reality for organisations.
Over recent months we have seen the number of these attacks continue to
rise. From the Sony cyber hacking attack late in 2014 to the more recent
Costa Coffee club breach, it is not only clear that the threat landscape
has changed, but also certain that it will go on changing.

While an organisation can protect itself and its customers by reducing the
opportunities for an attacker, it must also invest to ensure its business
is resilient. This means balancing the controls that protect, with measures
to detect, contain and recover from an incident.

The utility sector faces a two-fold problem. Companies are concerned not
only with the consequences of industrial control or data acquisition
systems being compromised, but also with the fact that the security of
business data is an increasingly vital issue. Over the past few years this
industry has suffered a huge loss in public trust – for two reasons
specifically. First, price and a lack of radical competition in the
marketplace are emotive issues for consumers. Second, consumers place
significant personal information with their utility suppliers and if that
supplier is hit by a data breach, a consumer’s service, in addition to
their personal information, could be at risk.

Because of this, it is no surprise that, according to research from
Fujitsu, nearly one-third (32 per cent) of consumers said that they have
“little or no” confidence in utility companies to manage their data
securely, while one in ten feel that their data is used by utilities to
extract more money from them. In addition, only 6 per cent of consumers
strongly believe their utility company gives them a better service by using
their personal data. These results do not paint a good picture for utility
companies.

The challenge for utility companies – and other businesses too – is to
become more resilient and better manage the costs that would result from a
breach. Cyber insurance cover is not new, but is a topic that continues to
maintain importance in the news agenda. It is a valuable tool to transfer
risk as part of a company’s risk management controls, particularly in
situations where there is a legal or a regulatory requirement for data
breach notification, because it is expensive to notify customers of a data
breach.

The recent research from Fujitsu also found 80 per cent of IT
decision-makers believe more stringent data protection laws are needed in
this data-driven world, while nearly two-thirds (61 per cent) welcome
larger fines for data protection negligence.

It is interesting to note that more stringent laws, such as the forthcoming
EU Data Protection regulation, which will impose new breach notification
requirements and increased fines, are helping to fuel the market for cyber
insurance in the UK.

It is important however, to remember that cyber insurance is only one tool
and, like all insurance, the cost is based on risk. For insurance to be
affordable, a company has to demonstrate that it understands and manages
the risks it faces. In doing so it applies exactly the same principles that
have always underpinned good information security.

Risk can be reduced substantially by attending to the basics of cyber
hygiene, as outlined in guidance such as the government’s “Ten Steps to
Cyber Security”: basics such as ensuring systems are patched and protected
with good passwords. To start to get a deeper understanding of risk, a
company needs to know four things:

•    what information it has, where it is held and what it is worth;

•    what the most important systems are that run the company business;

•    who will be affected, and how, if that information is compromised;

•    who the enemy is, what they are doing and what their motivation is.

Not all organisations need to cover everything, and from this basic
understanding of risk a company can identify its priorities.

By following up with clear and appropriate policies and robust controls that
govern the use of applications, portable media and devices – especially
within businesses that allow people to use their own devices for work
purposes – organisations can ensure data is appropriately protected. Beyond
this, organisations need to bring security into the culture of their
organisation to make sure everyone is playing their part.

In today’s world, all businesses are at risk of a data breach. It has never
been more important to do everything you can to keep personal data safe.
Maintaining the trust of customers has never been more important in a
market where competition is getting fiercer and the customer experience is
paramount. So protect your customers but also be prepared so that you know
what you will do to maintain that trust should the worst happen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/