There is a common misconception that technology poses the biggest security risk to business, but it is just one part of the problem. On 14 April, I gave a presentation at the Cyber Security Show in London to explain what companies do that leave them vulnerable to breaches, and how they can lessen the risk.
Time for a Policy Update
One of the areas where companies are leaving themselves vulnerable is by having a lack of security policies. One would think that all companies have policies across their business to prevent something bad happening. In reality, many companies don't put policies in place until something bad actually happens. This month, CompTIA released the Trends in Information Security research, which showed that companies that had changed their security policy were most likely to have done so due to breaches or new technology. Awareness creates action, which is invaluable for tightening security. However, companies should use policies to create awareness — by routinely implementing, updating and communicating them — rather than wait for it to happen through a cybersecurity breach.
Take the recent high profile Target hack. That all boiled down to a stolen vendor ID, through a phishing email. Target did not have the policies in place to secure that entry point, because it was away from point of sale so there was a minimal perceived risk. However, the hacker used this to gain entry and then worked his way through to Target’s point of sales. Target may be able to afford the 46 percent drop in sales they saw after the attack but an SME would never survive.
Balancing Security and Ease-Of Use
It’s true that implementing stringent policies is hard to balance with ease of use and practicality. Many employees now use their own apps and devices at work, which can make the entire IT landscape much harder to manage. After security firm McAfee installed wifi for its staff, they discovered in their first audit that the company’s 10,000 staff members had 60,000 devices on the wifi network. Clearly, managing all these devices poses quite a challenge and doing so without hampering staff productivity even more so.
Our latest research found that just over half of the companies surveyed (52 percent) say greater interconnectivity has complicated their security. As organisations have embraced cloud computing and mobile technology solutions, they have extended the security perimeter, creating new considerations. And with the rise of the IoT we find that lots of devices are not built with the security of an IT system but are connected to them.
Technology is moving fast and every company is more at risk now. Companies need to ensure their security systems are keeping up. If you only do a security audit ever five years it will become outdated very quickly.
Companies also need to be more proactive about testing their resilience in this increasingly complex environment. Our Trends in Information Security research showed that most businesses are satisfied with their own security. I would argue that is only because they haven’t been hit yet. People take risks to save time and money but if something happens, they could lose significantly more than what they saved.
Making Employees Part of the Solution
The same research showed that whilst human error ranks low as a serious concern, companies report that 52 percent of issues in data security are due to human error. Reasons for the issues include carelessness, failure to follow policies and failure to get up to speed on new threats. Clearly, more training is the answer. Only 54 percent of companies in our survey offered some form of cybersecurity training to staff.
Fully certified personnel are by nature more vigilant but security now must be a concern for everyone, and training should follow suit. For this reason, CompTIA is gearing up to launch CyberSecure later this year, a programme to provide fun and engaging training to all staff at the point of induction.
CyberSecure aims to make employees part of the solution not the problem by getting every employee’s knowledge up to a base level and make security considerations routine.
Todd Thibodeaux is president and CEO of CompTIA.