What is concerning is that it is well established large companies that should have better security, and some are leading-edge tech players that appear to be vulnerable. If Facebook can be attacked and breached how well are you protected?
In 2017 alone, over 18,000 vulnerabilities were recorded in the United States National Vulnerabilities Database.
IT environments are becoming increasingly complex and events like patching, are often an essential occurrence. If a hacker can expose a single vulnerability your systems can soon be compromised. However, most hackers will work on often well-published vulnerabilities.
The UK Government make it clear on their website and it is well worth reading the guidelines in detail.
“You must follow rules on data protection if your business stores or uses personal information.
This applies to information kept on staff, customers, and account holders, for example when you:
- recruit staff
- manage staff records
- market your products or services
- use CCTV
This could include:
- keeping customers’ addresses on file
- recording staff working hours
- giving delivery information to a delivery company
- You must make sure the information is kept secure, accurate and up to date.
- When you collect someone’s personal data you must tell them who you are and how you will use their information, including if it is being shared with other organisations.
- You must also tell them that they have the right to:
- see any information you hold about them and correct it if it is wrong
- request their data is deleted
- request their data is not used for certain purposes”
This is then reinforced if you are FCA accredited;
“Data security is not purely an IT problem, nor is it just a problem for large firms. Firms of all sizes should think carefully about how they secure their data. Having good data security policies and appropriate systems and controls in place will go a long way to ensuring customer data is kept safe. However, you need to make sure your employees understand the policies and procedures and your firm keeps up-to-date when people move on.”
However, having IT vulnerability management in your business today, to maintain and bolster your security is as essential as keeping control of the cash flow.
Vulnerability management may seem like a huge undertaking for a small business, but it does not need to be.
Having risk-based, proactive monitoring of staff to make sure they are accessing or changing data for genuine business reasons, and that they all use good password standards and do not share or write down their usernames and passwords is just the beginning.
The FCA offers comprehensive guidelines and you should work through them to ensure you comply;
“If you have employees who work from home or use laptops and portable devices such as USB sticks and CDs to store customer data, you should be vigilant about the risks of loss or theft. Unencrypted customer data should never be stored on these devices.
Unsecure backup and storage of customer data leave you at risk. We expect you to review your data backup procedures regularly and consider threats from all angles, including the transit or upload process and ultimate place of storage. If your data is held off-site by a third party, you should encrypt it and make sure you carry out regular due diligence.”
During this unusual time with so many of us working from home, it is well worth understanding what security your employees have on their domestic networks.
The FCA also recommends broader security measures
“Customer data can be compromised in various ways and you should also:
- look at the physical safety of your business premises
- have a sign-in book for visitors, with onsite supervision
- conduct enhanced recruitment checks
- conduct credit and criminal record checks on people with access to data
Outsourcing to a third party does not mean you have outsourced your obligations to look after customer data. Therefore, you should carry out due diligence on third-party suppliers before hiring them, try to establish what their vetting procedures are, and ensure that they respect your firm’s security arrangements.”
Being proactive with your vulnerability detection and remediation is the most important action you can do to keep your systems safe. To make it effective requires time, commitment, and resource. It can never be a one-off exercise these days, as the threat is constant, digitally agile, and increasingly sophisticated.
Having a plan and a solution will need reviewing regularly. It has to be comprehensive and cover the whole operational environment, giving you critical insight into your business’s topology;
- Asset inventory
- Software inventory
- Compliance monitoring
- Security intelligence – constant monitoring, analysis, and correlation of user behaviour
- Intrusion and anomaly detection and alerting on network, host, wireless and cloud environments.
- File integrity monitoring
- Platform management and support
- Daily monitoring of system health
- Incident management
- Remediation prioritisation and coordination
- Forensic Analysis
There are very competitively priced specialist providers that you can turn to, who can automate the required alerting and provide the continuous vulnerability monitoring, but you need to remember that ultimately you are responsible for making sure it’s all working and you have controls in place to manage the people access.
The 16 Point Security Check List…
- Understand in detail what Data is at risk
- Understand in detail what IT equipment is vulnerable
- Understand the importance of having up to date licencedand supported software
- What is covered by the IT and Solution vendors you use
- How regular and how secure are your data back-ups
- Have clear IT usage policies well communicated and documented with your employees
- Ensure all your devices are properly firewall-protected
- Where needed make sure you have sufficient UPS protection
- Make sure your networks have the strongest encryption you can implement
- Anti-virus everything and keep it updated
- Keep detailed records of all your equipment
- Have comprehensive records of all passwords and a password configuration and change policy
- Have a clear policy on all recoded media
- Monitor for unauthorised usage
- Only collect data the business really needs
- Have a disaster recovery plan and test it!
Post-Covid the digital economy is only going to gain momentum. Protecting your business in this digital economy is key. With the average cost to a SME of a cyberattack between £35k and £65K, it is well worth the time invested.
Finally it is critical to ensure you have the right digital partner who takes security seriously. ODO was created as an ORACLE SaaS Cloud-based solution to reinforce security, allow the ease of scalability and provide a solution with real sustainability.
Time to optimise your fleet.