Unsecured and unaware: Why your business needs cyber security policies now!

The federal government has begun the process of introducing Notifiable Data Breach legislation, which will require many businesses and organisations to notify customers at risk of serious harm due to “unauthorised access” to personal and financial information.

It is a small step in the right direction and is sure to increase the exposure and discussion of security and privacy breaches.

Unfortunately, the new legislation will catch many small businesses and organisations flat-footed; hands up if you already have a good security policy in place. I didn’t think so.

So, let’s take a moment to talk about cyber security: why it’s important, and how it affects everyday businesses, government departments and organisations. More importantly, we’ll take a look at what positive steps you can take to improve your own security, reduce your risk of cyber attacks and protect yourself from data breaches.

In this two-part series we are going to take a look at the foundations of good cyber security: Business rules and security policies.

Part one will examine the background of security issues and the changing tide of privacy and information security.

In part two, we’ll help guide your security policy development by providing you with a simple framework for thinking about your organisational needs and how you can mitigate risks.

While mass data breaches are a serious problem, they’re not necessarily any more destructive than a small breach of private user data

By the end of these articles, you should understand why security matters, why there’s no such thing as a “small breach”, why every breach needs to be handled with due care and responsibility, and some non-technical tips for developing, improving and implementing your own business security policies.

These articles will also help you facilitate your own security discussions. I also hope to provide a resource that you can bookmark, and check back with from time to time (a security health-check so to speak).

How did we get here?

2) We’re going to get hit anyway, there’s not much we can do about it.

For many it seems that cyber security problems are insurmountable, and attacks inevitable. This type of thinking is dangerous and plays in to the hands of hackers and malware authors. The reality is that there’s plenty you can do to raise the security bar, and protect your business and your reputation.

Step back and think about all of your information technology concerns: Chances are you’re running servers that are under capacity; operating systems that haven’t been updated; systems that have been developed in house but are no longer supported; unmaintained websites; a mess of shared folders used for ad-hoc file sharing; shared administrative logins and passwords.

Perhaps you recognise some of these issues; maybe you recognise all of them. These issues create an environment primed and ready for a cyber security breach.

IT isn’t the strong suit of most businesses. Furthermore, IT resources are often stretched, so allocation of resources to anything other than a crisis just doesn’t happen.

The lack of security focus in businesses and organisations is a real problem. At the moment, we seem to be happy to turn a blind eye to security breaches.

We collectively allow incidents to occur, and apologise for the consequences later. This lackadaisical acceptance of mediocre security feeds back on itself by reducing security through inaction and rewarding hackers with easy targets.

So, with no momentum, and no imperative, it seems many have adopted a strategy of doing nothing — why waste resources and effort improving the security of your organisation?

With limited security capital, even motivated businesses are often paralysed, wondering how to begin addressing their security issues.

The tide is turning

Clifford Stoll weaves a fantastic tale in The Cuckoo’s Egg, in which he tracks a hacker through the computer systems of Berkeley University. Much of the book talks about the openness of computer systems. Easy access and an open door policy were widely regarded as a virtue by system administrators and academics alike.

Over time, the calibre of hackers increased, and the motives of some hackers changed: from curious research to espionage and malicious damage. The easy accessibility and connectivity of these Internet-connected computers turned from virtue to liability, almost overnight.

So, while the most recent network and data breaches seem to be zero-consequence events, public perception and regulators are starting to catch up.

The tide is turning, and unless all organisations step up to protect themselves and their clients, they could soon find themselves on the rocks — facing either a PR nightmare, or a breach of our new privacy laws.

An ‘insignificant’ breach

All breaches need to be handled with the appropriate level of care and sensitivity.

I’ve personally seen the effects an ‘insignificant’ data breach can have on small businesses. What initially starts as the exposure of a mailing list can quickly open the door to malware, ransomware attacks, phishing and similar scams.

The Australian Competition and Consumer Commission’s Scam Watch website is a great resource for understanding the latest trends. Most of the ACCC’s Scam Watch recommendations break down to a combination of: awareness and education; protection of computers and networks from malware and viruses; and, most importantly, clearly defined business policies and procedures.

Implementing a few basic security safeguards and business rules can go a long way to help protect your business and your clients.

Learn from the past

If you’ve read about malware attacks, or know of businesses that have been hacked, try to learn about the types of problems they’ve had with their breach and recovery.

The more you understand about the history of security breaches, the more prepared you’ll be to protect yourself and your organisation.

While technology failures such as ineffective virus scanners or broken firewall rules certainly play a part in data breaches, good security policies will leave you well positioned to cope with cyber security threats.

How to begin?

Cyber security is an issue to be taken seriously, but what is needed is a deliberate, methodical approach — the sky isn’t falling (not today at least). Work to understand your business technology landscape. Identify your information assets, access requirements and security capabilities. This will show you what you have and what you need to protect.

Once you’ve identified what’s important to you then you’ll need to identify your problems. While there is a significant technical element to troubleshooting and securing networks and devices, many of the problems facing smaller businesses and organisations are due to lack of clearly defined policies.

Good clear policies are the cornerstone of developing a strong and secure business. This is because your policies will drive everything from what computers and devices you select, to how your servers and email are configured.

It’s important to get the balance between security and accessibility right. If your security policies are too strict, you’ll quickly find that your users (staff, management and even clients) will find ways to circumvent them.

Sometimes security policy failures are a sign that they’re restricting your business activities too much. Other times these failures are a sign that your users don’t share your security values.

Your goal: Raise the bar on security

  • Understand your business environment. What data do you need to operate your business; what data do you need to protect; who should have access to the data; what technologies do you have at your disposal; what are the ramifications of a hack or malware infection; and, what budget (if any) is available to improve your security defences.
  • Run non-technical “what if” scenarios. For each of your information assets and technologies, ask yourself: “What if this data is accidentally erased?”, “What if this data is stolen by a disgruntled employee?”, “What if this server is hit by lightning?”
  • Develop and document security policies to address the most serious “what if” scenarios. Your policies should be written in short and easy to understand non-technical statements that capture your goals and requirements.
  • Implement the policies using whatever technologies or expertise you have at your disposal. Working with your IT team, get them to find solutions that minimise the risks of these events.
  • Rinse, and repeat on a regular basis.

Security is a process — start now

If you don’t know where you come from, then you don’t know where you are, and if you don’t know where you are, then you don’t know where you’re going.

Security policy 101: How to develop security policies for your business. Quick and dirty guide to security policy creation.

Nikolai Hampton holds a Master's Degree in Cyber Security and is a director of Impression Research. He consults on matters of privacy, security, digital forensics, and incident response. His focus is on the correct application of cryptography. He is passionate about educating business on complex security issues. Follow Nikolai on Twitter: @NikolaiHampton


Copyright © 2016 IDG Communications, Inc.