Between April and June 2016, the Information Commissioner’s Office opened 545 new data security cases (22% more than in the previous quarter), 50 of which were cyber incident reports. The three most common cyber incidents were:
- Cyber security misconfiguration (28%) – unauthorised people accessing and viewing personal information because of incorrect security settings and a lack of user access management.
- Exfiltration (26%) – unauthorised access and transfer of sensitive information from the data controller’s system to another location controlled by hackers.
- Phishing (18%) – a form of cyber attack based on bogus emails targeting and tricking staff into disclosing login credentials and other valuable information.
These three categories of cyber incident show how cyber criminals exploit flaws and vulnerabilities that are both within and beyond our control – anti-malware software and firewalls can block unwanted traffic, but staff behaviour cannot be controlled, only influenced. That is why any cyber security strategy should take a holistic approach.
People, processes and technology for a sound cyber security strategy
An effective cyber security strategy based on people, processes and technology can dramatically reduce the risk of cyber threats and mitigate the consequences.
- People – the cyber security strategy depends on awareness of cyber threats and best practices that reduce the risk of inadvertent incidents. Staff awareness courses should be rolled out periodically to keep all employees up to date with the latest news and developments in cyber security. Discover our suite of staff awareness e-learning >>
Moreover, companies need specialised staff who can plan and execute the more complex activities demanded by the cyber security strategy. These specialists need training to strengthen their skills and competences. Discover our cyber security qualifications and training courses >>
- Processes – the most efficient way to keep track of internal processes and documentation is through an information security management system (ISMS) based on the ISO 27001 international standard, which is the key to an effective security strategy. Download our free paper “Implementing an ISMS – A really quick introduction” to learn more >>
- Technology – once cyber risks have been identified, the next step is to implement appropriate measures to prevent or mitigate their impact. Secure configuration, boundary firewalls and Internet gateways, access controls and administrative privilege management, patch management, and malware protection are the five security controls mandated by the Cyber Essentials scheme, and can prevent around 80% of Internet-based threats. Download the free guide “Cyber Essentials for SMEs” to learn more >>
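Two of the control areas named above (user access management under "cyber security misconfiguration", and "access controls and administrative privilege management" under Cyber Essentials) come down to periodically reviewing who holds privileges and whether accounts are still needed. The script below is an added illustration, not code from the original post or from any vendor tool: it reviews a constructed list of user accounts against an approved-administrator list and flags unapproved admins, dormant accounts and accounts with no named owner. The account records, the approved list, the 90-day dormancy threshold and the review date are all assumed sample values.

```python
"""Illustrative privileged-account review (added example, not from the original post).

Flags three common access management gaps:
  * an account holding admin rights that is not on the approved-administrator list
  * an account that has not logged in within the dormancy window (or never has)
  * an account with no named owner (shared or generic accounts are hard to hold to account)
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    is_admin: bool
    last_login: Optional[date]   # None = never logged in
    owner: Optional[str]         # named person responsible for the account, None if unknown


# Assumed policy value: accounts unused for longer than this are reported as dormant.
DORMANT_AFTER = timedelta(days=90)


def review_accounts(accounts: List[Account],
                    approved_admins: Set[str],
                    today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every gap found in the account list."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.is_admin and acct.username not in approved_admins:
            findings.append((acct.username, "admin rights not on approved list"))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.username, "dormant account"))
        if acct.owner is None:
            findings.append((acct.username, "no named owner (shared or generic account)"))
    return findings


# Constructed sample data: four accounts as they might appear in a directory export.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2016, 6, 28), "Alice Example"),      # approved admin, active
    Account("bob", True, date(2016, 6, 20), "Bob Example"),          # admin rights never approved
    Account("svc_backup", False, date(2015, 12, 1), None),           # unused service account, no owner
    Account("carol", False, None, "Carol Example"),                  # created but never used
]
APPROVED_ADMINS = {"alice"}     # assumed approved-administrator list
AS_OF = date(2016, 7, 1)        # assumed review date


def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample and return the findings."""
    return review_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS, AS_OF)


if __name__ == "__main__":
    for username, finding in run_review():
        print(f"{username:12s} {finding}")
```

In practice the account list would come from a directory export and the approved-administrator list from a change-controlled record, and the review would be scheduled so that the findings feed back into the process side of the strategy (a documented leavers and privilege-review procedure) rather than being a one-off check.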
Being cyber insecure costs you more than being cyber secure. The money spent on recovering from a cyber attack is better invested in a sound cyber security strategy based on people, processes and technology.