2014 has been extremely eventful in terms of data breaches and cyber attacks. Many have further exposed the vulnerabilities affecting companies, employees and individuals, and put the focus on cyber security. It is important to remember that companies are made of employees, and employees are also individuals and customers. Everyone is susceptible to a cyber attack and it’s everyone’s duty to fight back.
However gloomy the picture might look now, there is light at the end of the tunnel – in order to get there, we all need to learn from those past breaches.
Here are a couple of lessons I believe are important to note.
Know your risks and vulnerabilities
2014 has seen a surge in zero-day attacks and vulnerabilities such as Heartbleed, Shellshock, POODLE and Inception. Moreover, the underground economy is booming, with hack services, malware and stolen credit card details available at affordable prices.
It is therefore essential that organisations are aware of the risks and vulnerabilities they are facing and implement adequate measures to address them. Regular penetration testing coupled with the implementation of information security standards like ISO27001 will help deal with the evolving cyber threats.
Ensure your supply chain is cyber secure
Several companies have suffered a data breach in 2014 following a supplier’s error, including US hardware chain Lowe’s, Montreal-based telecommunications company Bell and retailer Home Depot.
There is hardly an organisation that does not rely on suppliers, so it is vital that senior executives become more rigorous with their suppliers and trading partners when it comes to information risk assurance. If suppliers are going to have access to a company’s data, then it is essential that they are subject to at least the same level of security as the company procuring their services.
Don’t underestimate the importance of strong passwords
Passwords and password management would appear to be at the heart of the cyber attacks that hit JPMorgan and eBay. Choosing passwords that are very hard to guess and changing them often is essential. Furthermore, never share your passwords or write them down.
Having a strong password alone is not enough, however, given the increase in spear phishing attacks targeted at employees. Implementing a staff awareness training programme is equally important to ensuring employees can recognise phishing attacks.
Demonstrate due diligence to your employees
Losing the trust of your customers as a result of a breach can have serious implications on your business, but losing that of your employees can be equally devastating.
Sony Pictures Entertainment’s massive data breach has highlighted a fact that may have been overlooked with other data breaches – namely, that organisations have a duty of care to protect their employees, too (not just their customers.) An employee at Sony Pictures Entertainment has described their fear and anxiety after the hack in an emotional essay.
Organisations should safeguard their employees’ data as rigorously as their own. How else could they otherwise win the trust of their customers and other stakeholders?
Get the CEO involved in cyber security
Finally, on the background of the hundreds of cyber attacks and breaches that have marked 2014, the need for a top-down approach when tackling cyber security has never been greater. If a company is forced out of business (like booking website Hotel Hippo and software collaboration platform Code Spaces), it is the CEO’s responsibility. If millions of customers’ data has been compromised (as in the Home Depot breach), it is also the CEO’s responsibility.
It is essential that cyber security extends beyond the IT department to include the CEO and board of directors.
While the list of lessons goes on, I hope that both organisations and individuals can focus on the most important ones and tackle them step by step. I, for once, look forward to a more secure 2015.