  • How to protect your business from cybercrime

    By Vincent Naughton on December 7, 2015

    Ward Solutions can help you protect your business from cybercrime by adopting a holistic security approach


      By adopting a holistic security approach, Ward Solutions can help ensure your firm is not grabbing the headlines for the wrong reasons

      Protecting your business from cybercrime
      Paul Hogan, CTO and Pat Larkin, CEO, Ward Solutions

      The news agenda is regularly dominated by cyber security, usually for all the wrong reasons. Major data breaches, email phishing scandals and downtime of important services regularly grab the headlines.

      The organisations at the centre of these scandals, which have included household names like Sony, JP Morgan and TalkTalk, suffer enormously in terms of financial loss and reputational damage, not to mention the distraction from the organisation’s core business activity.

      TalkTalk’s widely publicised breach last month, which saw around 157,000 customer accounts hacked, is reportedly costing the company approximately €50 million.

      The attraction for cybercriminals is clear. In the well-developed cyber black market ecosystem, financial information like bank account details can be sold for €150 – €200 per account. Credit card details usually go for between €10 and €25.

      In the case of some of the bigger data breaches, such as US retail giant Target in 2013, upwards of 40 million credit card details were reported stolen. The profit potential for the ‘bad guys’ is glaring.

      It’s important to realise that the breaches and scams we read about make up only a sample of the cybercriminal activity taking place on a daily basis. Numerous fraud issues and smaller breaches take place every day that might be classified or don’t make the news agenda.

      Recognising the information security lifecycle

      “Being honest and transparent and committing to making it right helps to rebuild customer trust and repair reputational damage” – Pat Larkin

      Ward Solutions is Ireland and Northern Ireland’s largest information security provider. Our experience has taught us that organisations which adopt a holistic security programme approach are best protected.

      Information security is a continuous journey, not a destination that can be arrived at. We encourage organisations across Ireland to realise this and move away from a primary preventative-based approach, which usually centres on IT controls only.

      We work with businesses to fully secure their assets and incorporate an information security lifecycle, which focuses on people, processes and technology, with the primary goal of minimising risk to the business.

      In our experience, adopting a ‘human firewall’ approach is very effective and can actually yield the best ROI for information security spend.

      This involves investing in an organisation’s team so that they are fully aware of – and continuously trained on – the most likely risks. This will help them know the best ways to avoid cyber threats and mitigate damage when they occur.

      We lead by example in this regard by investing €400,000 annually in continuous training and development. All of Ward’s team members spend at least five per cent of their time engaged in research and development, understanding evolving threats and developing new responses.

      Understanding the risks

      The first step in developing an information lifecycle and protecting a business is to identify its critical information assets, the risks to those assets and the potential impact of those risks on the business.

      We then put in place the necessary prioritised controls and processes to minimise the risks and mitigate the potential damage – the preventative strategy.

      Prevention is not enough, however. Business and IT leaders need to accept that the occurrence of security incidents and events is inevitable, whether it’s fraud, data and service loss or breach.

      A recent report from threat intelligence agency Recorded Future shows that almost half of FTSE500 companies had credentials exposed on well-known ‘paste sites’ used by hackers.

      Our own independent research this year highlights that 48% of Irish organisations have experienced personalised spear phishing attacks, which is just one type of threat.

      In many cases, organisations don’t even realise cybercrime has taken place for months, sometimes even years, after it has happened. Ongoing security monitoring and detection is so important because it helps discover the breach faster and reduce exposure time and damage.

      Planning and learning from mistakes
      Worryingly, many organisations don’t have a sufficient plan in place for when inevitable incidents happen.

      Most have a plan, usually to address compliance requirements, but therein lies the problem. As it is just to satisfy a legal requirement, plans are rarely kept up-to-date and even more rarely communicated, understood or performed in the case of an incident.

      An inadequate response to an in-motion security event can significantly aggravate the damage arising from an incident.

      Worse still, even when the maximum impact of the damage has been felt, many organisations don’t conduct a full investigation and develop measures to ensure it won’t happen again, and that they learn from the incident.

      Organisations that have fallen victim to cybercrime need to undertake appropriate analysis of the cause, or causes, behind it and foster a culture of honesty, transparency and continuous improvement.

      A culture of blame is not the answer. This can lead to quick fixes, hiding the full impact of what happened and missing important elements of the root cause.

      Being honest and transparent and committing to making it right helps to rebuild customer trust and repair reputational damage.

      Embodying this culture leads to people within the organisation being more likely to flag risks or weaknesses before they become incidents, or flag incidents before they become full-blown catastrophes.

      Adopting an information security lifestyle approach

      Developing and implementing this approach requires the skills and services of a highly competent and experienced information security partner like Ward Solutions.

      We can move organisations from a reactive posture, where too little – or too much – money is being spent in the wrong area, to a holistic approach that aligns security spend with risk and likely threats to the business.

      We recently invested in a new Security Operations Centre (SOC) in Dublin, which includes best-in-class threat monitoring, risk assessment and incident response technologies, helping us to define and deploy the right solutions to embed this approach in our customers’ businesses.

      The reasons for adoption are clear – it leads to reduced risks and costs to the organisation in the event of a security incident; reduced reputational damage; revenue assurance; reduced insurance costs; improved credit worthiness; and competitive advantage.

      For further information on how Ward Solutions can help you protect your business, visit www.ward.ie or call 01 642 0100.
      This article originally appeared in the Sunday Business Post, Connected Magazine
