When you start a conversation with someone about Information Security, it will almost immediately turn towards phishing, ransomware, hackers, data protection/the GDPR and other common threats.
While these are certainly important and need to be addressed, there are many other threats that people and companies often overlook.
1. The Internet of Things
We have all heard of the Internet of Things (IoT). Basically, it is a nice way of describing how all devices and “things” can connect together. It is an incredibly powerful concept and, over the last few years, it has left the realm of science fiction and entered normal, everyday life. After all, even if you don’t have an Alexa yourself, I bet someone you know does!
While the convenience of having your heating, fridge, cooker, garage door, lights and alarm system all accessible remotely is very attractive, if someone breaks into just one of those things, they potentially have access to everything. If someone hacks into your baby monitor and your laptop is on the same network, is it protected? With so many people working from home at the moment, this is a soft underbelly which attackers can use to target companies. The CFO with the new baby, the CEO who always has the latest gadgets…
With consumers demanding greater and greater functionality and connectivity, vendors who don’t provide this get left behind. The result is a race to be the “latest and greatest”, where security is often the last thing to be considered.
2. Lack of an Information Security Mindset
Information security is a mindset: a mindset that comes from the top down. The C-suite management must buy into it and that buy-in must percolate through the organisation.
Companies can invest thousands and thousands in the latest firewalls and security systems but, if the InfoSec culture and mindset isn’t ingrained in the organisation, it is only a matter of time before there is a breach.
Too often, security is thought of as being a technology problem. The truth is, security begins and ends with every single individual in your organisation. Little things, like locking your laptop when you get up from your desk or wiping off a whiteboard at the end of a meeting, actually have a big impact when it comes to protecting your company.
Every single employee, from entry-level to C-suite, should have regular InfoSec training. InfoSec posters should be visible throughout the office. Regular penetration testing should take place. If employees walk away from their desk and leave an unlocked laptop, remove it from their desk.
Building an Information Security mindset isn’t something that can be achieved in a week or a month or by any specific action; it is something that is built over time by repeated good behaviours and by example from the top down.
3. Data on Mobile Devices
Mobile devices have become an integral part of people’s work lives. Smartphones, tablets, etc. are being used more and more for work-related activities and are, in many cases, replacing the traditional laptop. However, these devices were not designed for storing data in the way laptops were. Mobile devices are designed for ease of use and ease of connectivity – things that don’t often go hand in hand with information security. While it is possible to lock down these devices and configure them so that data is stored in the right place, this is rarely done. Moreover, company policies to enforce this practice are even rarer.
The amount of personal and company information held on mobile devices is stunning. Furthermore, the lack of security awareness among mobile device users and the ease with which such devices can be compromised makes for a huge security threat. Yet, many companies don’t even have this on their radar.
4. Physical Security
Often companies spend thousands on their IT infrastructure but completely forget about the physical environment. Do you have access control in place? Is your server room locked? Are your offices (and therefore data) easily accessible from the street? If someone from outside your organisation gains access to your office, are your employees trained and empowered to challenge them or alert security/senior management?
Even if you do have access control, do your employees regularly tailgate into the office? When your employees leave in the evening, is equipment and sensitive data securely put away? It is not uncommon to find organisations with top-of-the-range network security whose employees leave sensitive data lying around at the end of the day, fully accessible to third parties such as cleaners.
Physical security, and education around physical security, is an essential part of every organisation’s information security armour.
5. Lack of a Disaster Recovery Plan (& Lack of Training for Disaster)
Most of us instinctively try not to think about disasters; rather, we focus on success. However, organisations need to plan for all of those “what if” scenarios. In times of trouble, having a good (and tested) disaster recovery plan in place can be the difference between the success and failure of a business.
Many organisations have a “plan” written down, gathering dust somewhere. But, in the white heat of disaster, are you sure it will really do its job? And even if it is sufficient, will your employees know how to follow it? Do they even know it exists?
A disaster recovery plan can cover anything from what to do if there is a flood and employees can’t enter the office, to a ransomware attack where hackers have gained access to your organisation’s systems. Once disaster strikes, it is essential that your employees know how to react. Therefore, regular training is vital.
Given the potential for such disasters to be business-ending, it is essential that every business has a robust, and tested, disaster recovery plan in place.
Paul Delahunty is an experienced Information Security professional who started his career as an engineer with Ericsson, before venturing into the start-up world as Operations Director with moQom (moQom provided Identity solutions). With the experience gained in moQom, Paul co-founded ThorsNet, a Cyber Security and Compliance company. More recently, he re-entered the corporate world as Information Security and Audit Manager for Hostelworld plc.
Paul is currently the Information Security Officer with Stryve.