Don't let your firm be the next big data breach headline

“We’re no longer in a situation where it’s a case of ‘if I am going to get breached’. It’s more a case of how often you are going to get breached and how long those people are going to be in for.”

These are the sobering words of cyber forensics professor Dr David Day.

It is extremely important, therefore, to ensure your data security is as strong as you can possibly make it. This article will outline some of the main causes of data breaches, and how you can protect yourself.

Some real-life examples

TalkTalk, the telecoms company, was hit by a cyber-attack in October 2015. The result was 157,000 customers having their personal details stolen – 15,656 of these customers had bank account numbers and sort codes stolen. The hack was widely publicised in the media and TalkTalk lost around 100,000 customers in the months immediately following the hack.

The hack is estimated to have cost TalkTalk £35m in one-off costs (such as calls into call centres and additional IT and technology costs), when you factor in the costs of lost revenue the damage is closer to £80m.

Then there’s the well-known story of Ashley Madison. A group of hackers acting as internet vigilantes hacked the website and stole the personal details of 32 million account holders. What made this hack all the more troubling is that Ashley Madison offered to fully remove user data from their servers for a one-time payment. It became clear that this was a lie when the email addresses of people who had paid to be removed turned up in the hack.

Users whose details were leaked are filing a $567 million class-action lawsuit against the parent company of Ashley Madison. The brand of Ashley Madison is now irreparably damaged. There have also been reports of a number of suicides linked to the hack.

But my company is too small to be targeted by hackers…

Understandable logic, but consider the following facts:

• A PwC survey found that 63 percent of small businesses were attacked by an outsider in 2013
• 57 percent of respondents to this same survey had suffered from staff-related security breaches
• IBM’s “2014 Cyber Security Intelligence Index” found that 95 percent of all security incidents involve human error. Human error can occur in businesses of all sizes, and is often painfully easy to guard against

Is burying your head in the sand really an effective protection?

Practical ways to avoid getting into trouble

Perhaps the best way to identify basic ways to protect yourself is to take a look at some of the common ways human error causes data breaches.

• 61% of staff use file sharing tools or don’t delete sensitive data
• 26% of incidents involve sending sensitive data to the wrong person
• 30% of staff click on “phishing” messages
• 12% will click on malicious email attachments

Microsoft report that 7.52% of all workstations used for web browsing remain on Windows XP and 600,000 internet connected computers run server 2003. Support for Windows XP was ended by Microsoft in 2014 – meaning that for two years all XP machines have been vulnerable to data breaches. If you’re currently sitting, red-faced, in front of your Windows XP computer – it’s time to upgrade.

Furthermore, every year a list of the most popular passwords is released. This year (2016), the top 5 were as follows:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345

Yes, seriously.

So, based on the above facts, how can you be proactive about guarding against data breaches?

• Reduce transfer of data – removable storage devices should be banned outright or at least banned from transferring particularly sensitive data
• Educate your staff on how to look for phishing emails, remind them to check the email addresses they receive their mail from
• Remind staff to change their passwords regularly and ensure that they are hard to guess – preferably, insist they include at least one number and one capital letter
• Shred files – shred all sensitive files and documents once they are used

But how can you go one step further?

Whilst it is important to plug the basic holes in security, you may wish to improve your security beyond the basic level. But if you aren’t an IT expert, how can you possibly do that?

Is it time to outsource your IT for a cloud solution?

By a cloud IT solution, I am not referring to consumer cloud products such as Dropbox and iCloud. Because they are consumer products, they do not require the same security measures that a B2B solution does. I’m referring to a secure, cloud solution from a provider who makes security their top priority.

Ponder the fact that for many managing directors, IT is not their speciality. Indeed, nor is it their interest. Is updating the latest security patches on your company server likely to be high on your list of priorities? Are you likely to be constantly monitoring your server to ensure data isn’t being taken and that there are no malicious files lurking within it?

In contrast, for a cloud IT company, security is a top priority. They will be constantly monitoring their servers and they will be constantly keeping their patches up to date.

What you’re looking for

If you want confidence that your data is in safe hands, you’re looking for an IT company that can boast the following:

• ISO27001 certified – this is the industry standard of data security and is updated every year. A company with this certification has had to prove they deserve it every year they’ve had it
• Disaster Recovery/Failover built in to their systems
• At least two datacentres available to each customer for failover options
• Redundant/Resilient power and internet supplies at each datacentre
• 2 Factor Authentication options for accessing data
• Logical and physical segregation of customer applications, configuration and data

Accept nothing less.

By implementing the measures I have discussed so far, you can give your business the upper hand in the ongoing battle against hackers, and ensure that it is not your name in the next headlines.