Preventing Large Company Data Breaches
With the rise of digital technology, businesses are becoming ever more vulnerable. What can be done to prevent large company data breaches?
The Challenge of Preventing Large Company Data Breaches
Businesses today face a daunting range of digital security threats – from DDoS attacks and ransomware to the prospect of all-out cyberwarfare. As digital technology encroaches further into our lives, we are becoming ever more vulnerable to large company data breaches.
The Internet of Things presents a significant new attack surface – and its devices have all too often lived up to the nickname of the ‘Internet of Poorly-Secured Things’. The technology has enormous potential – but, by putting vehicles, machinery and more online, it creates connections that can be compromised where no remote access existed before.
Illustrating the potential danger, security firm Darktrace cited the case of an American casino that was hacked via an internet-connected fish tank, which offered a backdoor into the network.
Migrating to the cloud also presents a new technical challenge for security: ensuring that entry points are not left unguarded and that every security setting is configured correctly, which is easy to get wrong in complex hybrid and multi-cloud environments.
Complex IT Infrastructures Increase the Risk of Large Company Data Breaches
For large businesses, especially those that have expanded through acquisitions and mergers, the complexity of their IT infrastructure naturally increases the potential risk. A global business may well have hundreds of sites tended to by thousands of staff in combination with an ecosystem of agencies and suppliers. Given this kind of landscape, it’s easy for issues to slip through the cracks or for sloppy work to leave entrances ajar.
Alex Hamerstone, the TrustedSec Governance, Risk and Compliance Practice Lead, addressed the challenges that this situation presents. “When companies merge; acquire other companies; or are themselves acquired, they have a lot of work to do not just in combining processes, corporate cultures, and business functions, but also their information and technical systems,” said Alex.
“Ideally, organizations will have assessments performed (by either their own staff or third parties) of the technical systems and the security of those systems prior to the merger. This allows them to devise a plan for system integration as early as possible. It can also affect the decision to merge or the financial elements of the deal, as an acquired company may have poorly designed or outdated IT systems, which may take significant additional resources to merge,” Alex said. “The key is to have a strong plan in place, ensuring that system integration is plausible. In some cases, this means the two organizations are operated separately for a longer period of time than anticipated while an integration plan is developed.”
“[In the case of mergers and acquisitions it’s] highly important for CISOs or Chief Privacy Officers to... identify sensitive digital assets and the infrastructure hosting those assets that the merged companies will have – and [to] oversee creation of and oversight on user directories, identity and access management controls and privilege access permissions,” added Michael Suby (MS), ICT VP of Research, Frost & Sullivan. “Data Leak Prevention [DLP] also becomes an important control element too... Attention should also be placed on administrative passwords to network routers and switches. Cavalier IT practices at one company (e.g. using default or a single administrative password over multiple routers and switches) should not creep into the merged companies' standard operating practices.”
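The last point in that quote, a single administrative password copied across many routers and switches, is something an acquiring security team can check mechanically once it has collected the device configurations. The script below is an added example written for this article, not code from Frost & Sullivan, TrustedSec or any vendor. It assumes Cisco-IOS-style credential lines (`enable secret 5 ...`, `enable password 7 ...`, `username ... secret 9 ...`); the four configuration fragments and every secret value in them are constructed for illustration and are not real hashes. It flags plaintext (type 0) and reversibly encoded (type 7) passwords, notes the older MD5-based type 5 where stronger type 8/9 hashes are available, and reports any credential string that appears verbatim on more than one device, which is the fingerprint of a copy-pasted administrative password.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed list of common defaults for the example; not a vendor list.
DEFAULT_PASSWORDS = {"cisco", "admin", "password", "changeme"}

# Matches IOS-style credential lines:
#   enable secret 5 <value>          enable password 7 <value>
#   enable password <value>          username <u> [privilege N] secret 9 <value>
_CRED_RE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+"
    r"(?P<kind>secret|password)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)


@dataclass(frozen=True)
class Credential:
    device: str
    account: str  # "enable" or the username
    kind: str     # "secret" or "password"
    ptype: str    # "0" plaintext, "5" MD5, "7" reversible, "8"/"9" modern hashes
    value: str


# Constructed sample configs: two devices share an identical 'enable secret'
# line (copied config), one uses type 7 and a default plaintext password,
# and one is configured well.
SAMPLE_CONFIGS = {
    "core-rtr-01": (
        "hostname core-rtr-01\n"
        "enable secret 5 $1$k3Ls$EXAMPLEcopiedSecret000\n"
        "username netops privilege 15 secret 9 $9$EXAMPLEscryptValue000000\n"
    ),
    "core-rtr-02": (
        "hostname core-rtr-02\n"
        "enable secret 5 $1$k3Ls$EXAMPLEcopiedSecret000\n"
        "username netops privilege 15 secret 9 $9$EXAMPLEscryptValue111111\n"
    ),
    "branch-sw-07": (
        "hostname branch-sw-07\n"
        "enable password 7 EXAMPLEtype7encoded\n"
        "username admin password cisco\n"
    ),
    "lab-sw-03": (
        "hostname lab-sw-03\n"
        "enable secret 8 $8$EXAMPLEpbkdf2Value0000\n"
    ),
}


def parse_credentials(device, config_text):
    """Extract enable/username credential lines from one device config."""
    creds = []
    for line in config_text.splitlines():
        m = _CRED_RE.match(line)
        if not m:
            continue
        # A line with no type marker is a plaintext (type 0) credential.
        ptype = m.group("ptype") or "0"
        creds.append(Credential(device, m.group("user") or "enable",
                                m.group("kind"), ptype, m.group("value")))
    return creds


def audit(configs):
    """Return a sorted list of findings, each a dict with device/severity/issue."""
    findings = []
    devices_by_value = defaultdict(set)  # credential string -> devices using it
    for device, text in configs.items():
        for c in parse_credentials(device, text):
            if c.ptype == "0":
                is_default = c.value.lower() in DEFAULT_PASSWORDS
                findings.append({
                    "device": device,
                    "severity": "critical" if is_default else "high",
                    "issue": f"{c.account}: plaintext {c.kind}"
                             + (" matches a common default" if is_default else ""),
                })
            elif c.ptype == "7":
                findings.append({"device": device, "severity": "high",
                                 "issue": f"{c.account}: type 7 password is reversibly encoded, not hashed"})
            elif c.ptype == "5":
                findings.append({"device": device, "severity": "low",
                                 "issue": f"{c.account}: type 5 (MD5) secret; prefer type 8 or 9"})
            devices_by_value[c.value].add(device)
    # The same secret string on several devices means the same password
    # (and, for hashed types, a copy-pasted configuration line).
    for value, devices in devices_by_value.items():
        if len(devices) > 1:
            findings.append({"device": "*", "severity": "high",
                             "issue": f"identical credential on {len(devices)} devices: "
                                      + ", ".join(sorted(devices))})
    return sorted(findings, key=lambda f: (f["device"], f["severity"], f["issue"]))


def severity_counts(findings):
    """Summarise findings by severity, e.g. for a pre-merger assessment report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        print(f"[{f['severity']:8}] {f['device']:13} {f['issue']}")
```

Run against the constructed inventory it reports one critical finding (the default `cisco` password), two high findings (the type 7 password and the secret shared by both core routers) and two low findings (the MD5-based secrets). In practice the configs would come from a backup store or configuration-management export rather than inline strings, and the reuse check is what catches the "cavalier IT practice" the quote describes before it is inherited by the merged organisation.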
As a prime example of how the details matter, the Equifax hack was apparently caused by the security team’s failure to apply a single patch for the Struts vulnerability. The company’s former CEO, Richard Smith, even claimed that this was the fault of a single employee.
Have Processes That Work for the Company, Not Just the IT Department
Given the extreme gravity of security threats (see the Equifax hack), businesses should of course ensure that there are processes in place to check and double check work – so large company data breaches can never be the fault of a single individual.
Processes are critical for security – but procedures will only ever be as strong as the people using them. If the security team demand 15-character passwords incorporating symbols or mandate monthly password changes, then staff will inevitably write them on sticky notes and attach them to their monitors.
Training, Training, Training - the Key to Data Protection
“The approach to preventing breaches needs to be multi-faceted,” said Alex. “It may sound cliché, but there really is no single silver bullet. Employee training can help but it should be one part of a broad approach. Technical solutions such as network segmentation, logging and monitoring, enforcing least privilege access, etc., are essential, but employees still need to access information and systems to do their jobs. As such, it is essential that information security training is part of the overall information security strategy. It is important to keep in mind that training must be effective, not just designed to check a compliance box.”
“I work with a number of large companies,” said Alex. “One of the most important aspects of training for elementary security issues is ongoing refreshment. Companies are improving in this respect with things such as annual information security training events, phishing testing and email reminders/newsletters.”
“There is some debate in the information security industry as to the efficacy of information security training, but with so many large company data breaches being traced back to social engineering, training is essential in my view,” said Alex.
Indeed, there is undoubtedly an increased amount of attention being paid to ‘insider threats’, noted Chris Rodriguez, ICT Senior Industry Analyst at Frost & Sullivan – which is perhaps only natural, given that the most likely sources of a breach are a business’s own staff, according to PwC.
The Global State of Information Security Survey 2018 found that:
• 30% of incidents are the fault of current employees
• 26% are due to former employees
• 23% are due to hackers
• 20% are due to competitors.
So What’s to be Done?
“[Solutions include] DLP, NAC [Network Access Control], email security, firewalls and advanced malware detection solutions,” said Chris.
Digital security is now a main agenda point in many boardroom meetings and the potential high GDPR fines offer an even more persuasive argument for robust security measures.
Dixons Carphone recently admitted that it had suffered a breach affecting 5.9 million sets of card details – and that it had failed to make this public for a year. With GDPR in place, large company data breaches like this will be a much bigger problem for businesses that don’t quickly address them.
The threats aren’t going away but by being proactive and prioritising the human element, organisations can create solutions that work.
Empiric is a multi-award winning business and one of the fastest growing technology and transformation recruitment agencies, specialising in data, digital, cloud and security. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.