
Over the past few years we have not only seen an increase in the number of cyber-attacks, but also a disturbing upward trend in the sheer amount of data that has been stolen. The maliciousness of the attacks has also reached the point where data is not only being stolen, but also deleted.
Cyber crime is escalating and it’s essential that organizations know what’s happening out there, so they can be proactive in their response to these cyber threats.
Just look at these estimated numbers:
- Home Depot – 56 million cardholders affected
- Target – 40 million cardholders and 70 million others affected
- JPMorgan Chase – 76 million households affected
- Sony – 33,000 private files resulting in 47,000 social security numbers, personal information of employees and contractors, financial data and feature length movies being stolen
It should go without saying that companies are going to be focused on security more than ever in the future. In fact, Gartner (1) has predicted that global spending on enterprise IT security will reach up to $76 billion in 2015.
Attempting to prevent attacks by increasing spending on intrusion detection and data loss prevention, however, addresses only part of the problem. Cybersecurity is a broad and specialized field, and one that requires constant attention.
4 Key security areas to focus on
1. Vendor Management
If you are using third parties or vendors to manage any part of your IT, then ensure that their security protocols align with yours. In both the Target and the Home Depot attacks, hackers gained entry to the core systems via a third party.
2. Educating users
Phishing is not only a consequence of stolen data; it has also been the entry point in at least one of the recent major hacks. Target’s systems were compromised after a third party vendor opened and executed malicious code delivered via a targeted phishing attack.
It is especially important when running an email program, whether for eMarketing, transactional or eBilling purposes, that consumers are aware of the potential for phishing emails.
Educate customers on what emails they can expect to receive, versus what to look out for when suspecting phishing. This communication needs to happen often, as the threats themselves mature. It also needs to be consistent and communicated across multiple channels (including your app). People are busy and distracted, and if your messaging isn’t frequent and consistent, they’re likely to slip back into old habits.
This doesn’t just mean keeping them up to date with the latest tactics used in phishing attacks, but also reminding them what the organization will never ask them to do in an email.
3. Technical Controls
Authentication controls such as DKIM and SPF are no longer optional and should be accompanied by a DMARC policy to further combat phishing attempts.
Learn more about the technical setup of DKIM and SPF.
Read more about DMARC:
- Striata to implement DMARC – a new standard for email authentication
- 10 things you should know about DMARC’s battle against email fraud
4. Response Management
While the aim is to never have a system compromised, there is never a 100% guarantee of this. Communication to stakeholders, including customers, is imperative after a breach in order to avoid further attacks. Often in these hacks, personal data, including email addresses, is part of the stolen assets.
We’ve learned that cyber criminals are opportunists: for example, when Air Asia QZ 8501 went missing, it took around 24 hours for phishing emails and social media posts linking to malware to be seen in the wild.
If you are still unsure or have any security concerns – we will gladly assist. Let’s chat…
Reference:
- (1) Gartner Press Release, “Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware”, August 22, 2014