If you were asked if your business was secure, how would you answer?
I suspect your first thoughts might be:
- We have good locks on the doors
- All the windows are closed before we leave
- We sign in and escort all visitors
- All equipment is security tagged
- We even have a security guard at night
- Oh, and we’ve got a firewall for the IT system.
Unless you work in the field of IT, the last point always seems to be exactly that: the last point. The other points are very necessary parts of a security protocol, and even requirements for some security accreditations, but in today’s society these measures are taken mainly to stop opportunists from getting their hands on a laptop to sell down at the pub.
The priority of the last point, however, has changed dramatically. It doesn’t matter whether you are a large multi-national corporation or a small, start-up business. If you hold data that somebody thinks may have value, you are a target!
The value of data
Cybercrime costs UK businesses £21bn per annum
This is not just the value of what is stolen, but also the loss of business or credibility that comes from informing customers that their data has been compromised. How would your customers react if you told them that their financial data or personal information had been taken by persons unknown?
Due to the sheer volume of data now stored within the World Wide Web, cybercrime has become one of the most profitable sources of theft. It has been said that some organised crime gangs now make more money from cybercrime than any of their other “business” ventures.
My data’s not important.
You store your data for a reason. If you think it’s valuable enough to keep, then so will others. Email addresses are highly sought after by spammers and marketing people. If you hold credit card information, then you should already know the value of that data.
Criminal records, addresses, dates of birth, national insurance numbers; think about the information you are asked to supply to open a store card!
“But I’ve got a firewall,” I hear you cry. A firewall is a good start, but you cannot rely on a piece of hardware alone. How has it been set up? Did the administrator remove the default account details, or just set up a new admin account alongside them? We find a lot of organisations with good infrastructure and the best kit money can buy, but it only takes one misconfiguration, one open port attached to an old, vulnerable piece of software or a legacy system, and all that hard work and money were in vain.
I am not saying that the IT people who install this equipment are doing a bad job, far from it. This area can be a minefield with all the different settings and variations available. Sometimes a scan of your system from the outside can show problems that may not be picked up from looking at the administration screen. An independent scan of your system can tell you what is visible to the outside world and, more often than not, which versions of software or hardware are exposed to a less secure network.
It is not only your file system that needs to be secure. Websites often get overlooked when it comes to security. Do customers enter details onto your website? Does it have a database attached to it? Unless written correctly, the best-looking websites can leave you vulnerable. Weak websites can allow hackers to extract information from the attached databases, change content, or simply sit and monitor who does what. This can be very dangerous, especially if you have customers logging in.
All businesses, large or small, should have security testing as part of their security policy. Testing should be carried out at least annually, or whenever a significant change is made to your infrastructure. Of course, this is the minimum you should be doing to give yourself and your customers the reassurance that data is being treated in a secure manner.
Regular, good-quality testing will identify (and provide fixes for) common security vulnerabilities in your servers and web applications, and help prevent opportunist hackers from successfully attacking your systems.