Opinion: Business Security - Securing your business data

How would your customers react if you told them that their financial data or personal information had been taken by persons unknown?

If you were asked if your business was secure, how would you answer?

I suspect your first thoughts might be:

  • We have good locks on the doors

  • All the windows are closed before we leave

  • We sign in and escort all visitors

  • All equipment is security tagged

  • We even have a security guard at night

  • Oh and we’ve got a firewall for the IT system.

Unless you work in the field of IT, the last point always seems to be exactly that: the last point. The other points are very necessary parts of security protocol, and even requirements for some security accreditations, but in today’s society these measures are taken more to stop opportunists from getting their hands on a laptop to sell down at the pub.

The priority of the last point, however, has changed dramatically.  It doesn’t matter whether you are a large multi-national corporation or a small, start-up business.  If you hold data that somebody thinks may have value, you are a target!

The value of data

Cybercrime costs UK businesses £21bn per annum.
This is not just what is stolen, but also the loss of business or credibility that comes from informing customers that their data has been compromised. How would your customers react if you told them that their financial data or personal information had been taken by persons unknown?

Due to the sheer volume of data now stored within the World Wide Web, cybercrime has become one of the most profitable sources of theft.  It has been said that some organised crime gangs now make more money from cybercrime than any of their other “business” ventures.

My data’s not important

You store your data for a reason.  If you think it’s valuable enough to keep, then so will others.  Email addresses are highly sought after by spammers and marketing people.  If you hold credit card information, then you should already know the value of that data.
Criminal records, addresses, dates of birth, national insurance numbers; think about the information you are asked to supply to open a store card!

“But I’ve got a firewall,” I hear you cry.  A firewall is a good start, but you cannot just rely on a piece of hardware.  How has it been set up?  Did the administrator delete the default account details or just set up a new admin account?  We find a lot of organisations with good infrastructure and the best kit money can buy, but it only takes one misconfiguration, one open port attached to an old vulnerable piece of software or legacy system, and all that hard work and money was in vain.

I am not saying that the IT people who install this equipment are doing a bad job, far from it. This area can be a minefield with all the different settings and variations available. Sometimes a scan of your system from the outside can show problems that may not be picked up from looking at the administration screen. An independent scan of your system can tell you what is visible to the outside world, and, more often than not, tell you what versions of software or hardware are attached to a less secure network.


It is not only your file system that needs to be secure. Websites often get overlooked when it comes to security. Do customers enter details into your website? Does it have a database attached to it? Unless written correctly, even the best-looking websites can leave you vulnerable. Weak websites can allow hackers to get information from the attached databases, change content or just sit and monitor who does what. This can be very dangerous, especially if you have customers logging in.

Regular testing

All businesses, large or small, should have security testing as part of their security policy. Testing should be carried out at least annually or when a significant change is made to your infrastructure. Of course, this is the minimum you should be doing to give yourself and your customers the reassurance that data is being treated in a secure manner.

Regular, good quality testing will identify (and provide fixes for) common security vulnerabilities in your servers and web applications and help prevent opportunist hackers from successfully attacking your systems.

Tags: firewalls, Opinions, security testing, Ian Hyndman, attacks, data privacy, data breach, cybercrime, business security
