Cyber security has become a major thorn in the side of many companies in recent years, forcing firms to go to extra lengths to mitigate potential risks.
This Round Table addresses some of the trends of the past year as well as taking a look at what the future holds. Olga Finkel, Partner, was recently selected, together with eight other experts from around the world, to offer her opinion on the prevalent issues surrounding the topic.
The Round Table was organised by Corporate LiveWire, who set a number of topical questions for the experts to comment on.
Below is an extract of the Round Table, depicting Olga’s opinions on the questions.
What are the main cyber security trends we should be keeping an eye on in 2014?
Finkel: One should always strive to be several steps ahead of up-and-coming security risks. I believe that the main emerging threats are social engineering attacks that use social networks like Facebook, where an innocent-looking friend or connection request can be the prelude to a social engineering scam; advanced persistent threats (APTs) and precision-targeted malware, where long-term quiet attacks are used to gain unauthorised corporate network access and steal information, a small chunk at a time, over a long period of time (and therefore more difficult to detect); internal threats due to malicious users and the increase in usage of personal smartphone devices for both work and personal uses; and attacks that focus on vulnerabilities in HTML5 browsers.
Can you outline some of the more successful measures firms are taking to mitigate risks?
Finkel: Risks can be mitigated by having a data-centric governance plan that evaluates the employees’ roles and their data needs and maps them to data types and virtual machines, therefore limiting the rights strictly on a need-to-know basis. The business context is also important: identifying the paths of information utilisation within the organisation and the weakest link in the internal procedures, and understanding a profile of likely attackers, is vital to taking the appropriate security control options. Knowing your data users thoroughly and monitoring suspicious data access behaviours also allows security resources to be used in the most effective way.
Can companies adequately protect themselves against cyber threats without devoting significant expense and human resources to security?
Finkel: A risk-based approach in conjunction with adequate data access limits can help focus the expenditure of financial and human resources for the best positive impact on security. While it is sometimes said that using cloud computing may increase the security risks and uncertainty, in my view, when implemented correctly, switching to cloud computing can increase the overall data security and at the same time significantly decrease the cost, especially when using providers that have dedicated and experienced security teams that are unlikely to be at the disposal of most typical companies and users.
What procedure should a firm take when outsourcing or contracting work which contains important data and security, be it hosting their website or obtaining passwords to secured information?
Finkel: Outsourced and contract workers may represent a significant security threat that many firms are inadequately prepared to handle, especially when dealing with sensitive data. Outsourced providers must be vetted carefully and ideally come referred from a trusted third party or be directly known and trusted by a number of the firm’s personnel. When dealing with sensitive data, background checks may also be appropriate. Strict limits and monitoring/logging of such personnel’s actions need to be implemented, with data encryption measures and the use of password safes utilised to reduce the risk of unauthorised access, copying and use of information.
How important is it that organisations include cyber security in their insurance policies?
Finkel: As cyber security breaches are becoming a major risk for modern data-centric organisations, it is beneficial to cover this risk in an appropriate insurance policy, which can cover data loss incidents, business interruptions and network outages. However, while an insurance policy can cover the financial risks associated with security breaches, including the damages caused to third parties, no policy can ever bring back lost data, recall leaked sensitive information or erase potential reputational damage. Accordingly, insurance policies are not a substitute for, and should always work in conjunction with, data security policies and processes that minimise the risk in the first place.
How important is incident management and analysis when something does go wrong?
Finkel: Incident management and analysis are absolutely vital when something goes wrong. Incident notification and activation of the emergency and escalation plan are important for achieving quick mitigation of an incident followed by a quick resolution. Analysis and follow-up are needed to ensure that the organisation learns about vulnerabilities and updates its risk matrix assessment, and also understands the underlying reasons and context that enabled the incident to take place in the first place. Finally, the results of such analysis should be used to update policies and processes to prevent, or minimise the incidence of, similar incidents in the future.
For the full Round Table, please click http://www.corporatelivewire.com/round-tables.html?id=cyber-security-2014.