In case of attack: protecting your business
Increasingly sophisticated cyber-attacks are seeing businesses’ data compromised, hitting reputations as well as revenues. According to analyst IDC, the global market for cyber security solutions will grow to $870m by 2017, fuelled by a surge in attacks on businesses last year.
When corporate information is compromised, it can be devastating for a business. If a customer’s information is leaked, firms can be forced to pay fines as well as losing clients through a damaged reputation.
An increasing number of devices in the workplace has seen many businesses lacking adequate, across-the-board security. Adding to this is the trend for remote working, with employees using shared home devices to access company data in multiple locations.
education is key
While it is impossible to mitigate risks entirely, those who educate staff will lay the foundations for a secure business. “Most of the time it is the human who is the weakest link,” says Jean-François Audenard, Orange Business Services Cyber Security Advisor. “Security processes or procedures are often outdated or not implemented the proper way. A great number of companies do not have IT security sensors or alarm systems in place, so they can remain compromised without being aware of it for months.”
David Emm, Senior Security Researcher at Kaspersky Lab agrees, saying: “There is a technological part and a human component. It often starts with mishandling through instant messaging (IM) or email. On the technology side, the working environment is changing and it’s more of a challenge for IT departments to secure the smartphones and social networks that people use to enhance business.”
One of the most common types of cyber-attack is distributed denial of service (DDoS), which targets sites hosted on high-profile web servers, such as those used by banks and financial organizations.
But the starting point is often a spear-phishing attack, a targeted email that appears to come from a trusted source. Emm says: “Someone goes after a particular target and they do their research - they look at how many offices the business has and often start with the head of marketing, taking easily available information from the web.”
Spear phishing is sometimes an attempt at financial gain, but not everyone who attacks wants to take money. Cyber criminals might wish to embarrass the business in some way, or they may disapprove of its ethics. This practice known as ‘hacktivism’ and made famous by groups such as Anonymous.
Although most attacks tend to be speculative, Kaspersky estimates that around 10% are targeted in this way. “I think that will grow,” says Emm.
When data is compromised, it is important to act quickly to limit damage as much as possible. “Not detecting a compromise in a timely manner can lead to greater impact and loss for the company,” says Audenard. “If the incident isn’t handled in a proper way, important forensic information may be lost and estimating what has been stolen may be difficult to determine.”
Education is therefore integral during the whole buying process to prevent attacks before they hit. “Our customers are aware that solutions exist, but they’re not familiar with the available options and what needs to be implemented or not from a technical standpoint,” says Audenard. “We’re still speaking with businesses who are thinking an Intrusion Prevention System (IPS) is the solution against DDoS attack; this is absolutely false for massive attack.”
Responding to a security incident requires skills and resources that few companies have in-house. One approach is security-as-a-service. As cloud use surges, more businesses are turning to outsourcing for security, according to analyst Gartner. The firm says cloud-based services will generate revenues of $4.2bn in 2016 and cloud will become the delivery platform for 10% of total IT security enterprise product capabilities by 2015.
“With security-as-a-service, businesses have a unique and new opportunity to mitigate risk in an efficient manner as it gives them the ability to activate the required security functions only at the exact and precise location they need, and only for the duration they need to get protected,” says Audenard.
Many security breaches are caused by a lack of understanding around passwords. Staff often use the same password across a number of devices, making them easy to target at home and then in the workplace. This is driving a strong demand for identity management solutions, which can assess who exactly is trying to log on to a system and refuse anyone deemed suspicious. Orange offers a service called Flexible Identity, a cloud-based solution which can be used to manage account provisioning and authentication in central way.
For those who have already suffered a breach, it’s also beneficial to seek advice from consultants such as those from Orange Consulting, who can assist with forensic activities or help improve defenses based on experience gathered during an incident.
As the cyber landscape widens, businesses must to take into account that they could be compromised – whether through a large scale DDoS attack or targeted spear phishing – and prepare themselves. But security starts with prevention, and part of that is educating staff about potential risks.