When the term “high security” comes to mind, you probably think of a mile-high fence encasing endless corridors of locked doors. You wouldn’t be wrong; information is always stored in a way designed to keep the wrong people out, whether it’s in a datacentre or a law firm.
Networks and databases are kept fire-proof, bomb-proof, bullet-proof; but this isn’t fool-proof. Security can take every physical measure possible, and still leave your network wide open to attack.
It’s time to talk about cyber security, and why it should be given equal priority with physical security.
What’s the risk?
“If I’m attacking you in a cyber-sense, I can be somewhere else in the world outside of your jurisdiction, and I’ve probably compromised four systems in between. So, getting back to me is nigh on impossible.”
So said a speaker at TechUK’s data security event last year, which was held under Chatham House Rules – anonymously – in order to protect the attendees and speakers. They discussed the development of Big Data, and its implications for cyber security; is the cloud a help or a hindrance to cyber security?
The jury’s still out, but what we learned for certain is that cyber security is not a high enough priority for many companies.
A 2015 report by the World Economic Forum states a frightening statistic: that 90% of companies call themselves insufficiently prepared for cyber attacks. When cyber crime is already costing the world more than US$400 billion each year, this is nowhere near good enough.
Furthermore, Cyren’s Cyberthreat Yearbook last year stated that cyber attacks on businesses have increased by 144% in the past four years. In addition to this, the American National Security Agency put the cost to victims of cyber attacks at up to US$40,000 per hour.
In fact, when it comes to attacking a company there is no better way than from a computer safely tucked miles away and behind layers of masks. For a cyber criminal, “the risk is low but the reward is high.”
What should I look for?
There are two major types of cyber crime: data security breaches (such as the loss of personal information or trade secrets) and sabotage (denial-of-service attacks and the disabling of basic systems).
Both types of crime cost the victim much more than just whatever the criminal took. Cyber crime can cause commercial losses, PR problems, and open up a company to regulatory action; all things that will result in loss of clients and reputation.
Where is the security going?
It turns out that many all-inclusive security companies play into the psychology of protection: the security needs to be visual to feel present. For example, workers at a law firm might feel better protected by masses of chrome and biometric scanners than by a firewall in their computer.
However, CBSIT specialises in cyber security, not physical – we won’t glam up the walls of your office just to make more money.
It can be hard to hear of recommended security teams because many companies don’t report their status as victims of cyber crime. This is because data protection is a board-level responsibility.
“Similar to financial and reputational risk, cyber security risk affects a company’s bottom line… It can harm an organisation’s ability to innovate and to gain and maintain customers.”
What can I do?
When it comes to safety of any kind, it’s layering that matters – back-up upon back-up.
“The more layers that a centre can provide between the individual and the data hall, the greater the likelihood of reducing the risk of a physical breach.”
So says Greg McCulloch, a co-location security provider, in a media advisory. He recommends at least eight layers of physical protection, and then plenty of cyber security.
Others recommend moving as much data as possible to the cloud, so that more resources can be assigned to cyber security over storage facilities. Third party cloud providers certainly cut down on the need for physical security, but using them means being very sure of your cyber protection: big stores of centralised data are a very attractive target for a cyber criminal.
Internet connectivity is a huge asset for a business, but to ensure that it remains safe for work – that is, free of unauthorised access and/or maintaining service to clients – networks need security. They should be monitored 24 hours a day, seven days a week; preferably by humans.
“Nothing makes up for the presence of a human element.” – Greg McCulloch
Do you need advice on putting together a cyber security policy for your staff? Why not let us help?