However, businesses' own employees are increasingly becoming the root cause of these breaches, as cyber-criminals use hacking techniques to exploit vulnerabilities in both applications and humans. These vulnerabilities are costing the average UK business £2.9 million, as threats such as phishing, malware, DDoS, and social engineering rise significantly.
GCI’s Head of Security, Craig Stirling, is no stranger to these incidents: “GCI’s dedicated Security Incident Response Team are seeing a significant increase in cyber-security incidents as a result of human error. In 90% of cases where we’ve assisted organisations with breaches, an employee has clicked on a suspicious email and provided their credentials, compromising not only their email account but the whole integrity of the organisation.”
In today’s technology landscape, security isn’t something that can be ‘ticked off’ a worklist. The security threat is ever-evolving, and with the risk of financial and reputational damage, plus GDPR implications, organisations need to prepare for the likelihood of a breach with an Incident Resolution plan. “From my experience, despite every CEO and Executive telling me it is highly unlikely that these emails will contain personal data – 99.99% do. Critically, this triggers a 72-hour notification window to submit the breach to the ICO as part of GDPR… and if their obligations aren’t met, then large financial fines can be enforced.”
5 top tips to protect your organisation from security breaches:
- Invest in a cyber immune system
As cyber-attacks grow in scale and complexity while security teams struggle with limited budgets and resources, those teams cannot respond to threats fast enough. It is therefore critical that businesses take a holistic approach to security, looking at solutions that combine people, processes and technology to ensure they identify and remediate incidents as quickly as possible. GCI’s cyber immune system is an example of this: it combines advisory services, advanced threat management, vulnerability and compliance management, and security incident response services for complete end-to-end incident resolution.
- Educate your employees
With 1 in 5 SMEs not investing in training their staff, employees remain the weakest link in the cyber-security arms race. Ensure your corporate security policy outlines how to handle critical data and passwords, what to do in the event of a breach, which applications employees are authorised to use, and best practice for cyber-security.
- Enforce password rules and Multi-factor Authentication
Create a formal policy which manages risks and includes clear rules about using strong passwords and procedures for properly handling, storing, and sharing passwords. Additional security measures such as Multi-factor Authentication can also strengthen the protection of access to sensitive data by requesting login information from independent categories of credentials to verify the user’s identity.
- Get GDPR compliant
The more data you hold, the greater the risk you face in the event of a breach, so avoid keeping old client information and delete any data that you don’t need. Failure to implement and maintain essential security practices can significantly reduce your business's legal defensibility in the event of a data breach.
- Plan ahead
1 in 10 firms currently don’t plan for human-error-related breaches. Implement a cyber-security Incident Resolution plan that puts procedures in place to help you investigate and comply with GDPR should you experience a breach. Access to the GCI SIRT team is free and can be included within this plan if required.