Whose job is it to secure information in a business? It’s yours.
16th July 2020
While the management and cybersecurity team may be tasked with keeping out cyberattacks, every person in a business has a role to play in ensuring information security.
By its very nature, digital information is easily copied, replicated and shared. This is what makes data the “new oil” as it powers all sorts of analytics and data-driven decision making in a business’ transformation efforts.
Thus, it is important that businesses take a more serious look at measures to ensure that their data – in the form of customer information, for example – is kept safe from prying eyes.
Even as they transform their operations to adapt to an uncertain economic situation, they have to pay more attention to information security, a branch of cybersecurity that deals with securing the data used by businesses.
Besides securing a network or computer, businesses should raise their game when it comes to safely handling data, a fluid asset that is arguably more difficult to lock down than a piece of hardware.
This is especially true at a time when employees are working from home. This means information is flowing outside of the traditional office network that resides behind a firewall and other commonly deployed defences.
Everyone is responsible
But first, who is responsible for information security? For the management, this involves devising policies for the business and seeking support should an incident occur.
On another level, the team in charge of security has to develop systematic countermeasures, establish rules and disseminate them thoroughly. They also have to collaborate and respond quickly to incidents.
However, information security is everyone’s job. This starts with strictly complying with the rules. All too often, a security incident occurs at the weakest link – an employee who has clicked on a link that downloaded malware, or an administrator who has wrongly configured a network, server or application setting.
However, the same employee is also at the frontline of this fight. If he is aware of the threats and takes some basic precautions, he can reduce the risk of information leakage. So, the weakest link can be the first line of defence.
How an incident occurs
The simplest and most common way that data may be lost is through mismanagement. Perhaps an employee is rushing out to a meeting and has simply misplaced his documents. Or an outsider may simply be “shoulder surfing” – glancing at a victim’s laptop screen while he is on a plane.
There are many other ways to lose data, such as the theft of laptops, e-mails sent to the wrong person or even inadvertent disclosure on social media.
A sales representative may think it fun to take a selfie with a customer and share that on his social media account, but the corporate signboard in the background could expose a deal that is not ready to be publicised.
Indeed, the biggest source of information leakage is human factors, which account for 80 per cent of related incidents, according to the Japan Network Security Association (JNSA).
For example, lost or misplaced data accounts for 26.2 per cent of incidents, while mis-operation accounts for 24.6 per cent. In other words, cyberattacks are not the only way that data is leaked.
Precautions for employees
To be sure, there are numerous ways that cyberattacks can adversely affect a business. Some hackers will seek to steal information through an “advanced persistent threat” attack, while others will hijack thousands of PCs and devices to “bombard” a service to bring it down in a distributed denial-of-service (DDoS) attack.
Another common attack, even during the Covid-19 situation, is ransomware. Typically, hackers will break into PCs and servers, lock up the data by encrypting it, and ask for a ransom. Even hospitals and research institutes are not spared during the pandemic.
While countering many of these attacks requires sophisticated tools, such as a DDoS mitigation service that drops the attack traffic or regular checks on servers to keep out ransomware, there are precautions that employees can take.
One so-called “hygiene” factor would be ID and password management. It is a good idea not to share the same login details for different accounts, for example.
Users should also be aware of the sites they often visit. Some of them may be compromised and end up being used to exploit vulnerabilities in visitors’ computers.
It also pays to have good e-mail habits. Simply checking the destination address before sending a message helps to avoid errors. For incoming e-mails, check carefully the sender, who may be a hacker trying to spoof a legitimate e-mail address.
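The “check the sender carefully” habit above can be partly automated. The following is an added example written for this article, not code from the original page or from NEC: it looks at the From and Reply-To headers of a message and flags three common signs of a spoofed sender – a display name that is itself an address but differs from the real one, a Reply-To that points to a different domain, and a sender domain that is a one- or two-character variation of the organisation’s own domain. The two messages and the trusted domain `example-corp.com` are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail).
LEGIT = """From: Alice Tan <alice.tan@example-corp.com>
Reply-To: alice.tan@example-corp.com
Subject: Q3 figures

Please see attached.
"""

SPOOFED = """From: "alice.tan@example-corp.com" <billing@example-c0rp.com>
Reply-To: collect@mail-drop.invalid
Subject: Urgent payment

Please pay the attached invoice today.
"""

# Assumption: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like(candidate, trusted):
    """True when two domain names have the same length and differ in only one or two characters."""
    if len(candidate) != len(trusted):
        return False
    return 0 < sum(a != b for a, b in zip(candidate, trusted)) <= 2


def sender_warnings(raw_message):
    """Return a list of plain-language warnings about who really sent a message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _reply_display, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # 1. The display name is written like an address but does not match the real one.
    if "@" in display and display.lower() != addr.lower():
        warnings.append(f"display name '{display}' does not match real address '{addr}'")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        warnings.append(
            f"Reply-To domain '{domain_of(reply_addr)}' differs from sender domain '{domain_of(addr)}'"
        )

    # 3. The sender domain is a near-copy of a trusted domain (e.g. a digit swapped for a letter).
    dom = domain_of(addr)
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if _looks_like(dom, trusted):
                warnings.append(f"sender domain '{dom}' resembles trusted domain '{trusted}'")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, sender_warnings(raw) or ["no warnings"])
```

A mail client or gateway filter would run the same checks on every incoming message; the point for the employee is that the displayed name is not the sender, and that the address in angle brackets and the Reply-To header are what actually decide where a reply goes.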
Having the right approach
The first thing to acknowledge is that incidents will happen, despite the best efforts. This means reducing the risk and mitigating the damage of any leak.
First, decide what counts as confidential information. Store information such as customer data and design documents on a server rather than on a desktop PC, so that it can be managed more easily.
Acquire information with a real purpose, store it securely, then use it only for work purposes and protect it from unauthorised users.
Businesses also have to keep in mind that information security needs to be balanced with ease of use and convenience to users. This often requires their buy-in by understanding their role in the endeavour.
Finally, be prepared to report an incident. There has to be a line of reporting, for example, to a risk management or information security committee or incident response team. This needs to be planned before an incident occurs.
The key is to reduce the damage done and prevent a recurrence by quickly investigating the issue and deploying countermeasures. Over time, incidents are unpreventable, but the damage they cause can certainly be limited through thorough information security measures.
Raise awareness of information security by undergoing a comprehensive training workshop. Stay tuned to find out what NEC can offer to help.
Images from Pixabay, Pexels and Saksham Choudhary.