Roger Lo, Senior Manager of Risk Advisory, BDO, on what firms and employees can do now to safeguard their digital data
Data protection has become a must for companies of all sizes, especially in recent times. With cyberattacks on the rise, and hackers becoming more sophisticated in their ways, protecting an organization – and its digital information – against potential breaches can sometimes feel like a never-ending game of cat and mouse.
Take ransomware, which is a type of malicious software that hackers have been using since 2013 to hold digital information. Arguably, it hasn’t been taken seriously enough in terms of its impact on a company’s critical data and IT infrastructure, and has therefore become a top choice of malware for criminals. In 2020, the total amount of ransom paid by the victims reached nearly US$350 million in cryptocurrency. This is a 311 percent increase over 2019, according to a crypto crime report from software company Chainalysis. While there is a lot of money at stake, cyberattacks like these can also take a serious emotional toll on those involved.
So why isn’t every company protected? Firstly, protecting a company against a hack is costly. It is labour-intensive to perform a root cause analysis, for example, and assure its whole IT infrastructure is no longer vulnerable. This requires IT security experts, and not every company has one. Then how can we protect data and a company’s critical IT infrastructure? While information security will inevitably require investment, it’s better to be prepared in the first place, as the benefits will far outweigh the potential damage caused.
Protect against data breaches, and also detect cyber threats
Businesses can develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event before it takes place. With reference to the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework 800 series, businesses should first have control of and access to their digital and physical assets. They should also have processes, procedures and policies put in place to secure data, maintain baselines of network configurations and operations, and to also repair system components in a timely manner. These controls are not only very useful for large businesses but also those new to information security, such as small- and medium-sized enterprises.
Examples of protection controls include:
- Increasing staff awareness through education and role-based training.
- Ensuring information security protection is consistent with the business’ risk strategy to protect the confidentiality, integrity, and availability of information.
- Implementing necessary information protection, processes and procedures to maintain and manage the protection of information systems and assets.
- Protecting business resources through maintenance, which includes remote maintenance activities.
- Using protective technology, and ensuring the security and resilience of systems and assets are consistent with policies and agreements.
Businesses should also implement the appropriate measures to quickly identify data security events. The NIST Cybersecurity Framework also suggests businesses should set up continuous monitoring mechanisms that detect suspicious activity so that other threats to operational continuity are contained. A business should have visibility into its networks to anticipate a data breach incident and have all information and resources at hand to respond to one. Continuous monitoring and threat-hunting are very effective ways to analyse and prevent cyber incidents in the first place.
Examples of protection controls include:
- Ensuring anomalies and events are detected, and that their potential impact is identified by conducting reviews of audit logs on a weekly or more frequent basis. The log should include sensitive data access, including modification and disposal.
- Implementing continuous monitoring capabilities to monitor information security events and verify the effectiveness of protective measures including network and physical activities.
- Ensuring that the company implements recovery planning processes and procedures to restore systems and/or assets affected by information security incidents.
- Implementing improvements based on lessons learned and reviews of existing strategies.
- Internal and external communications are coordinated during and following the recovery from a data security incident.
Are you prepared for better information security?
Developing an information security programme is not a one-off effort; it needs to evolve within the ecosystem in which it exists. It is also no longer just an IT issue, as this evolution requires a variety of stakeholders to contribute. For example, accountants, who are domain experts in business, can help to assess IT risks by looking at various business cases and processes. With this assessment, an information security strategy can be established.
But bear in mind that it can be difficult to achieve 100 percent protection, as a determined and skilled hacker can and will eventually compromise a system to a certain extent – especially when firms of all sizes are much more vulnerable with the rapid acceleration of online transactions and digital transformation today. So the most important question is perhaps not “how good is your protection?” but rather, “how much have you prepared for a data breach?”