WannaCry, Petya, the Kaspersky scandal, the Cloudbleed data leak, the Shadow Brokers group activity… these are just some of the cyber-scandals of 2017. Therefore, the key question is not whether there will be an attack on the digital resources of the company, but when it will happen and to what extent the company is prepared to face it.
From this article you will learn:
- how important security awareness is in a world full of digital data,
- why you should have only limited confidence in your own security measures,
- what additional security measures you can invest in.
Digital security awareness
For example, according to the 10th edition of the Data Breach Investigations Report from 2017, 81% of data breach incidents were caused by a stolen and/or weak password. At the same time, the report commissioned by Intel, IT security in large companies in Poland, from 2016 shows that as many as 62% of Polish companies use only a password for authentication. It is known that in 62% of cases the data breach incident was caused by "hacking", i.e. gaining unauthorized access to user data (2017 DBIR), while 40% of Polish companies do not have a scenario prepared for such an event (IT security…).
But enough about the statistics! Imagine that this is happening to your company. One morning you realise that your website has been attacked and criminals have gained access to the data you collect through it. Unfortunately, this is not a science fiction story. It’s very likely that this has already happened to you, or that you know someone who has experienced it. Attacking the security of digital resources, contrary to appearances, is not so difficult. The Internet is full of guidebooks and courses for beginners, while entrepreneurs unfortunately too often forget that they are responsible for their website and for the IT security of its users. In addition to the loss of reputation, in the case of a successful attack the damage can be much greater:
- hackers can cause harm to the users of your site, e.g. through phishing,
- they can collect confidential data through the forms available on your website,
- they can run scripts in users' browsers and use the computing power of their computers, e.g. for cryptocurrency "mining",
- they can install software on the website that attacks users' vulnerable browsers, so that they can take over their computers (e.g. the attack on the Polish Financial Supervision Authority),
- they can block your application and demand a ransom…
…there are a lot of scenarios, and some of them assume that for a long time you might not even be aware that such an incident occurred, while the danger threatens all who visit your website!
Don’t trust your own security measures
As entrepreneurs, we expose ourselves to such incidents by ignoring security issues when creating and publishing our web and mobile applications. Fortunately, it is becoming good practice to verify the security of digital resources through penetration tests and security audits. They resemble a real hacker attack, but they are based on finding all existing vulnerabilities, not just using the first working one. After such a test or audit, you obtain a report on the vulnerabilities found, their threat level, the potential ways of exploiting them and the ways of patching them. The penetration test and the security audit primarily raise awareness of one's susceptibility to an attack; this is the basic knowledge that allows you to minimise the risk.
Another fundamental mistake made by entrepreneurs is ignoring the dynamics of security. The company's ongoing activity is almost always associated with changes that affect the security level of its IT resources. These can be, e.g.:
- employees, both new and leaving the company,
- changes in individual accesses to resources,
- changes in the way the specific devices are being used,
- vulnerabilities in the installed or used software,
- new versions of malicious software,
- new attack techniques and tactics.
Software is often a key part of IT security in the company. Employees use software on company equipment, often without knowing the associated risks. Usually several dozen different applications are installed on an average computer. The most popular of them receive patches on the day a vulnerability is found. Not all programs, however, notify the user about new updates. Therefore, it is important to keep up with current updates (uninstalling unused applications and checking for available updates). Threats also await users who want to download updates, though. Most of us know the story about the update for the trusted CCleaner program, which infected the operating system of any user who downloaded it.
How to further secure your resources
In connection with the above, the security of the company's digital resources should always be treated as a process, not as a state, and it should be monitored on an ongoing basis. Understanding this fact allows for the introduction of adequate preventive measures, such as active security monitoring, that is: regularly performed vulnerability scans, verification of the integrity of the website, checks of the status of services, and checks of the validity of the software components. Active monitoring is a form of constant protection over the security of resources, even in the face of major changes in the company.
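The "verification of the integrity of the website" mentioned above can be automated with a simple file-hash baseline. The script below is an added example written for this article, not code from the original text or from any product it mentions: it records a SHA-256 hash of every file under a web root, and on a later run reports files that were modified, added or removed. A defaced page or an injected script (the kind of change described in the list of threats earlier) shows up as a modified or added entry. The web root, file names and the "injected" change are all constructed inside a temporary directory for the demonstration; the `ignore_dirs` names (logs, cache) are an assumed convention for directories whose contents change legitimately.

```python
"""Website integrity baseline check (added example, not from the original article)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path, ignore_dirs=("logs", "cache")) -> dict:
    """Map each file path (relative to web_root, POSIX separators) to its hash."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(web_root):
        # Prune directories whose contents legitimately change between runs
        # (assumed convention: logs/ and cache/), so they do not cause noise.
        dirnames[:] = [d for d in dirnames if d not in ignore_dirs]
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(web_root).as_posix()
            baseline[rel] = hash_file(full)
    return baseline


def check_integrity(web_root: Path, baseline: dict, ignore_dirs=("logs", "cache")) -> dict:
    """Compare the current tree with a stored baseline and report what changed."""
    current = build_baseline(web_root, ignore_dirs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline as JSON (keep this file outside the web root)."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def run_demo() -> dict:
    """Build a constructed web root, take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "js").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "js" / "app.js").write_text("console.log('app');")
        (root / "logs" / "access.log").write_text("first line\n")

        # Take the baseline while the site is known-good and store it outside the web root.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Constructed tampering: a page is altered, a new script appears, a file vanishes,
        # and the log grows (which must NOT be reported, since logs/ is ignored).
        with (root / "index.html").open("a") as f:
            f.write("<script src='/js/injected.js'></script>")
        (root / "js" / "injected.js").write_text("/* constructed foreign script */")
        (root / "robots.txt").unlink()
        with (root / "logs" / "access.log").open("a") as f:
            f.write("second line\n")

        report = check_integrity(root, load_baseline(baseline_file))
        return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is regenerated after every legitimate deployment and the check runs from a scheduled job, with any non-empty `modified`, `added` or `missing` list raising an alert; hashing everything (including the content of `.js` and `.html` files) is what makes an injected script visible even when file sizes and timestamps look unremarkable.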
Due to such high dynamics, it is not possible to achieve a state of complete security. The best examples are successful attacks on companies dealing professionally with IT security (FoxIT wrote about such an incident on their blog). At the same time, only 60% of large enterprises in Poland have an emergency scenario implemented in case of a cyberattack or a similar event (Intel’s report). In such cases, the services of experts are often used. They help not only with completing the appropriate procedures, but also with "taking control of the situation", collecting the evidence and repairing the damage.
The above threats apply to basically every entrepreneur, regardless of the size of their business. From a business point of view, the risk level has increased to such an extent that it can no longer be ignored. We are now faced with the challenges of ensuring the continuous security of resources and critical information, and of developing a scenario for data breach incidents. Fortunately, our awareness of this topic is growing (half of large companies in Poland are planning to increase investments in IT security in the next two years, according to Intel’s report). We can only hope that the trends in the development of security tools and services, as well as the awareness of entrepreneurs regarding current threats, will continue and allow for efficient business operations.