As tech moves out of IT, know the right questions to ask about data security

Last year data breaches cost Australian companies an average of $2.72 million, according to research firm Ponemon. This cost has been rising year on year. Much of the reason is the proliferation and adoption of cloud services. As more business is done online, organisations are exposed to higher risk. It’s much easier today for criminals to make money from crime online than in the real world. Attacks happen every day on websites, but it’s not as common for a bank to be robbed.

The other factor for consideration with this burgeoning criminal enterprise is that cloud services are so easy to procure that it’s often not the IT guys buying them. The centralised management of IT is therefore spread across the organisation to business units like HR, sales and marketing. This is sometimes known as ‘Rogue Cloud’ implementation.

Some of the sites at greatest risk are those with ecommerce engines, which are often set up by marketing departments. I’m not trying to single out marketers as much as to highlight a specific use case, because it is becoming increasingly common. The challenge with this new fragmented IT model is that less-technical people often don’t have the background to ask the right questions when standing up a site. You can’t implicitly trust your service provider. You need to quiz and direct them. These questions aren’t obvious to most people, and it’s often only because marketing professionals don’t fully realise the threats that the pertinent questions aren’t asked.

What you need to ask

Simply, you need to know if you will have a set-and-forget security service, or if it will be proactive and multifaceted. Don’t just ask if it is secure! You need to dig a little deeper:

  • Ask if it is encrypted,
  • ask if ‘honey potting’ is used to trick attackers and push them away,
  • ask what security vendors are used. You don’t have to know them yourself, but simply asking makes them accountable because the service provider doesn’t know what you do and don’t know. Same goes when asking about the accreditations they have, and
  • finally, you should also ask if they work with third- and fourth-party security providers to set the profile and do the testing. You can’t afford to have a single point of failure. Your brand depends on you getting this right!
Why you need to ask

This year’s ‘Symantec Internet Security Threat Report’ revealed a 42% increase in targeted attacks compared to the prior year. Designed to steal intellectual property, personal or customer data (including identities), these targeted cyber-espionage attacks go after organisations of all shapes and sizes. Attacks happen all the time, only in 95% of cases, organisations aren’t even aware.

What you should expect

A defence-in-depth strategy! Vendors are constantly patching vulnerabilities, and these are often within the applications themselves. This requires you to work with providers who constantly monitor for this and refine their approach with respect to new internet nasties.

I suggest using a third-party security partner to overlay any cloud service. I also suggest using a fourth party to conduct penetration testing. In this way you can feel confident that you have done your best by your staff, customers and shareholders.

An evolving service that moves with you, the technology, and those trying to disrupt it is important. Security starts with protecting the integrity of your data and guarding against service interruptions, malicious attacks, fraud, and illegal activities such as theft of data. A lack of protection can result in financial losses and damage to brand equity, reputation and business continuity. Half measures in security aren’t good enough.

All organisations today can be negatively impacted by an attack – even if the attack is not on them specifically. It’s something you need to think about. Ask yourself, what price do you put on your brand?

You should work with providers that take a consultative approach to understand what your business is; what data is exposed; what you are trying to achieve by having it online. This then helps to understand and protect against specific kinds of attackers and attacks. It’s a sophisticated operation so you need to work with a provider that understands this and is happy to work through the process with you.

You can’t paper over cracks in a dam. These threats are real. Ignorance is not bliss. Thinking like this is a little like walking through a lion’s cage with your eyes closed – just because you can’t see the danger, doesn’t mean it’s not there. Next time you do reach out to a cloud or hosting provider, you’d do well to remember this.

BY George Kazangi ON 29 August 2013
Managing director, BlueCentral