Written by Rob Aitchison, 1 November 2017

Large organisations with extensive security and procedural protections in place have each been hacked and made vulnerable by ‘third party’ actions. Leaving aside the general finger pointing and legal implications, how do you protect against the fact that today’s world necessitates outsourcing and complex supply chains, each with their own set of unique vulnerabilities? Now that ‘Ransomware as a Service’ has exposed military grade cyber hacking tools to a connected planet, the threat is even greater.

Companies will spend more than $93Bn in 2018 on cyber security products (Gartner). Whilst companies have been ramping up spend on internal skilling and systems, this still leaves perception gaps where directed, socially engineered campaigns can be effective. For large organisations the inconvenient truth is that the ‘law of large numbers’ applies to their risk profile: not just in terms of the records and information that they hold, but also the exposure of the organisation to large numbers of third parties. In one of Deloitte’s breaches a campaign was directed against an admin via Facebook. It was interesting because the target was an administrator in a third party, not Deloitte themselves. Although the breach did not result in any sensitive record loss, as systems become more secure there is a growing trend towards this type of attack.

We’ve learned from experience that it isn’t always easy to manage. Even when specific system weaknesses are exposed via testing, they can remain exposed if the procedural, awareness and governance elements are lacking. Some key questions to ask:

  • Does senior management lack the correct tools to enable them to both understand and effectively manage the complexity of the infrastructure and procedures that they command?
  • People often unknowingly divulge too much, exposing the company to exploits. Are your staff risk and security aware? Do they truly understand the reasons behind the security controls they are mandated to operate? Do they understand the implications if they do not comply?
  • Are the reporting structures and allocated resources enabling secure achievement of business objectives? How do your security operations teams and risk teams work together? Do they have the right level of authority to effectively monitor and manage security concerns?

In addition to the above, many companies are engaged in a scramble to get ready for the new GDPR regulations, which will replace the old Data Protection Act. Substantial amounts of useful, valuable data are simply being deleted to eliminate the risk of personal information being stolen. Whilst migrating greater operational capacity to the Cloud in its various forms will result in greater security in the longer term, some legacy risk will likely remain, particularly as companies grow, merge and adapt to socio-economic changes such as Brexit.

With these issues in mind we’ve put together a few things that we think might help. Firstly, identifying the gaps in security systems and processes, particularly in how the security supply chain operates and the people within it. Secondly, using the latest technology to expose system risk and ultimately store your key data within a new secure cloud system, one that will constantly let you know whether your precious information is safe. Lastly, and perhaps most importantly, providing ongoing monitoring and management information that can be effectively acted on to stop you being the next victim.

Get in touch to see how we can help you better secure your business.

Phone us on +44 (0) 333 939 8553