Secure your data

By Lionel Cochey | November 22, 2012 | Last updated on November 22, 2012

All business owners are at risk of data security breaches, not just players like LinkedIn, whose 6.5 million user passwords were stolen in June 2012.

“As companies put more and more information on the web, critical data is being exposed, putting them and their customers at risk,” says Trac Bo, Technology Risk Services Leader with MNP Calgary.

The grave facts

The cost of a security breach can be high, and includes unfavourable media coverage, exposure to liability, and loss of customers or public confidence.

Organizations have to pay to fix the problem, return to normal operations and prevent such incidents from happening again. There is also a cost to win back customers and repair their reputation.

In the worst cases, the damage is so extensive that companies may have to close their doors. For example, the average cost per record (credit card, payment data or personal information) is more than $200, and the average cost per data breach among the largest organizations is more than $5 million, finds the Ponemon Institute.

Further, 90% of popular web applications, even if they use encryption, are vulnerable to attacks, says SSL Pulse, a website that monitors the effectiveness of secure sites. Web applications include customer-facing sites, supplier and partner portals, and employee intranets. In addition, software such as Excel, Word, Access databases, and SharePoint can be compromised through malicious macros or Java scripts.

The increasing numbers of IT security incidents are the result of a number of factors. Security has only come to the fore as a serious issue in the last five years, so IT vendors never allocated adequate resources and developers never received training. Organizations are also underinvesting in security teams, resulting in a lack of tools, policies and processes for secure operation.

Further, online applications such as cloud computing, banking, e-commerce and the use of social networks, as well as mobile computing through smartphones or tablets, present new risks. The security industry’s development and use of best practices has not kept up with the pace of emerging trends.

Today’s hackers have more opportunity too.

Most organizations are dependent on the Internet and some are migrating their information to the cloud — online computing resources provided by third-party companies operating servers, databases, or applications accessible through the Internet. “Now, the wire goes through the Internet and anybody can potentially tap into the information on your computer,” says Bo.

Information can also be inadvertently leaked to competitors, for example, through social media. Last year, a Google employee was fired for posting information about a change in the firm’s pay structure.

Are you at risk?

So how do you protect yourself and your company against today’s sophisticated hackers?

Every business owner or management team should ask:

  • When was the last time we listed all information that is sensitive for the business?
  • What will happen if my computing environment is brought down?
  • What will I do if private information about my clients gets stolen?
  • Who’s managing our IT environment, and are they fully qualified? How serious are they about implementing good security?
  • When was the last time our systems were tested? Could someone access our data, or easily get into our applications?

Taking action

IT security begins with identifying exactly where you are at risk, then implementing controls to mitigate the risks. Here are some tips.

  • Stress test systems:

    “Some clients ask us to try to break into their applications, like a hacker would,” says Bo. “This approach allows the detection of dangerous vulnerabilities without malicious exploitation. Very often, we will easily find a way in, as a result of a default password that has not been changed or a vulnerability related to an application that has not been patched.”

  • Assess the risk:

    This will allow you to prioritize your efforts and determine where security needs to be increased. It should include more than just a look at your IT systems, and should identify specific processes, information and resources essential to the business.

    “Find out what key information you are trying to protect, where it is stored, and how it is used so we can define specific controls to protect it,” adds Bo.

  • Get help early:

    Have any new system analyzed by an IT security professional early in the development phase of the project. “If there is a problem with software you built in-house, you may avoid significant effort to overhaul if it’s caught early enough. It could take longer and be more expensive to fix later,” says Bo.

Lionel Cochey, CISSP, CRISC, CISM, is senior manager with MNP in Calgary.
