Cyber-attacks are a growing concern for private enterprise and public bodies around the world. Previously, we explored the steps an organisation should take after being attacked. In this article, we look at measures that can reduce the risk of a successful attack and minimise the resulting damage should the IT estate be breached.
Preventing a successful attack
Cyber-attacks are constantly evolving, and organisations should regularly conduct audits of their IT systems and security measures to make sure they are up to the challenge. An essential part of these audits will be to understand what servers are operating within the organisation, where they are located and which data they contain. You need to understand your IT estate in order to protect it.
Organisations should regularly review employee practices and behaviour, and make sure updated Internet and device usage policies are in place and clearly communicated. One infected computer can serve as the gateway for wider incursions into a network, and the unfortunate reality is that, regardless of what technical security measures are in place, employees remain the gatekeepers of an organisation’s IT estate.
It is important to keep detailed logs of all devices in use within the organisation. The increased use of mobile computing and storage devices has greatly increased the attack surface of today’s organisations. Organisations should implement end-point security measures to deter and prevent employees from plugging personal devices into their work computers: USB devices are a common carrier of malware, and are a primary medium for employee data theft.
Employees should use sufficiently robust passwords, which are regularly changed, although many experts predict that password authentication alone will soon be a thing of the past. Two-factor authentication is becoming more common, for example, requiring a password and a physical security token for authentication.
Anti-virus software is not enough. Organisations need to tackle cybersecurity through comprehensive organisation-wide security measures. There is a wealth of information available from government agencies. Security consultancies can also be hired to perform penetration testing to determine how porous an organisation’s IT security defences really are, and whether employees are following IT policies.
Unfortunately, organisations cannot rely on perimeter defences alone. Some cyber-attacks will inevitably breach the IT estate. Steps should be taken to make it harder for attackers to find what they are looking for and to generally navigate within the organisation’s systems.
If an employee device is compromised, various steps can be taken to make it harder for the attacker to step off the beachhead and attack the wider network. Limiting employee access privileges, to both data and systems, can help keep an attacker from accessing more sensitive areas of an organisation’s network. Requiring authentication from multiple employees in order to access key data and systems can also make it harder for an attacker. Furthermore, requiring an employee to use different passwords for different roles within an organisation can limit an attacker’s reach if the login details of the employee are compromised.
An attacker’s progress can also be impeded by employing a network architecture that separates the public-facing, application-logic and data-storage elements of a server. Stored data itself can be segregated as well, to prevent a breach in one sector from resulting in system-wide access. Also, encryption should be used as much as possible on both devices and data. In addition to making data harder to access, encryption makes data harder to search. It is difficult for an attacker to steal what he cannot find.
Once an attack is detected, swift response is essential. Organisations should have clear response plans in place detailing who is responsible and what actions they should take in response to varying forms of attack, e.g., website defacement, data theft, IT systems compromise and cyber-ransom.
Organisations should also consider whether cyber-incident insurance can mitigate the costs associated with a cyber-attack, including legal costs for pursuing the cyber-attacker.
Organisations should not only consider the physical safety of data centres housing their servers and data, but should also ensure that devices are adequately wiped or destroyed when they are retired. If service providers are employed for either of these purposes, organisations should ensure that they too are using the proper security precautions. Devices in use within an organisation should only be purchased from reputable vendors to avoid supply chain corruption problems.
Denial-of-service attacks, which disable public-facing Internet servers and websites by flooding them with bogus network requests, cannot be stopped by improved IT security measures alone. However, the success of these attacks can be limited by working with specialised security contractors.
Perhaps the key lesson for organisations is that they should be proactive in dealing with the threat of cyber-attack. The range and complexity of threats is growing and many attacks go undetected for months or even years, if they are ever detected at all. IT security is a key part of running today’s organisations and should be embraced from the C-suite through to the mailroom.
IT, IP and risk management form a large part of my legal practice. More and more, lawyers in the corporate sector and in-house legal service providers are looking for opportunities to contribute to the community using their legal skills. I am a former in-house legal counsel and I do provide in-house outsourcing as part of my legal services provision.
Corporate in-house legal services are all about managing and assessing risk, managing and assessing liabilities and managing and assessing your compliance in a business environment using an audit strategy. It can involve IT and IP agreements, and ANY Business Agreement or Business Relationship.
If you are a small business enterprise (SME) or Corporate Enterprise in the Illawarra, Wollongong, Southern Highlands, South Coast or surrounding areas, including Camden, Picton and West, and need corporate in-house legal services, please call me.