Why “wait and see” isn’t acceptable anymore


The right cyber security advice is out there; it’s up to companies to listen to it, writes Damian Walton, director of professional services at IntaForensics

An often-quoted statistic is that 80 per cent of cyber security risk can be tackled by 20 simple-to-implement preventative steps. In 2014 the UK government introduced a relatively simple, “light touch” assessment process in the form of Cyber Essentials and Cyber Essentials Plus. Having supported companies of all types around the UK, we can attest that the programme shows that even companies with a modest budget can significantly improve their chances of staying secure in the face of growing cyber threats, and that for most it is a far better strategy than “wait and see”.

Changing technology = changing threats

Unfortunately, our desire to create an environment where our every need can be met by pressing a button or downloading an app is undoubtedly exposing us to financial, moral and, occasionally, physical danger. This new world has created a new language: ‘Internet of Things’ (IoT) has become a common phrase. In very simple terms, it refers to the expanding ecosystem of everyday ‘appliances’ that can now connect to the internet – kettles, heating systems, doorbells and cars, with the list constantly growing. Much like the maxim “what goes up must come down”, the rule here is: if a device is capable of network connectivity, then that device can be attacked, hijacked and used for nefarious purposes.

Security versus compliance

Some business sectors are already a long way ahead in their efforts to remain secure. The major payment card brands mandate that every entity that stores, processes or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council (PCI SSC). Its requirements reflect the current threats identified against payment card environments, and a substantial number of them are common-sense controls, e.g. enforcing complex passwords. If, however, a business is attacked and payment card data is stolen, a thorough investigation will be required, and it can only be conducted by an accredited PCI Forensic Investigator (PFI) company, of which there are currently only 22 in the world. In addition to the financial cost of the investigation, consideration must also be given to the intangible expenses: loss of productivity, reputational damage and long-term effects on the business. In such cases it is vitally important to secure the services of a professional, diligent and empathetic PFI company. Think security, implement security and maintain security.

Don’t bury your head in the sand

Some simple guidance, in conclusion:

• Plan ahead – it is far better to have a planned response ready to go than to improvise during an incident.

• If you need help planning, understanding the risks or making sure the right technical responses are in place, get that help.

• Retain whatever external assistance you might require, and get contracts or arrangements in place before any incident occurs.