Talk Talk is a name that has been making headlines in the last month – for all the wrong reasons. The recent cyber attack on the company’s website put customer data at risk and is thought to have cost Talk Talk in the region of £35 million. During the attack in October this year, up to four million customer details are thought to have been accessed by hackers who demanded a ransom for the return of the information, which included bank details and home addresses. It’s certainly the most talked about attack of 2015 – but it’s not the first and it won’t be the last. So what can we learn from Talk Talk’s problems in terms of in-house security for other businesses?
1. Encrypt your data. The data that was stolen from Talk Talk was not encrypted – the company stated that it was not legally required to encrypt it but the point is that, had it been encrypted, the hackers would not have been able to turn this situation into the disaster that it eventually became. Encrypting data is a basic step for any business, particularly if you have employees who are carrying sensitive data around with them on laptops or data sticks.
2. Use a secure infrastructure. For many companies, providing a secure infrastructure is a serious challenge when undertaken in house and there are some obvious benefits to migrating systems to the cloud. Cloud systems can actually be more secure than locally managed systems, from the physical security of the servers themselves to the authentication required to access systems.
3. Stay on top of updates. Remember that software, once installed, does not simply evolve on its own but needs to be continuously updated and patched with the manufacturer’s latest fixes for issues that are discovered on an ongoing basis. Businesses often fall behind on these updates and this can create huge vulnerabilities. This is particularly the case with security patches, which respond to problems that have already been identified – if these are not installed in a timely way then the entire system is vulnerable.
4. Restrict permissions to approved users. Not everyone in the business needs to have access to all data – in fact, the fewer people who have access, the less likely it is that there will be a data breach and, if there is, the easier it will be to identify it. Many of us assume that these kinds of issues are the result of external hacks but that’s not necessarily the case – statistics vary but most settle on somewhere between 40% and 50% of attacks originating from an insider with malicious intent.
5. Ensure security protocols at all layers of infrastructure (SAN, Server, Virtual Machine and Application Stack etc.). There is simply no way to protect the various layers of your business without security protocols, so these should be meticulously introduced and policed. Bear in mind that multi-factor authentication is much more secure than traditional user name and password authentication, as it combines something you know (password) with something you have (hard token) and/or something you are (biometric).
For information and advice about how to help your clients, speak with the team at Marathon. We can act as an extension of your team or work on a white-labelled basis to support your in-house team.