Quadra Ltd on cyber-security and the benefits of ISO 27001 certification

  • Gavin Kane, Director of Quadra Ltd, highlights the importance of business owners and decision makers establishing data governance by taking a holistic approach to IT and cyber security: through infrastructure, through management systems and processes, and by raising employee awareness of risk and of the measures that mitigate it.

    Data Breaches and Password Management

    The data breach notification service "Have I Been Pwned" recently announced that it has obtained a list (the data set known as "Collection #1") of 773 million unique email addresses and 21 million unique passwords; the raw list contains 2.69 billion rows and takes up 87 gigabytes of disk space. One lesson from these data breaches is that people tend to use the same user name (email address) and password on multiple sites.

    The attackers who actively collect this information know this too, so if they obtain login details from one compromised site they will try the same combination on many other sites (a technique known as credential stuffing) before the user has even noticed the breach. The lesson is not to use the same login details on multiple services; best practice is a unique, complex password for each service.

    Using a password manager

    The best practice of using unique, complex passwords leads to the common complaint of "I have too many logins to remember," but this problem can be solved by using a password manager. These products store all your passwords in an encrypted database that is unlocked by a single master password, and usually include a password generator. Because the passwords are now managed centrally, a unique, long, complex, random password can be used for each site or service.

    A number of commercial products are available that work across multiple devices, the best known of which are LastPass and 1Password. These services are cloud-based and can be configured to use multi-factor authentication for added security. If storing passwords in a cloud service makes you nervous, there are also free open-source tools and commercial products that keep the database locally, such as KeePass. Whichever product is chosen, the master password that unlocks the database becomes the one secret that matters, so it must itself be long, unique and never reused, and multi-factor authentication should be switched on wherever the product supports it.
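The two lessons above, reuse detection and unique random replacements, can be put into practice with a short script. The following Python is an added example and is not code from the article or from Quadra: it audits a constructed credential inventory for passwords reused across sites, checks each password against breach data using the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" service (only the first five characters of the SHA-1 hash are sent to the service; here the network call is replaced by a constructed local response so the script runs offline), and generates a CSPRNG-backed replacement of the kind a password manager offers. The site names, the credential list and the hit counts are all made up for the example; the only real value is the SHA-1 suffix of the word "password".

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Constructed (site, password) inventory of the kind a password manager holds.
# "password" is reused on two sites, which is what credential stuffing exploits.
SAMPLE_CREDENTIALS = [
    ("email.example", "password"),
    ("bank.example", "password"),
    ("shop.example", "Summer2019!"),
    ("vpn.example", "q7#Lk2!pZm9vRwX4"),
]

# Constructed stand-in for the body returned by the Pwned Passwords range
# endpoint, https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
# Each line is "<remaining 35 hex chars>:<count>". The second line holds the
# real SHA-1 suffix of "password"; the other lines and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E2A3B4C5D6E7F8091A2B3C4D5E6F708192:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F0D1C2B3A4958677685A4B3C2D1E0F1A2B:12
"""

# 76 symbols, so each uniformly chosen character adds log2(76) ~ 6.25 bits.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"

def hash_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that stays on the client (k-anonymity:
    the service never learns which password in the range was being checked)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Turn the "SUFFIX:COUNT" lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for an HTTP GET of the range endpoint; knows only the sample prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How often the password appears in breach data (0 if never seen).
    Only the prefix leaves the machine; the suffix comparison is local."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def find_reused(credentials) -> dict:
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in credentials:
        sites_by_password[password].append(site)
    return {pw: s for pw, s in sites_by_password.items() if len(s) > 1}

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)

def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """CSPRNG-backed generator of the kind a password manager offers. The
    `random` module must not be used for this: its output is predictable."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(credentials, fetch_range=offline_fetch_range) -> dict:
    """Per site, list why its password must change: reuse elsewhere and/or
    presence in breach data. Sites with nothing to report are omitted."""
    reused = find_reused(credentials)
    findings = {}
    for site, password in credentials:
        problems = []
        if password in reused:
            problems.append("also used on " + ", ".join(s for s in reused[password] if s != site))
        hits = breach_count(password, fetch_range)
        if hits:
            problems.append(f"seen {hits} times in breach data")
        if problems:
            findings[site] = problems
    return findings

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_CREDENTIALS).items():
        print(f"{site}: {'; '.join(problems)} -> new password {generate_password()!r}")
    print(f"a 20-character password here has {entropy_bits(20, len(DEFAULT_ALPHABET)):.1f} bits of entropy")
```

Against a live service, `offline_fetch_range` would be replaced by an HTTP GET of the range URL for the prefix; the privacy property is unchanged, since the client only ever sends five hex characters and matches the remaining thirty-five locally. A 20-character password drawn uniformly from this 76-symbol alphabet carries about 125 bits of entropy, far beyond anything a user could be expected to memorise, which is why the generator and the manager belong together.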

    Training staff in password security

    The UK National Cyber Security Centre recently asked the question "Should I use a password manager?" and concluded: "Yes. Password managers are a good thing." To back this up, organisations need to ensure that staff are trained in the organisation's password management policies.

    Password complexity, history and expiry rules are usually enforced by technical controls such as Microsoft Active Directory group policy, but beware that over-stringent rules push staff into bad habits: requiring very complex passwords and forcing frequent changes leads to predictable, easy-to-remember but poor-quality passwords. Note also that Active Directory's built-in complexity check only requires a mix of character classes, so a weak but "compliant" password such as Password1 passes it; screening out known-breached or predictable passwords needs an additional control. The NCSC's current guidance is to favour length over forced complexity, to check passwords against lists of common and breached ones, and to force a change only when compromise is suspected.

    ISO 27001 is the internationally recognised standard for information security management and should be the first port of call for organisations concerned about securing password access to systems and data, mitigating vulnerabilities, and controlling the flow of information within the organisation. Certification is applicable to businesses of all sizes, and obtaining it enforces best practice and robust controls in areas such as password management, mobile device security and staff awareness, among others.



    Mobile Device Security

    Mobile devices are valuable tools for an increasingly mobile workforce, offering staff on the road full access to organisational services and flexible home-working tools. However, mobile phones, tablets and laptops are high-value items that are easily lost or stolen. Beyond protecting user accounts with passwords, thought should be given to ensuring that no valuable or sensitive data is exposed if a mobile device is lost or stolen.

    Full-disk encryption should be enabled wherever possible: Microsoft's BitLocker on Windows (available on the Pro, Enterprise and Education editions; Home editions only get the more limited "device encryption" on supported hardware) and FileVault on macOS. Apple iOS devices encrypt their data as soon as a passcode is set, and equivalent encryption is available on recent versions of Android. Bear in mind that encryption protects data at rest, that is, while the device is powered off or locked; it does nothing for an unlocked device, so a strong PIN or passcode and a short auto-lock timeout are part of the same control. As well as protecting the user's data, encryption also reduces the risk of a breach of data protection law.

    Mobile security and your legal obligations

    The Data Protection Act 2018 wrote the requirements of the GDPR into UK legislation, one of which is that personal data must be appropriately secured. Enabling device encryption could be the difference between simply losing a laptop and having to report the incident to the Information Commissioner's Office (ICO): notification within 72 hours of becoming aware of a breach is a legal requirement where the loss is likely to pose a risk to individuals, and data that was properly encrypted, with the key not compromised, is generally treated as unlikely to meet that threshold.

    A method for locating, and remotely locking, wiping or disabling, a lost or stolen device should also be in place; mobile device management (MDM) tools provide this, along with enforcement of the encryption, PIN and auto-lock settings above. To strengthen their efforts to keep devices secure from attack, many organisations are proactively looking at systems that will not only protect against vulnerabilities but will also support the way the business wants to work in future.

    Establishing a certificated management system (e.g. ISO 27001) has gained rapid traction in recent years; it sets businesses apart from their competitors and opens more doors globally.

    Employee Training and Awareness

    The key element in all of these risk areas is people. We are all fallible, so how does an organisation protect itself from the mistakes we make? The answer is to make sure everyone knows what is expected of them and the consequences of not following the organisation's policies and processes.

    An organisation should have a mandatory document, typically an acceptable use policy, that all staff have read and understood and that covers the dos and don'ts of using the organisation's systems and information. The policy is reinforced by linking it to the organisation's disciplinary process, and staff should be regularly reminded about cyber security and given appropriate training.

    Quadra Ltd knows a thing or two about training employees and establishing management systems to international standards, having worked with over 2,500 companies worldwide since its inception in 1991. Quadra has built an internationally renowned reputation for delivering world-class solutions in areas such as Information Security (ISO 27001), Business Continuity (ISO 22301) and Cyber Essentials.



    Cyber Security Governance

    Having a current ISO 27001 certification brings a significant number of advantages to an organisation and assists in delivering corporate governance. It offers clients and customers assurance that their data will be kept safe, and reassurance that the security controls are independently audited. The certification can offer a competitive advantage that delivers more business or allows an organisation to compete in new market areas.

    Having the certification can also simplify the tender application process. Organisations such as NI Water have recently requested, in their ITT for IT Security Health Checks, that tendering companies assist in line with industry best practice as part of the ISO 27001 requirements. Another example of an organisation requesting compliance with ISO 27001 is the Department of Agriculture, Environment and Rural Affairs (DAERA), in its Pre-Market Engagement for a provider of its Library Information Management System.

    Quadra has seen more and more organisations seeking assurance that the organisations they do business with have appropriate controls in place. This usually takes the form of tender selection criteria containing a long set of questions on information security, which take considerable time to complete. Having ISO 27001 certification normally means these parts of the tender response can be dealt with quickly.

    Who should consider ISO 27001 certification?

    All businesses, regardless of size or sector, should actively consider certification to standards such as ISO 27001. Failing to do so could make it increasingly difficult to provide assurance to existing and potential customers that your organisation applies robust information security controls. This is especially important in the uncertain times we find ourselves in.

    Should you have any queries about how Quadra could help your organisation achieve ISO 27001 certification and mitigate data breach risks, please talk to the world-leading professionals. For more information on Quadra and its services, visit https://quadraconsulting.com or call the Belfast office on +44 28 9042 3222.

    About the author

    An article attributed to the Sync NI Team has either involved multiple authors, been written by a contributor, or has its main body of content taken from a press release.

