Being a CISO in 2021 – our Head of Security David Clarke

Our Head of Security, and CISO Service lead, David is recognised as one of the Top 10 influencers by Thomson Reuters, and a Top 50 global expert by Kingston Technology. He is also one of the Top 30 most influential thought-leaders and thinkers on social media in risk management, compliance, and regtech in the UK.

 

In his role as Head of Security at QuoStar, David leads the CISO Service. The CISO Service provides businesses with the cyber-security skills and experience necessary to manage the multitude of threats and rapidly changing risk landscape of today, on a flexible and cost-efficient basis. David takes a moment to share his views on it all.

 

1. How did you get started in the security field and ultimately become a CISO?

David: I was around when some of the first viruses went mainstream. Back then I worked for one of the only companies that made Multi Factor Authentication systems in the ’90s. It was “leading edge” at the time.

I built and ran one of the largest commercial remote access platforms using Multi Factor Authentication. Then I ran Infosec for some FTSE 100 companies, one of which was the largest private trading network in the world – trading 3.5 trillion dollars a day. Another was managing Global Security Services Operations Centres (24/7) across 4 continents, where most of the customers were FTSE 250.

 

2. What do you enjoy most about working as a CISO Service resource/consultant?

David: Meeting challenges of audit, due diligence, and breach management.

Audit is getting more involved and complex and due diligence is often 300-400 questions and an “interview” with the compliance department of potential customers.

Breach management is about managing with around 10% knowledge of the situation and making decisions in a very short time for the best outcomes – while ensuring buy-in from the board. They always seem to happen on Friday evening!

 

3. As Head of Security, what challenges or issues do you regularly see in small and mid-market businesses? Why do you think the same issues keep occurring?

David: 1. Robust management of access and privilege management. 2. Managing risk consistently. 3. Not aligning Cyber Security with Data protection requirements – as they overlap at a core level.

If you have control of the information assets, servers and cloud, information security is much easier to manage. It enables savings in resource and effort if this happens and can demonstrate control and improvement to the business.

 

4. How do you think the security landscape has changed in the last five to ten years?

David: As a CISO Service lead, I believe it is managing the hybrid of internal servers and cloud – and managing the challenge of access control. The company boundary is very fluid, especially where ‘what’s company and what’s personal’ is concerned.

One of the best frameworks is ISO27001. It is good for demonstrating accountability and decision making. It also aligns with SOC2 and parts of HIPAA quite well.

 

5. What do you think will be the emerging risks businesses need to consider in the next 1-2 years?

David: It used to be technology first, then followed by making technology safe and compliant. Now technology needs to be safe and compliant first, and performance orientated second – along the lines of what has happened in the automotive, aerospace, building and food industries.

The risks potentially surround the technology itself not having enough security management capability, or that if it does it can be resource intensive.  There’s also the globalisation of threat actors and the capability of managing multiple global data protection regulations.

More recently, on June 2, the US Biden government issued a memo to US businesses which, in summary, stated the 5 best practices – one being Multi Factor Authentication. Other important aspects are multi-pronged backups, updates, incident response, external testing and network segmentation.

 

6. Has the Covid pandemic exacerbated security concerns or introduced new ones for businesses to deal with?

David: Probably, due to homeworking and fast transformations of moving office servers to the cloud, as well as an increase in ransomware attacks, an increase in data protection legislation globally and the increase in corporate security concerns and due diligence.

It has been an increasing challenge for a Head of Security. We have seen an increase in demand from due diligence enquiries, especially for more detailed homeworking policies and guidelines. So, the lines have blurred as to what is home device or a work device. The “physical office” is now the home office, and mandating rules now have to be guidelines that are appropriate – as well as using more layers of defence to protect staff and corporate assets.

 

7. Do you think businesses focus too much on the technical/technology element of security (e.g. AI solutions)? What other areas do they need to consider?

David: Potentially yes. Without an end-to-end strategy, security technology “tactics” are unlikely to see a return on investment (ROI).

As Head of Security, I see the human element of security is also overlooked quite often. Especially when you consider that almost half of all security breaches are caused by human error. This is even more disconcerting when you consider that only 60% of employees will report a security breach too.

We are actually hosting a free webinar on that subject on 29th July 2021 at 1pm, so if you’d like to know more register for free.

 

8. How important is cyber-security education? What are the challenges for a Head of Security conveying the risk/educating business? Who in the business needs to receive education/training and how often?

David: Education is very important, as is having the appropriate training for each role, ideally aligned to the company’s risks – so that maximum benefits can be realised, e.g. developers would require different training from HR staff, as the risks they are managing are different.

Of course, there will always be a need for baseline cyber and data protection training. You can find out more about what Security Awareness Training there is available for employers and employees in our article here.

 

9. Do you feel there is a security skills/talent shortage? What advice would you give to businesses to combat this?

David: I’m not entirely sure. If there is a shortage, there is definitely a misunderstanding of what skills are required.

Personally, I would align the risks and the strategy, then decide what skills are required to make it happen. It may be that companies would benefit from outside help – to formulate the strategy, and always have access to a range of skill levels onboard to achieve skills resilience.

The other issues that many companies seem to come up against are 24/7 and global, so having just one capable Security resource will not be enough to cover these time periods.

 

10. As Head of Security, what advice would you give to businesses who want to reduce risk and increase their security posture?

David: Manage Risk regularly with key stakeholders.

Ideally, do not remove a risk or lower a risk without evidence from at least one of the following, e.g. a Policy, Procedure, Penetration test, Internal Audit, External Audit or risk committee approval. This will demonstrate accountability and assist in managing data protection, to enable a defensible position in the security posture.

Ensure a multi-layer approach to security. Utilise things like Access control, least privilege, Approved applications, strong email defences, layered endpoint security, centralised control of endpoints and access, plus multiple point backups.

 

11. If there was one security investment you could recommend to businesses what would it be and why?

David:

One piece of tech most companies aren’t using

To keep companies ahead, Secure Access Service Edge will help with Cyber security and Data Protection. The ROI is great! It releases staff time, and the payback can be in months.

One framework

You can manage risk and accountability using the ISO27001 framework. If you are not going to be certified, ISO27001 also helps align with NIST, SOC-2 and can help align some components of Data protection. It can clearly demonstrate accountability.

Training that is focused to the role in the business is most appropriate, using the “Incident” metrics to tailor training and technology requirements.

One practice

Have a data/Cyber champion in every business function so you’re able to manage threats, risk and increase incident reporting capability to enable “real-time” issue management.

 

We hope you found David’s current take on Cyber-Security insightful. During his career David has worked across multiple sectors, including financial services, government, utilities and FinTech, working with a variety of clients – from start-up level and SME up to FTSE 100. He previously held the role of Global Head of IT Security at BT and Radianz (formerly Reuters). He’s also been responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion/trillion-dollar environments. He is also an active CISO consultant on our CISO service offering.

Find out more about how to improve security within your business by signing up for David’s free webinar, The Important Role Your People Play in Cyber-Security, on Thursday 29th July at 1pm.

 


 


9 essential cyber-security measures every business needs


What are the essential cyber-security measures every business needs?

In today’s digital era, advancements in technology are happening very rapidly. Therefore our defence systems against very real cyber-security threats must keep pace. If the correct measures aren’t taken, your business might be more at risk than you think. Here are 9 essential cyber-security measures your business can take.

Are you relying on the same security basics you were a few years ago?

It’s easy for time to pass unnoticed while all these advancements happen around us. Before you know it, you’re relying on the same old security basics to protect your business as you were a few years ago – firewalls, antivirus and intrusion detection software. Most people update their mobile phone software more frequently than that. So here are our 9 recommendations on how to keep your company more secure.

Why is it so important?

The truth is, we all feel impervious to cyber-crime and security breaches. It’s just something that happens to other people – until one day it’s not. Even if a direct financial attack is not a concern for a business because that’s locked down, many people are unaware of the intrinsic value of the data their business holds in today’s world.

Hackers aren’t just after your bank accounts.

Cyber-crime is now an industry that produces over £1 trillion in revenue for cyber-criminals. Ransomware can be used to encrypt a company’s files and hold them for ransom. Network penetration can enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power. Money can even be gained by using social engineering to persuade employees to transfer cash to a fake bank account.

9 steps to combatting cyber-threats

1. A Unified Threat Management (UTM) system

A UTM system is a combination of security appliances and acts as your gateway to the internet.

2. A SPAM filter

A Spam Filter stops potentially malicious files from entering your network via email.

3. Antivirus/anti-malware software

Antivirus and Anti-malware are applications that protect your servers, laptops and other devices from malware.

4. A patch management system

A Patch Management System manages the installation of software updates to close security holes.

5. 2-Factor authentication

2-Factor Authentication gives you a second level of security, preventing unauthorised sign-ins.

6. Device encryption

Device Encryption makes any data stored on the machine useless to criminals and keeps your data secret.

7. A regular data backup

Regular data backups. You should keep a copy of your business data at a secure off-site location in case the original is lost.

8. Content filtering

Content filtering prevents access to dangerous or illegal websites which reduces the risk of infection.

9. A disaster recovery plan

A Disaster Recovery Plan sets out how you will recover from an unplanned event such as a fire or cyber-attack.

 

Regulatory fines and costly lawsuits sting victims of cyber-crime too.

Keeping businesses cyber-secure is even more important since the implementation of the General Data Protection Regulation (GDPR – tailored by the Data Protection Act 2018). Businesses are responsible for their data leaks or breaches if the correct security protections/protocols have not been put in place. Hefty regulatory fines can be levied, and costly lawsuits can follow for the victims of a cyber-attack or security breach.

All businesses should ideally be looking into taking more than just the bare minimum steps to keeping the company cyber-secure, but it’s at least these 9 steps that start the journey in the right direction. The next step beyond the basics is to become Cyber Essentials certified.

Cyber Essentials is a Government-backed Accreditation

Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.

Cyber Essentials still covers fairly basic security concepts, such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already – it can improve your company’s image as well as open you up to working with more cyber-conscious clients.

If you want some help implementing the basics, or would just like some friendly advice, contact our team today.


How to make remote working secure: 13 best practice tips to increase security

IT Security: How to make remote working more secure - 13 best practice tips

As businesses scrambled to suddenly support much larger, permanently remote teams, certain cyber-security policies and procedures fell by the wayside. Simultaneously, cyber-criminals capitalised on the uncertainty, confusion and panic caused by the pandemic and found new opportunities to attack, via remote workers and unsecured technologies.

Remote Desktop Protocol (RDP) attacks were up by 400% in March and April alone, while COVID-19 related email scams skyrocketed by more than 650%. A survey by Verizon found users were 3 times more likely to click on pandemic-related scams, putting businesses at greater risk of credential theft, data breaches, malware and more.

Remote working is not going away. In the UK, businesses will be subject to at least several months of restrictions. Yet, even when things do return to ‘normal’, it’s unlikely that operations will be the same as they once were. It is imperative that businesses prioritise making remote working secure to prevent themselves from falling victim to a breach or serious attack.

13 ways to make remote working secure

1. Educate your employees

New scams, particularly revolving around business email compromise, arrive daily in relation to events, such as the pandemic or a legislation change. It’s important that your staff can identify a one-off or unique phishing scam or at least raise it with IT if unsure. Software can help keep staff sharp with phishing, but ongoing training is critical to protect the business from other methods of social engineering, such as via the phone.

2. Establish 24x7x365 security monitoring

The threat landscape has changed forever and so have the risks as the workforce works remote as standard. It’s essential to continually monitor the security of all infrastructure, cloud environments, cloud applications and end-user devices. The more devices outside the perimeter the greater the potential holes and entry points to an attacker. 

3. Establish advanced threat detection and response

It’s vital that you are aware as soon as possible when major threats appear. Security systems also need to be aware and rapidly notify you of any breach or attempted breach of your security. The system action and human response must be rapid to isolate and contain the threat, even if it’s not on your local network. It’s important to note here that the human element is critical, too many organisations are simply relying on slick-looking AI solutions, which on their own just don’t cut it. 

4. Deploy aggressive vulnerability management

Keeping systems up to date with the right security patches is more important than ever with a disparate workforce. Unpatched systems and system misconfigurations are a key focus for attackers. It’s important to scan networks, but also to use host-based scanning that allows remote workstations to scan themselves outside of the corporate perimeter.

5. Monitor cloud infrastructure and applications

You must monitor systems that hold your data, even if you don’t actively manage them. Most cloud infrastructure and cloud applications, especially the likes of Microsoft, AWS and Google, provide large volumes of data that can be monitored for suspicious events and activity.

6. Monitor the dark web for breaches

Corporate data, particularly passwords, appear on the dark web daily. This may come from large breaches, such as with LinkedIn or Adobe, but also from smaller malware attacks that have skimmed off information during an infection. More than half a million Zoom accounts are currently for sale on the dark web and, at only 1p per login, are extremely cheap to buy. It’s important to know when passwords and sensitive information are leaked, so that action can be taken to mitigate the associated risks.
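Knowing that a leak contains one of your addresses is only half the story; what matters is whether the leaked password is the one the user is currently using. The following is an added example, not QuoStar’s code or that of any monitoring service: it takes a constructed leak feed (email:password lines, standing in for what a dark-web monitoring service would return) and checks it against a constructed company directory that stores only salted PBKDF2 hashes, so no plaintext passwords are kept for the comparison. The domain, users, passwords and feed lines are all made up for the demo.

```python
"""Match a leaked-credential feed against the corporate directory.

Added example with constructed data. The directory holds salted PBKDF2
hashes only; a leaked password is hashed with the user's salt and compared
in constant time. A match means that user's *current* password is public.
Addresses in our domain that are not current users are reported too, which
helps confirm that leaver accounts really are gone.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor (assumed for the demo)
COMPANY_DOMAIN = "example.com"  # placeholder domain


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory(user_passwords):
    """Build {email: (salt, hash)} from constructed plaintexts (demo only)."""
    directory = {}
    for email, password in user_passwords.items():
        salt = os.urandom(16)
        directory[email] = (salt, hash_password(password, salt))
    return directory


# Constructed: what the identity store would hold (never plaintext).
DIRECTORY = make_directory({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Summer2021!",
    "dave@example.com": "xk9#Lm2$pq",
})

# Constructed feed lines in "email:password" form, including noise.
LEAK_FEED = """alice@example.com:correct horse battery staple
bob@example.com:Winter2019!
carol@example.com:password123
someone@other.org:hunter2
malformed line without separator"""


def check_leak(feed, directory, domain=COMPANY_DOMAIN):
    """Classify each in-domain feed entry.

    reset_required: leaked password matches the user's current hash.
    no_match:       user exists but the leaked password is not the current one
                    (still worth a conversation about password reuse).
    not_current_user: address in our domain with no live account.
    """
    results = {"reset_required": [], "no_match": [], "not_current_user": []}
    for line in feed.splitlines():
        if ":" not in line:
            continue  # ignore malformed lines
        email, leaked_password = line.split(":", 1)
        email = email.strip().lower()
        if not email.endswith("@" + domain):
            continue  # not our organisation
        if email not in directory:
            results["not_current_user"].append(email)
            continue
        salt, stored = directory[email]
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            results["reset_required"].append(email)
        else:
            results["no_match"].append(email)
    return results


if __name__ == "__main__":
    for category, emails in check_leak(LEAK_FEED, DIRECTORY).items():
        print(f"{category:17} {emails}")
```

A non-matching entry is not a clean bill of health: the user may have moved the leaked password to another service, so the "no_match" list is still useful input for targeted awareness work.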

 


 

7. Ensure multi-factor authentication (MFA) is in place

Multi-factor authentication is a basic and essential security control, but too many organisations are still not deploying it to improve the security of their remote access.

8. Don’t forget backups

Most of the attacks focused on the remote workers aim to deploy ransomware on a corporate network. To take that further, they are also looking to encrypt backups to ensure that a company can’t recover their data. Therefore, businesses should be looking at creating an air gap backup to protect against this threat.  

9. Run attack simulation training

Spear phishing is still one of the most common attack vectors. By running this type of training, you can see how employees would respond to real-life attacks and socially engineered campaigns. Results can be used to identify weaknesses and deliver personalised training to those more likely to fall victim to a breach attempt.

10. Implement device risk and compliance checking

You need to ensure devices are secure before allowing them to connect to the corporate network and access resources. Personal devices often do not have the same security protocols and can open several weak points. Businesses need to have clear oversight of all devices connected to the network, be able to distinguish between personal and corporate devices and be aware whenever a new device joins or tries to join. As it may not be possible to install additional security software on the device, businesses should flag it for unusual activity and put it onto a separate network.

11. Implement access governance policies

The rising threat of a breach, internally and externally, means it’s important for businesses to monitor and control who has access to key resources. Policies should assume the principle of least privilege (POLP) – giving users the bare minimum permissions they need to perform their role – and clearly define who has access to which resources and under what conditions they have access. With the right policies in place, it becomes easier to identify areas of ‘privilege creep’ and prevent stale accounts (e.g., ex-employee accounts which are still active).

12. Manage privileged access

Employees are often given full admin rights as standard. However, increased access means an increased risk level. Instead, you should ensure employees are only able to access what they need to fulfil their job role and responsibilities effectively. There should be systems in place allowing administrators to respond to access requests and be notified of any unauthorised access attempts.  
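Tips 11 and 12 both come down to comparing what people actually hold against what their role needs, and doing so regularly. The script below is an added example (not QuoStar’s code) of that audit over a constructed account inventory: a directory export joined with an HR leaver list. The role baselines, permission names and accounts are assumed for illustration. It flags ex-employee accounts that are still enabled, accounts nobody has signed into for 90 days, permissions beyond the role baseline (privilege creep) and standing admin rights the role does not justify.

```python
"""Access-governance audit over a constructed account inventory (added example)."""
from datetime import date, timedelta

# Assumed least-privilege baselines: what each role needs, and nothing more.
ROLE_BASELINE = {
    "finance": {"mail", "erp.read", "erp.post_journal"},
    "hr": {"mail", "hris.read", "hris.write"},
    "engineer": {"mail", "git.write", "ci.run"},
    "it_admin": {"mail", "ad.admin", "vpn.admin"},
}
# Permissions that confer administrative control and get their own finding.
ADMIN_PERMISSIONS = {"ad.admin", "vpn.admin", "local_admin"}

# Constructed sample data, not real accounts.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "enabled": True, "employed": True,
     "last_login": date(2021, 7, 20),
     "permissions": {"mail", "erp.read", "erp.post_journal"}},
    {"user": "bob", "role": "engineer", "enabled": True, "employed": True,
     "last_login": date(2021, 7, 19),
     "permissions": {"mail", "git.write", "ci.run", "erp.read", "local_admin"}},
    {"user": "carol", "role": "hr", "enabled": True, "employed": False,  # leaver
     "last_login": date(2021, 3, 2),
     "permissions": {"mail", "hris.read", "hris.write"}},
    {"user": "dave", "role": "it_admin", "enabled": True, "employed": True,
     "last_login": date(2021, 7, 21),
     "permissions": {"mail", "ad.admin", "vpn.admin"}},
    {"user": "svc-report", "role": "engineer", "enabled": True, "employed": True,
     "last_login": date(2021, 1, 5),
     "permissions": {"mail", "git.write"}},
]
AUDIT_DATE = date(2021, 7, 22)  # the day the constructed audit is run


def audit_accounts(accounts, today, stale_after_days=90):
    """Return a list of (user, finding_code, detail) tuples."""
    findings = []
    cutoff = today - timedelta(days=stale_after_days)
    for acct in accounts:
        user = acct["user"]
        baseline = ROLE_BASELINE.get(acct["role"], set())
        perms = acct["permissions"]

        # Stale accounts: leavers still enabled, or no sign-in within the window.
        if acct["enabled"] and not acct["employed"]:
            findings.append((user, "LEAVER_STILL_ENABLED",
                             "disable the account and revoke all access"))
        elif acct["enabled"] and acct["last_login"] < cutoff:
            findings.append((user, "DORMANT",
                             f"no sign-in since {acct['last_login'].isoformat()}"))

        # Privilege creep: non-admin permissions beyond what the role needs.
        creep = (perms - baseline) - ADMIN_PERMISSIONS
        if creep:
            findings.append((user, "PRIVILEGE_CREEP", ", ".join(sorted(creep))))

        # Standing admin rights that the role baseline does not include.
        admin_extra = (perms & ADMIN_PERMISSIONS) - baseline
        if admin_extra:
            findings.append((user, "STANDING_ADMIN", ", ".join(sorted(admin_extra))))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"{user:12} {code:22} {detail}")
```

Run against the sample inventory, the audit reports bob’s extra ERP read access and local admin rights separately, carol as a leaver whose account is still live, and the service account as dormant; alice and dave, who hold exactly their baselines and sign in regularly, produce nothing. Feeding the findings into an access-request workflow, rather than a spreadsheet, is what turns this from a one-off review into governance.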

13. Adopt a zero-trust principle

The increase in cyber-attack frequency and sophistication, coupled with the hybrid nature of today’s IT environment, means traditional security frameworks are no longer enough. While businesses typically focus on defending their perimeters, assuming everything ‘inside’ is already cleared and safe, this is too open of an approach. Zero-trust is essentially about removing all automatic trust. Anything and everything which tries to connect to the system must be verified before access is granted – ensuring it is the right user, from the right secure endpoint, with the right access permissions, who is making the request.  
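Tips 10 and 13 describe the same gate from two angles: every connection is evaluated on its own merits (user verified, device known and healthy, permission for the specific resource), and devices that cannot be trusted are isolated rather than simply refused. The code below is an added example, not QuoStar’s or any vendor’s product, of such a gate over a constructed device register. The device ids, posture fields, patch baseline and role-to-resource map are all assumed for illustration.

```python
"""Zero-trust connection gate with device risk checks (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed register of corporate-managed devices and their last reported posture.
MANAGED_DEVICES = {
    "LT-0412": {"owner": "alice", "encrypted": True, "patch_level": 202107, "edr": True},
    "LT-0377": {"owner": "bob", "encrypted": True, "patch_level": 202104, "edr": True},
}
MIN_PATCH_LEVEL = 202106  # assumed baseline: year+month of the required patch set

USER_ROLES = {"alice": "finance", "bob": "engineer", "carol": "hr"}
# Assumed least-privilege map: which roles may reach each resource.
RESOURCE_ROLES = {
    "erp": {"finance"},
    "git": {"engineer"},
    "mail": {"finance", "engineer", "hr"},
}


@dataclass
class Decision:
    outcome: str          # "allow", "quarantine" or "deny"
    segment: str          # network segment the endpoint is placed on
    reasons: list = field(default_factory=list)
    new_device: bool = False  # first time this device id has been seen


def evaluate(request, seen_devices):
    """Decide one connection attempt, whatever network it arrives from.

    request: {"user", "mfa_passed", "device_id", "resource"}
    seen_devices: set of device ids observed so far (updated in place).
    """
    device_id = request["device_id"]
    new_device = device_id not in seen_devices
    seen_devices.add(device_id)

    # 1. Identity: nothing proceeds without a verified user.
    if not request["mfa_passed"]:
        return Decision("deny", "none", ["identity not verified with MFA"], new_device)

    # 2. Device: unmanaged (personal or unknown) devices cannot run our controls,
    #    so they go to an isolated, monitored segment, never the corporate one.
    managed = MANAGED_DEVICES.get(device_id)
    if managed is None:
        return Decision("quarantine", "guest-monitored",
                        ["unmanaged device: isolated and flagged for unusual activity"],
                        new_device)

    posture_failures = []
    if managed["owner"] != request["user"]:
        posture_failures.append("device registered to a different user")
    if not managed["encrypted"]:
        posture_failures.append("disk not encrypted")
    if managed["patch_level"] < MIN_PATCH_LEVEL:
        posture_failures.append("patch level below baseline")
    if not managed["edr"]:
        posture_failures.append("endpoint protection not running")
    if posture_failures:
        # Managed but non-compliant: a remediation segment that only reaches patching.
        return Decision("quarantine", "remediation", posture_failures, new_device)

    # 3. Permission: right user on the right device, but only the role's resources.
    role = USER_ROLES.get(request["user"])
    if role not in RESOURCE_ROLES.get(request["resource"], set()):
        return Decision("deny", "none",
                        [f"role {role!r} not permitted for {request['resource']!r}"],
                        new_device)
    return Decision("allow", "corporate", [], new_device)


if __name__ == "__main__":
    seen = set()
    for req in [
        {"user": "alice", "mfa_passed": True, "device_id": "LT-0412", "resource": "erp"},
        {"user": "bob", "mfa_passed": True, "device_id": "LT-0377", "resource": "git"},
        {"user": "carol", "mfa_passed": True, "device_id": "PHONE-9", "resource": "mail"},
        {"user": "alice", "mfa_passed": False, "device_id": "LT-0412", "resource": "erp"},
    ]:
        d = evaluate(req, seen)
        print(req["user"], req["device_id"], d.outcome, d.segment, d.reasons,
              "(new device)" if d.new_device else "")
```

The order of the checks is the point: a valid user on an unpatched laptop is quarantined, not allowed, and a compliant laptop does not earn its user access to a resource outside their role. The `new_device` flag is what feeds the “be aware whenever a new device joins” requirement; in practice it would raise an alert rather than just print.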

Remote working security is a critical issue

More than ever, businesses cannot afford anything which would harm their productivity, their reputation, or their bottom line. It’s understandable why measures may have not been fully in place at the beginning, but it’s imperative that businesses now make security a priority.

To make remote working secure, businesses must take stock of their current security landscape, assess the risks, and take steps to improve and protect themselves. If you would like advice or assistance in doing this, to ensure all the bases are covered, please contact the QuoStar team for a no-obligation chat or initial risk review.  


Are you using WhatsApp for business communications? 2021 is the year to stop

Should you be using WhatsApp for business communication?

While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and it’s easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now many employees are working remotely. 

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, both apps announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share their personal information, such as names, profile pictures, status updates, phone numbers, contact lists and IP addresses, as well as data about their mobile device, with Facebook and its wider companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside of Facebook’s European Region (including the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.

Since the privacy policy changes were announced, WhatsApp has now said that it will not be sharing personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward next month, even if you agree to the new policy. For all other users though, there is no opt-out.

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, they opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform. But nonetheless, WhatsApp stated that the change would not impact “how people communicate with friends or family” on the platform. The company also specified in a blog post that it would continue to provide end-to-end encryption for private messages, and it didn’t keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for your permission for the app to access your contacts. It requests that you ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience’. Agreeing to this means that all your phone contacts are accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to access their personal data, which could be a potential breach of GDPR.

WhatsApp has been clear that it is for personal use. Users must agree to these terms and conditions before they can access the service and WhatsApp can access the users’ contacts. Therefore, the responsibility for GDPR lies with the user, not the app.

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp liability for GDPR because they have given the user all the responsibility for seeking the permission of their contacts.  

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security due to its end-to-end encryption, there have been plenty of reported hacks and flaws.

Just last October, security researchers revealed that links to thousands of WhatsApp chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. The group’s title, image, description and owner’s phone number were all readily accessible; you didn’t even need to actively join the group.

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then, there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself, there would need to be an IT policy that states WhatsApp as an acceptable communication channel for business purposes. Although, this policy would be in breach of WhatsApp’s acceptable usage policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so the employee has no expectation of privacy.  

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container installed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given the device is owned by the employee and used predominantly for personal use, it is doubtful whether a forced surrender and access could be seen as legally proportionate.

If there’s no BYOD policy in place? Access is near impossible. As a personal device, the employee would have much higher expectations of privacy and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try and obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to the app’s business usage. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake, accidentally share their live location, or information could get lost between multiple group chats.

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  




10 ways to protect sensitive business data

IT security - How to prevent your data from leaking

In a modern business, communication and collaboration are becoming easier than ever. We can work remotely, we can access documents on our smartphones and check in with our colleagues whilst on the go.

While the increase in this type of working culture is positive, the rise of social media, instant messaging and email – along with the influx of portable devices and removable media into the office space – means it’s easier than ever for data to leak out of your business.

Your data – be it financial, client, employees or intellectual property – is a valuable asset. So it’s only right that you protect it.

But with confidential data living on many devices (servers, databases, desktops, laptops, USB drives, mobiles), and moving through many channels, it’s difficult to know where to start. In this article we will outline some of the solutions available to help with the problem of data loss. And look at how you can begin your data leak prevention project.

What is data leak prevention (DLP)?

DLP is a strategy for making sure that sensitive information does not leave the corporate network. It describes any solution or process which identifies and tracks the journey of sensitive data, or which enforces policies to prevent unauthorised or accidental disclosure.

Many businesses decide to undertake a DLP project to protect their IP or client data. But the task’s complexity and the resources required to complete and maintain it often results in the project never reaching completion.

But with the number of Internet-connected devices skyrocketing and remote or flexible working having grown so much since the Covid-19 pandemic, managing and protecting your confidential information is vital. And you will only be able to do this with a DLP strategy in place.

How can a data leak occur?

There are three categories of data leakage:

  • In Transit – Data is intercepted whilst travelling, e.g. via email, webchat, web traffic etc.
  • At Rest – Data is captured from areas such as file shares, databases, desktops or laptops
  • In Use – Data is captured from screenshots, clipboards, printers, USB drives and other removable storage.

As a business, you need to break down each category. Create a list of everywhere you store data and assign each location to one of the three categories. Then classify the data in each location (e.g. level of sensitivity and risk) and write this down as well. Only when you understand what data you have and what risks you face can you start to think about controls.

How can I keep my sensitive data secure?

1. Portable encryption

You should be encrypting any sensitive data which leaves your network. To do this, you need software systems in place since you cannot rely on employees alone. It only takes a lost USB stick, laptop or phone to deliver a severe blow to a business.

2. Endpoint protection

Data endpoints are the machines your employees use, e.g. desktops, laptops or mobiles. It’s on these devices that intellectual property and sensitive data resides or passes through.

Endpoint solutions allow administrators to control what devices are in use. They also let them see when they’ve been used, who by and the information which was accessed or downloaded.

Businesses should also have security policies in place governing the use of devices, since employees store sensitive information like emails or documents on their smartphones and tablets. Your security policy must cover areas like password complexity, downloads and screen locks.

3. Email content control

As users often send confidential information and documents via email, it has a high potential for a data leak. Using content filtering allows deep content inspection technology to scan for potential threats. Email text, images and attachments can all be scanned this way to flag up potential leaks.

Content filtering can also alert administrators to insider threats, informing them if users try to send restricted material outside the business.
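As an added illustration of the content inspection described above (example code, not a product's implementation): the filter below walks every MIME part of an outbound message, scans the body and text attachments for payment-card numbers (validated with the Luhn checksum so order numbers and IDs are not flagged) and for classification markers, and then allows, alerts on or blocks the message depending on whether the recipient is external. The sample message, the marker list and the allow/alert/block rule are constructed assumptions; the card numbers are industry test numbers.

```python
"""Outbound email content filter: scans text parts and text attachments for
Luhn-valid card numbers and classification markers, then decides
allow / alert / block. Added example; sample data and policy are constructed."""
import re
from email import message_from_string

# Classification labels treated as 'restricted material' (assumed for this example).
RESTRICTED_MARKERS = ("Management Restricted", "Employee Confidential")

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed outbound message. The card numbers are industry test numbers, not real accounts.
SAMPLE_OUTBOUND = """\
From: alice@example.com
To: someone@external-partner.test
Subject: Billing details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hi, the card on file is 4111 1111 1111 1111, expiry 12/29.
The attached list is Management Restricted, please keep it internal.

--XYZ
Content-Type: text/csv; name="customers.csv"
Content-Disposition: attachment; filename="customers.csv"

name,card
Bob,5500000000000004
Carol,1234567812345678
--XYZ--
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs (order numbers, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in the alert, so the alert itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(raw: str, markers=RESTRICTED_MARKERS) -> list[dict]:
    """Walk every MIME part; return findings for text-based parts (body and text attachments)."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, nothing to scan
        if part.get_content_maintype() != "text":
            continue                      # images/PDFs need OCR or document parsing; out of scope here
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        where = part.get_filename() or part.get_content_type()
        for m in CARD_CANDIDATE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"part": where, "type": "payment_card", "value": mask(digits)})
        lowered = text.lower()
        for marker in markers:
            if marker.lower() in lowered:
                findings.append({"part": where, "type": "restricted_marker", "value": marker})
    return findings


def decide(raw: str, internal_domain: str) -> str:
    """Policy (assumed): block restricted content leaving the business, alert on it internally."""
    findings = scan_message(raw)
    if not findings:
        return "allow"
    to_domain = (message_from_string(raw)["To"] or "").rsplit("@", 1)[-1].strip().lower()
    return "alert" if to_domain == internal_domain else "block"


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_OUTBOUND):
        print(finding)
    print("decision:", decide(SAMPLE_OUTBOUND, "example.com"))
```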

4. Intelligent firewalls

Alongside email, IM and Internet use also present a risk to your data. Firewalls can protect individual computers and whole networks from security threats. But they can also take automatic action against potential data leaks, unauthorised access or malicious behaviour. This is achieved by notifying the administrator or by blocking the action.

5. Device control

It is now expected that employees will have a smartphone on them at work. For DLP, this means it’s much easier for employees to take away confidential data.

To limit this, you need to have security policies in place governing the use of devices. Your policy must cover things like password complexity, download and application guidelines, and screen timeouts. Without a policy like this, sensitive data will be at risk once it enters an employee’s device.

6. Assess security permissions

Many businesses give employees far more access than they need. Taking a Zero-Trust approach to access permissions helps address this. Zero trust means people only have access to what they need on a day-to-day basis.

This approach allows you to limit the scale of leaks and prevents employees from accessing sensitive data outside their role. You should review your current security permissions and see who has access to what. Then create access policies that limit employees’ network privileges to only what they need for their job.

Your system should also issue alerts if employees act out of the ordinary, for instance if they start accessing large numbers of documents, or if a user tries to access restricted documents. These are often signs of a script running or a compromised account.
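The two alert conditions just described, as an added example run over constructed document-store audit lines (not code from the original article): one rule flags a user opening a document whose label they are not cleared for, the other flags an account that opens far more distinct documents in a day than its usual baseline. The log format, the clearance table and the per-user baselines are assumptions.

```python
"""Access-anomaly rules over constructed audit-log lines:
(1) restricted_access: a user opens a document with a label they are not cleared for,
(2) volume_anomaly: a user opens many more distinct documents in a day than usual.
Added example; log format, baselines and clearances are assumed."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\S+) user=(\S+) doc=(\S+) label=(.+)$")

# Who may open each restricted label (assumed; 'dave' stands in for senior management).
CLEARANCE = {"Management Restricted": {"dave"}}

# Typical distinct documents opened per day, learned from history (constructed values).
BASELINE = {"alice": 10, "bob": 8, "dave": 5}
DEFAULT_BASELINE = 5      # for accounts with no history yet
VOLUME_MULTIPLIER = 3     # alert above 3x the user's baseline


def constructed_log() -> list[str]:
    """Constructed sample: normal activity, one out-of-clearance read, one bulk read."""
    lines = [
        "2021-03-08T09:01:10 user=alice doc=/sales/pipeline.xlsx label=Confidential",
        "2021-03-08T09:14:02 user=alice doc=/sales/contract-12.docx label=Confidential",
        "2021-03-08T10:30:45 user=alice doc=/board/board-pack.pdf label=Management Restricted",
        "2021-03-08T11:05:00 user=dave doc=/board/board-pack.pdf label=Management Restricted",
    ]
    # bob's account reads 40 different documents in four minutes: a script or a compromised account.
    for i in range(40):
        lines.append(f"2021-03-08T13:2{i // 10}:{(i * 6) % 60:02d} user=bob "
                     f"doc=/engineering/spec-{i}.docx label=Employee Confidential")
    return lines


def parse(lines):
    """Yield (timestamp, user, doc, label); malformed lines are skipped, not trusted."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, user, doc, label = m.groups()
        events.append((datetime.fromisoformat(ts), user, doc, label))
    return events


def detect(lines) -> list[dict]:
    alerts = []
    docs_per_user_day = defaultdict(set)
    for ts, user, doc, label in parse(lines):
        allowed = CLEARANCE.get(label)
        if allowed is not None and user not in allowed:
            alerts.append({"user": user, "rule": "restricted_access",
                           "detail": f"{doc} ({label}) at {ts.isoformat()}"})
        docs_per_user_day[(user, ts.date())].add(doc)
    for (user, day), docs in sorted(docs_per_user_day.items()):
        threshold = VOLUME_MULTIPLIER * BASELINE.get(user, DEFAULT_BASELINE)
        if len(docs) > threshold:
            alerts.append({"user": user, "rule": "volume_anomaly",
                           "detail": f"{len(docs)} distinct documents on {day} (threshold {threshold})"})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```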

7. Control print

Multi-function printers (MFPs) are typically unmonitored and so have high data leak potential. Requiring users to sign in before use can reduce this, as they will only have access to certain functions. This also prevents leaving documents on the printer, since the document only prints once the user signs in.

8. Secure back-ups

Backing up important information is a fundamental part of business. But backups can be vulnerable too and are often troves of sensitive data.

As with the original files, you should encrypt your backups. It’s also important to ensure backup servers are not publicly reachable, for example over the Internet. This makes it harder for attackers to gain illicit access.

9. Image text analysis

It’s not only documents and text which you need to protect; images can be sensitive data as well. The prevalence of camera-enabled devices, like smartphones, in the workplace has made copying images simple. DLP solutions have the ability to analyse text within images, preventing data exposure.

10. Educate users

Businesses often assume their employees know what information is confidential and what can’t be shared. But data leaks aren’t always malicious and an employee may not even realise their behaviour is putting the company at risk.

It’s useful to educate your users on the dangers of data leakage. You should include it as part of your onboarding process at a minimum. And should carry out sessions on a regular basis to ensure everyone is aware of the dangers and up-to-date on company policy.

A good security policy will be well-defined and easy to understand. Without this, people won’t adopt it, since accountability and employees’ roles will not be clear.

The GDPR and data protection

A further consideration is the EU General Data Protection Regulation (GDPR). Although the UK has voted to leave the EU, the new regulation may still apply to your company. So you should review your data protection policies and technology to ensure you are compliant.

The GDPR focuses more on what the data is about, not where the data lives. So even if you operate outside of the EU, the new regulations could still apply. GDPR rules that if your business offers services to the EU market or holds data about EU citizens, you will need to be compliant.

When it comes to data, your business should be proactive about its protection. Keep your security solutions up to date, and don’t be afraid to reach out to a consultant for advice.


How vishing works: A real life example of a phone scam

IT security - Our experience with a vishing attack

The story

At 27 minutes past 2 on a Monday afternoon, the phone on my desk rang. Picking it up I was greeted by Faye Langford (a name I was unfamiliar with) asking if she could speak to the company’s CEO, Robert Rutherford. She said she was calling from one of our suppliers (which has been left intentionally unnamed) about an earlier email regarding problems with a credit card.

As Rob was out of the office, I asked if there was anyone else who could help. I was informed that Rob was the only person on the account and so I told Faye that I would pass on the message. She wished me a good day and that was the end of our conversation.

I emailed Rob the details of the call and was content that the issue would be resolved now it was in the appropriate hands.

This all seemed quite ordinary but here are two things which change that:

  • There are two people at this supplier who would normally call us regarding card information. Faye Langford is not one of them.
  • There are over 15,000 employees who work at this supplier. Faye Langford is not one of them.

So, what had just happened?

The scam

What had happened was an attempt at voice phishing – also known as vishing. When you think of phishing, you probably think of emails but unfortunately, phishing can occur on any channel. Phone calls, SMS or social media are all platforms which scammers can use to fraudulently acquire your details.

But there are some things which make this attempt particularly alarming.

  1. They already knew Rob’s full name and that he was the company’s CEO
  2. They knew that we use this supplier and are familiar with the name
  3. They didn’t probe further when asked if there was anyone else at the company they regularly spoke to

While the information in point one is widely available – on LinkedIn and the company website – it serves as a reminder that scammers will use personal details to make their attacks more targeted and realistic. Had Faye asked to speak to “the CEO”, I would have delved much deeper into what the purpose of the call was. But since she was on first-name terms and was purportedly calling from a known supplier I was more inclined to trust her.

The second point is alarming because it’s narrowly accurate. Since the supplier is well known and works with many companies, this may have simply been a fluke. Alternatively, this may be an emerging worst-case scenario. It’s possible that the supplier has at some point suffered a data-breach and had client information leaked. This would explain how they knew we worked with that supplier and may have been the source of Rob’s details as well.

As it turns out, a few days preceding the call from Faye, the supplier had suffered a data breach. This breach included clients’ names, job titles, and partial payment information including cardholder name and card type. This makes it hard to believe the two events are unrelated.

The third and final point is the most alarming whilst also being seemingly insignificant. When Faye called, she wanted to speak with Rob and was clear that no one else could help when told he was unavailable. This indicates that the scam wasn’t just a scattergun approach but targeted at Rob specifically. Considering that cardholder name was part of the data leaked in the breach mentioned previously, this may be why.

How do vishing scams work?

Based on the articles covering the breach, the information given during the call and other attempts we’ve seen before, the scam would have likely gone like this:

The supplier’s data is breached and acquired by cyber-criminals. This may be sold on a dark-web marketplace to the scammer or the scammer might have been the one to directly take the data.

The scammer creates a fake email pretending to be from the supplier and sends it to the target company stating they need to resubmit card details due to ‘an issue’. This email may include a website link or telephone number to ‘update’ the card details – both of which will be fake.

(I should note that we never actually discovered an email. It’s possible that it was blocked by our email security system due to coming from a known malicious address or linking to a known malicious URL. Alternatively, the email may be entirely fabricated and only used to imply there’s ongoing communication and build trust in the call.)

The scammer now calls the organisation and requests to speak to the target regarding the email about card information. Once they reach the intended target they would likely say that there’s an issue with billing and until the card details are resubmitted, all orders will be frozen and no additional payments can be made.

If the target is worried by this and not suspicious of the request, they will likely be happy to hand over their card details to resolve the issue. The scammer would then check the details are real and maybe say something like “Excellent, I can see the payments are going through now.”, before hanging up.

How can you protect your business from vishing?

Undertake user training

You’ve probably heard this reiterated a hundred times before, but one thing often left unmentioned is that you must ensure your training program is grounded in the scope of the business.

The more abstract training is from employees’ day-to-day roles, the less engaged they will be and the less they’ll remember. A simulated vishing call against employees whilst in the workplace is not only realistic but will likely leave a lasting impression – making it incredibly valuable.

Don’t rely too heavily on caller ID

Caller ID allows you to put a name to a phone number and identify who’s calling. This sounds like a useful tool in preventing scammers masquerading as someone they’re not. But caller ID can be easily spoofed to show what the scammer wants to show.

There are many online services which offer caller ID spoofing – making it easy for scammers to take advantage of the trust a caller ID can give. This doesn’t mean caller ID is completely useless though as it can be helpful in filtering out nuisance calls, but you should not blindly trust the system.

Don’t respond to requests for details

It’s easy to say this, but if it were easy to do, vishing wouldn’t exist. To keep your details secure, you must get yourself and your employees into the mindset that unless the request is coming from an official channel which the caller can prove is genuine, don’t divulge company details.

Establishing and enforcing acceptable channels of communication for clients can make this much simpler. If you establish in company policy that certain details may never be communicated via certain channels (e.g. never disclose a mobile number over email), it’ll be far easier to stop scammers who are trying to siphon information out of the business.

Take the time to check

If there’s a suspicious call about an urgent bank transfer or new card details, get approval on whether it’s genuine off the phone and ideally face-to-face with who usually deals with the issue (e.g. the finance director). If the caller is genuine, they won’t mind you taking the time to check and if they aren’t, checking is a good way to avoid a disaster.

It’s worth building this approval process into policies so that people know who to go to for each request. Having the process in company policy also shows that asking about the authenticity of a suspicious request isn’t something for employees to be worried about doing.

Employ zero-trust

This policy sounds severe, but zero-trust simply means employees who don’t need to know something aren’t told it. If you store credit card details in a secure digital wallet which everyone has access to, it only takes one successful vishing call for those details to be compromised.

If only the finance department has access to those details though, it’s much harder for a scammer to get lucky off an unaware employee who was trying to be helpful.

Establish and communicate a list of acceptable requesters

As with establishing acceptable channels, you should ideally have a list of names to whom it is acceptable to give details. If you’re employing zero-trust, this list only needs to be known amongst those who have access to the details; otherwise, you’ll need to communicate it to the entire company.

… To summarise

Before this experience with vishing, I had only experienced it once before and it had been a rather poor attempt (a very robotic voice asking about the ‘accident’ I had been involved in). I had been fairly certain that this was the way vishing would stay – easy to spot, scattergun and done by text-to-speech. But this latest call has unfortunately proved me wrong.

Not only was it done by an actual real human, but it was pointed at a very specific individual. This is a trend which mirrors the evolution of other cyber-attacks and the increased weight cyber-criminals are placing on social engineering in their toolset. Whilst this threat is old and not uncommon in high-end security breaches, it seems it’s now also coming to the masses.

If you’re uncertain about whether phishing, vishing or any other type of cyber-crime is happening on the scope and scale it’s reported at, I hope this experience opens your eyes to the reality of what’s happening. It certainly did for me.

What is shadow IT and how can you control it?

IT security - What is shadow IT and why do you need to control it?

Lurking deep beneath your surface IT infrastructure is a malignant force. Its creeping tendrils extend into every department of the business and like a rot it spreads.

Whilst it started out innocent, as it grew more prevalent its evil nature emerged. Twisting roots buried deeper into the IT environment, corrupting business processes. Tendrils probed out, undermining defences whilst creating unseen vulnerabilities. And a maw guzzled and swallowed all the data it was fed.

But the worst part of all about this malevolent infestation is this. It wasn’t an attacker who planted this thing in your network, no. It was you.

And you continue to let it grow, feeding it and adding to it, all whilst unaware of the peril you have created…

Okay, whilst that description was a little dramatic, shadow IT poses an undeniable risk to your business. Gartner predicted that 1 in 3 security breaches will be the result of shadow IT applications by 2020. And research from Cisco indicated CIOs underestimate the number of shadow applications running on the network by a factor of 14. That is to say, the CIO thought the business was running 51 cloud services when in reality it was using 730!

These stats highlight how many businesses still don’t have a grasp on the extent of their shadow IT. The risks and controls have been around for years, yet many businesses wait until they get burned to take action.


What is shadow IT?

Shadow IT is hardware or software (often cloud-based) used by staff without knowledge or approval from the IT team.

Shadow IT can present itself in many ways, a few examples being:

  • Staff sharing files between themselves, suppliers and customers. Often with a cloud file store such as OneDrive, Dropbox or Google Drive.
  • A member of the sales team using an online CRM solution to work on a campaign.
  • An account manager using a personal Skype account to conference with clients.
  • An employee using an online tool from their previous job, instead of the software their current employer uses.

In each example, it’s obvious that these systems will be outside of the control of the IT department. This is a concern because it increases the business’ attack surface and adds many fun and exciting ways in which your sensitive data could leak.

Shadow IT plays on the idea of “if you can’t see it, you can’t control it”. As a result, it creates a lot of invisible risks and security gaps which the IT team is unable to address.

Of course, shadow IT may be bringing in benefits to a business. If an employee is more comfortable with their tools, they’ll work more effectively. But allowing it to run wild introduces gaping security holes and puts you at higher risk.

Why does shadow IT occur?

Shadow IT arose with the boom in cloud-based technologies and applications. This application explosion allowed employees to gain access to IT solutions through a web interface. And with so much variety, employees could buy an entire suite of tools with little or no involvement from the IT department.

The popularity of having sudden access to a plethora of applications was compounded by the fact that in the past, IT projects would have to stop or grind their way through the IT department before becoming usable. Whilst this wasn’t done with malice, the delay it caused frustrated power users who wanted rapid solutions to their issues.

In short, the demand for change was louder and faster than the IT team’s resources, and even their awareness. Technology had come to the masses and they wanted to use that technology. Now.

But blaming everything on the IT department isn’t fair and nor is it accurate. Another fundamental cause of shadow IT is misalignment within the business. Something which involves many departments and generally the board.

A lack of control on the IT estate tends to make identifying a single reason for shadow IT impossible. This means the cause for shadow IT can vary from business to business.

How can I manage shadow IT?

Whilst the idea of prohibiting the use of any applications outside of an acceptable list seems like it would work fantastically, it doesn’t.

Not only will it annoy employees and disrupt their workflows, but people will likely find a way around the filtering or will pester the IT team to add certain applications to the whitelist. This circumvents the point of the system in the first place and results only in a net negative.

Instead, the business needs to address the root cause of its shadow IT by installing policy controls and technical controls to rein it in. Here are 7 simple steps to give you an idea of where to start.

1. Review what’s going on

The first step is to use your internal monitoring and control solutions to analyse who is going where and doing what. It’s also worth auditing laptops and desktops if you allow users to install applications on their own devices (not advisable!).

2. Evaluate and prioritise risk

Go through your reports and work out which shadow IT elements pose the greatest risk. Staff sharing sensitive information or accessing the dark web through Tor browsers should both be big red flags.

Whilst doing this, you may also find out you are breaking regulatory obligations without even knowing it. For instance, by storing files in regions that are unacceptable.

3. Lockdown

Shut down anything that is dangerous or breaking regulation immediately. If it’s illegal or breaks company policy then block it and take appropriate action at a management or HR level.

4. Give an amnesty

Once you’ve dealt with the immediate dangers and know what’s going on, give everyone the chance to stop using the unapproved shadow IT applications.

Give them a week or two to tell you why certain applications are necessary, and you can then manage the exceptions. After the week is up, shut everything unapproved down.

5. Manage relationships

As you work through this process, take care to manage the external perception of the board and IT. People often use shadow IT to better fulfil their roles. So you should be trying to understand why they are using it and how you can fulfil their needs.

You may even find that some shadow applications are of benefit elsewhere in the business and adopting them could be a net positive. You don’t want to turn the business against the IT team as everyone then suffers.

6. Create policies

It’s unlikely that regular employees are aware of the danger of shadow IT and why they shouldn’t use it. Clear policies with training and regular reminders should help minimise risks.

7. Continually manage

You should always be monitoring and evaluating what’s going on in your network. People forget what they’re told, and the odd employee does go rogue. The technologies are out there and are nothing new. So there’s no excuse for not monitoring and blocking employees from doing things that could harm your business.
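Steps 1 and 2 above (review what is going on, then prioritise by risk) as an added example over constructed web-proxy log lines, not code from the original article: each destination host is matched to a catalogue of known cloud services, sanctioned services are set aside, and the unsanctioned ones are ranked by the volume of data uploaded to them, which is the most direct measure of data leaving the business. The catalogue, the sanctioned list and the log format are assumptions.

```python
"""Shadow-IT discovery from proxy logs: map hosts to known cloud services,
separate sanctioned from unsanctioned, rank unsanctioned by bytes uploaded.
Added example; log lines, catalogue and sanctioned list are constructed."""
import re
from collections import defaultdict
from typing import Optional

LINE = re.compile(r"^(\S+) user=(\S+) host=(\S+) bytes_out=(\d+)$")

# Known SaaS domains and what they do (constructed catalogue; a real one is far larger).
CATALOGUE = {
    "onedrive.live.com": "file sharing",
    "dropbox.com": "file sharing",
    "wetransfer.com": "file sharing",
    "drive.google.com": "file sharing",
    "hubspot.com": "CRM",
    "web.skype.com": "messaging",
    "teams.microsoft.com": "messaging",
}

# Services IT has approved (assumed for the example).
SANCTIONED = {"onedrive.live.com", "teams.microsoft.com"}

# Constructed proxy log: one line per request, bytes_out = bytes sent by the client.
PROXY_LOG = """\
2021-03-08T09:02:11 user=alice host=onedrive.live.com bytes_out=1048576
2021-03-08T09:10:54 user=alice host=www.dropbox.com bytes_out=52428800
2021-03-08T09:31:07 user=bob host=dl-web.dropbox.com bytes_out=4194304
2021-03-08T10:02:19 user=carol host=app.hubspot.com bytes_out=204800
2021-03-08T10:45:33 user=dave host=web.skype.com bytes_out=12288
2021-03-08T11:12:40 user=erin host=wetransfer.com bytes_out=209715200
2021-03-08T11:30:01 user=alice host=teams.microsoft.com bytes_out=8192
2021-03-08T12:00:00 user=bob host=intranet.example.com bytes_out=1024
"""


def match_service(host: str) -> Optional[str]:
    """Longest-suffix match so www.dropbox.com and dl-web.dropbox.com both map to dropbox.com."""
    host = host.lower()
    best = None
    for domain in CATALOGUE:
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def parse(log: str):
    """Yield (user, host, bytes_out); lines that do not match the format are ignored."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            _ts, user, host, out = m.groups()
            yield user, host, int(out)


def shadow_it_report(log: str, sanctioned=SANCTIONED) -> list[dict]:
    """Unsanctioned services ranked by bytes uploaded, then by name."""
    users = defaultdict(set)
    uploaded = defaultdict(int)
    for user, host, out in parse(log):
        service = match_service(host)
        if service is None or service in sanctioned:
            continue                      # unknown host or approved service
        users[service].add(user)
        uploaded[service] += out
    report = [{"service": s, "category": CATALOGUE[s], "users": sorted(users[s]),
               "bytes_out": uploaded[s]} for s in users]
    return sorted(report, key=lambda r: (-r["bytes_out"], r["service"]))


def discovered_vs_sanctioned(log: str, sanctioned=SANCTIONED) -> tuple:
    """The gap the Cisco figure describes: (services actually in use, services IT approved)."""
    seen = {match_service(h) for _, h, _ in parse(log)} - {None}
    return len(seen), len(seen & sanctioned)


if __name__ == "__main__":
    for row in shadow_it_report(PROXY_LOG):
        print(row)
    print("in use vs sanctioned:", discovered_vs_sanctioned(PROXY_LOG))
```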


Three uses for email archiving in your HR department

Email archiving brings benefits to every department throughout a business – from finance and legal, through to administration. One department which can benefit from email archiving is HR, as they deal with personal data every day.


Three benefits of email archiving for HR Managers

1. Investigate claims of bullying in the workplace

You may think this doesn’t happen in your workplace, but it’s something you should be able to investigate. Research carried out by the TUC shows that 29% of people have been bullied at work. Email records are important in cases of alleged verbal or physical bullying, as they’re difficult to prove.

An email archiving solution that captures every email provides HR managers with the transparency and visibility required to conduct a fair investigation in the event of a complaint. It’s more reliable than relying on employees to archive their messages on an ad-hoc basis. A solution with user-based security permissions is ideal as HR Managers can investigate complaints without the involvement of the IT department.

2. Monitor for email misuse

A company may find itself in the midst of a legal dispute if employees misuse corporate email. This could range from sharing offensive material to accidentally hitting the “Reply All” button. It is not enough to rely on your employees to use common sense when it comes to email etiquette, and it could result in legal action against your company – as seen in the case of Thales Australia.

One way to ensure employees are aware of your business’s email usage policy is to send a copy of the guidelines via email. Then ask employees to send a reply stating they have read the policy and agree to abide by it. Your email archive will save the reply, so you have a record available should any dispute arise. Using an email archiving solution means you will also have a record of any inappropriate work emails, even if the employees sending and/or receiving them delete the messages from their inbox in between system backups. Emails are time-stamped and digitally fingerprinted at the moment of storage and retrieval, so you can guarantee accurate data, which is essential if these emails are being presented as evidence in a tribunal.
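The time-stamping and digital fingerprinting mentioned above, as an added example rather than any vendor's implementation: each archived message gets a SHA-256 fingerprint and a storage timestamp, and every record is chained to the previous one, so that an edited, removed or reordered message is detected on retrieval or during a chain check. The sample messages are constructed; a real archive would also anchor the chain head outside the archive (write-once media, an external timestamp) so that truncating the end of the chain is detectable too.

```python
"""Tamper-evident email archive: SHA-256 fingerprint + timestamp per message,
records chained to the previous record. Added example; sample data constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # chain value before the first record


def fingerprint(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def chain_hash(prev: str, fp: str, stored_at: str) -> str:
    """Link = hash of (previous link, this fingerprint, this storage time)."""
    return hashlib.sha256(f"{prev}|{fp}|{stored_at}".encode()).hexdigest()


@dataclass
class Record:
    seq: int
    stored_at: str      # ISO-8601 UTC timestamp taken when the message was archived
    raw: bytes          # message as received; must never change afterwards
    fingerprint: str    # sha256(raw)
    chain: str          # chain_hash(previous chain, fingerprint, stored_at)


class EmailArchive:
    def __init__(self):
        self.records: list = []

    def store(self, raw: bytes, now: Optional[datetime] = None) -> int:
        """Archive a message; returns its sequence number."""
        stored_at = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.records[-1].chain if self.records else GENESIS
        fp = fingerprint(raw)
        rec = Record(len(self.records), stored_at, raw, fp, chain_hash(prev, fp, stored_at))
        self.records.append(rec)
        return rec.seq

    def retrieve(self, seq: int):
        """Return (message, intact) where intact means the content still matches its fingerprint."""
        rec = self.records[seq]
        return rec.raw, fingerprint(rec.raw) == rec.fingerprint

    def verify_chain(self) -> bool:
        """Recompute every link; False if any record was altered, removed or reordered."""
        prev = GENESIS
        for expected_seq, rec in enumerate(self.records):
            if rec.seq != expected_seq or fingerprint(rec.raw) != rec.fingerprint:
                return False
            if chain_hash(prev, rec.fingerprint, rec.stored_at) != rec.chain:
                return False
            prev = rec.chain
        return True

    def head(self) -> str:
        """Current chain head; anchor this externally so truncation of the chain is detectable."""
        return self.records[-1].chain if self.records else GENESIS


if __name__ == "__main__":
    archive = EmailArchive()
    # Constructed sample: the policy mail and an employee's acknowledgement.
    archive.store(b"From: hr@example.com\nTo: staff@example.com\nSubject: Email policy\n\n"
                  b"Please reply confirming you have read the email usage policy.\n")
    n = archive.store(b"From: bob@example.com\nTo: hr@example.com\nSubject: Re: Email policy\n\n"
                      b"Read and agreed.\n")
    print("intact:", archive.retrieve(n)[1], "chain ok:", archive.verify_chain())
```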

3. Ensure regulatory compliance

You must keep former employees’ records for the duration of employment and for six years after you terminate employment. This includes items like training records, appraisals, contracts, annual leave, sickness records and disciplinary warnings (even if these have since expired). You have to keep these because an Employment Tribunal, County Court or High Court claim is possible for up to six years after employment ends. So the business could be at risk for failing to produce these records. Also keep anything that relates to the employee, which an Employment Tribunal may require as evidence, for this retention period.

How cloud email archiving can benefit every department


Email archiving is much more than just another IT solution. By implementing cloud email archiving, every department in your business stands to gain a wealth of benefits. Greater efficiency, streamlined processes and reduced costs are just some of the positive results you will see at a high level.

IT Department

IT Director, IT Manager, Network Manager

  • Eliminates the need for PST files and restorations of individual emails for end-users
  • Reduces the time it takes to back up the email server and allows it to run more efficiently
  • De-duplicates email data and removes it from expensive Tier 1 storage, resulting in reduced storage requirements and lower costs
  • Allows end-users to self-manage their email, for example restoring deleted messages, rather than logging support calls
  • Easy to budget and forecast for
  • Enables authorised personnel – such as the HR Manager – to conduct their own investigations without requiring assistance

Legal and HR Department

Internal/External legal counsel, HR Director, HR Manager

  • A fast and accurate way to search for all emails connected to a particular person, subject, attachment, client etc.
  • Ensures transparency and visibility required for fair HR investigations
  • Greater protection for employee privacy as a fully encrypted audit trail is generated with every search request
  • Manage HR investigations without the need for IT involvement with role-based security permissions and an intuitive search interface
  • A tamper-proof repository ensures the emails you retrieve are reliable and accurate, by removing the ability for users to edit or delete emails

Data Protection and Compliance

Freedom of Information Officer, Compliance Officer, IT Director

  • Provides authorised personnel with access to all email communications, ensuring transparency and visibility
  • Helps the company adhere to FOI legislation, financial regulations, data retention regulations etc.
  • Time-stamping and digital fingerprinting proves the data is authentic and exactly what was sent on/received by any given date

Senior Management

CEO, MD, Directors, Sales Manager, Customer Service Manager

  • Greater protection for the business against data leakage
  • Ensure that policies and procedures are properly enforced to protect intellectual property, patent data, client information etc. and make sure they are only held within the business
  • A greater understanding of how your business uses email e.g. how long does it take the Sales team to respond to a prospective client?

How to create an information classification policy

IT security - How to create an information classification policy

Documents are a business asset. If an asset is lost, stolen or damaged, it becomes a risk, both for the business and for its clients.

This means having control systems in place to understand these risks is critical. And having the controls to counter them is equally as important.

It sounds simple. But after a decade of working with businesses, it’s clear that few of them have suitable controls in place. To address this, we’ve created 10 points to guide you through the process of creating your information classification policy.

1. Keeping it simple

When looking at security in any way, it’s important to keep it as simple as possible. This is particularly true when it’s something as regular as dealing with documents.

To make it simple, businesses need to invest in technology. In this case, there are three main technologies worth investing in:

A document getting into the wrong hands is going to cause your business, or a client’s business, damage. That is a fact. So aiming to implement all three is the best way to get a comprehensive solution.

2. Mapping your classifications

Before you get into classifying documents it’s important to ignore technology. Technology comes after you have decided the policies and processes you wish to follow.

What this means is that you need to map documents or types of documents into distinct groups. To do this, you should look at two key areas: the sensitivity of the document and its intended audience. This information will make up the foundation of your Information Classification Policy.

Many businesses already have classifications in place. But they’re often created, implemented and forgotten – quickly becoming unusable without weeks or months of additional work. You need to create an Information Classification Policy and not hide it away. It needs to be clear and easy for everyone to work with and conform to with little effort.

3. Building the Information Classification System

The foundation of any Information Classification Policy is categorising information. Here are a few example document classifications that will fit most business requirements:

  • Public: Documents that are not sensitive and there is no issue with release to the general public i.e. on a website
  • Confidential: Documents only to be viewed internally or with third parties that have signed a non-disclosure agreement
  • Employee Confidential: Documents only to be viewed by employees at the company
  • Management Restricted: Documents only to be viewed by the senior management at the company
  • Private: Documents which contain personal information (useful for managing GDPR compliance)

In general, you don’t want to go over 10 classifications because classification should be as simple as possible. If you find that you have too many classifications, consider only looking at sensitivity or only looking at intended audience to begin with then filling in any gaps.

Information classification policy examples

4. Assembling the Information Classification Team

A policy needs board-level support to ensure the business buys into and uses it. Once you have this, you should form a team which includes key departments in the business to enforce the policy.

This team may include people from technical, HR, legal and any other departments that are suitable for your industry. An appropriate team will be able to protect a business from security breaches whilst letting people access the information they need. And whilst it is important, the technical solution should be the last point to consider.

5. Designing the Information Classification Policy

Once you have your team assembled, you need to start going through your documents. In most organisations, it can be hard to know where to start.

To solve this, you should group documents at a high level, looking at the impact that a data breach of that type could cause. Focus on the most sensitive document types first. Once that’s locked down, you can move through the less sensitive list.

When going through this process there are a few tips you can follow.

For company documents, it’s advisable to put your company name first. This helps them stand out from any other classification, i.e. from a client or a partner business.

It’s also useful to colour code classifications to help distinguish documents by eye. This helps you identify a sensitive document that’s left on a screen, printer or vacant desk. The beauty of colour classification is that it aids you in taking action internally or externally: it’s simple to show that the person who mishandled the document knew the information was restricted.

It’s important that you make it easy for staff to label and classify documents. If it takes more than three clicks to label a document, staff will find ways to circumvent the system. People naturally take the path of least resistance. So if your system is obtuse, employees will find ways to bypass it.

6. Enforcing control with automation

Once you’ve designed the Information Classification System, it’s finally time to look at the technology. Automation is very helpful to ensure enforcement. You shouldn’t rely on people alone as things will drop through the cracks.

It’s important that any technology links back into the core authentication system within a business. This will typically be Active Directory – the system you use to log in to your PC at the office.

Doing this simplifies things as you can use existing user groups to give access to certain classifications. There’s likely to already be an Active Directory group called “Board Members” for example, which you can use straight away.

Of course, grouping people doesn’t guarantee a user will know who they can and can’t send specific documents to. Nor will it prevent them from sending a document to a recipient by mistake.

This is why a business should be using a Rights Management system. Rights Management ensures that the systems know who has permission to access the document. So even if someone does send a restricted document, the recipient won’t be able to view it.

7. Educating employees

Employees are one of the largest sources of data leakage. Make sure to train them on how to use the systems and refresh that training periodically.

Also educate them on any security risks to the business – known, current or potential. They need to understand why following policies is important and how not following them can impact the business and therefore them.

8. Controlling leavers

So many organisations do not manage ex-employees. It’s important to disable their accounts once they leave the company. Even if they left on good terms, it’s best not to take a risk.

Loose accounts complicate the system at best and act as an open hole for attackers at worst. Hackers or insiders can hijack old accounts and make use of their access privileges. So you need to shut down accounts or strip them of all access rights to reduce the risk to your data.
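The following is an added example, not code from the original article or from QuoStar, showing how the ideas in steps 3, 5, 6 and 8 fit together in one small model: the article’s five example classifications, company-prefixed and colour-coded labels, a rights-management style check that refuses a recipient whose directory groups do not match the classification’s audience, and a leaver routine that disables an account and strips its groups. The company name, the directory group names and the sample accounts are all constructed for the example; only the classification names come from the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum

# Hypothetical company name; the article advises putting it first in the
# label so company documents stand out from a client's or partner's labels.
COMPANY = "ExampleCo"


class Sensitivity(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2


@dataclass(frozen=True)
class Classification:
    name: str
    sensitivity: Sensitivity
    audience: frozenset  # directory groups allowed to read; "*" means anyone
    colour: str          # visual cue for the label (article step 5)

    def label(self) -> str:
        return f"{COMPANY} - {self.name}"


# The article's five example classifications, mapped to assumed directory
# group names (constructed for this example, not taken from any real system).
CLASSIFICATIONS = {
    "Public": Classification("Public", Sensitivity.PUBLIC, frozenset({"*"}), "green"),
    "Confidential": Classification("Confidential", Sensitivity.CONFIDENTIAL,
                                   frozenset({"Employees", "NDA Partners"}), "amber"),
    "Employee Confidential": Classification("Employee Confidential", Sensitivity.CONFIDENTIAL,
                                            frozenset({"Employees"}), "amber"),
    "Management Restricted": Classification("Management Restricted", Sensitivity.RESTRICTED,
                                            frozenset({"Board Members"}), "red"),
    "Private": Classification("Private", Sensitivity.RESTRICTED, frozenset({"HR"}), "purple"),
}


@dataclass
class Account:
    name: str
    groups: frozenset
    enabled: bool = True


# Constructed sample directory standing in for Active Directory: group
# memberships, an external NDA partner, a leaver whose account was disabled,
# and an outside address that is not in the directory at all.
DIRECTORY = {
    "alice": Account("alice", frozenset({"Employees", "Board Members"})),
    "bob": Account("bob", frozenset({"Employees"})),
    "carol@partner.example": Account("carol@partner.example", frozenset({"NDA Partners"})),
    "dave": Account("dave", frozenset({"Employees", "Board Members"}), enabled=False),
    "mallory@webmail.example": Account("mallory@webmail.example", frozenset()),
}


def review_order() -> list[str]:
    """Step 5: work through the most sensitive classifications first."""
    ranked = sorted(CLASSIFICATIONS.values(), key=lambda c: c.sensitivity, reverse=True)
    return [c.name for c in ranked]


def can_open(recipient: str, classification_name: str) -> bool:
    """Rights-management style check: the document opens only if the
    recipient's account is known, enabled, and in a permitted group. A
    document sent to the wrong person, or to a leaver, stays unreadable."""
    cls = CLASSIFICATIONS[classification_name]
    if "*" in cls.audience:
        return True
    account = DIRECTORY.get(recipient)
    if account is None or not account.enabled:
        return False
    return bool(account.groups & cls.audience)


def check_send(recipients: list[str], classification_name: str) -> dict[str, bool]:
    """Report, for a proposed send, which recipients could actually read it."""
    return {r: can_open(r, classification_name) for r in recipients}


def offboard(username: str) -> None:
    """Step 8: disable a leaver's account and strip all group memberships."""
    acct = DIRECTORY[username]
    DIRECTORY[username] = Account(acct.name, frozenset(), enabled=False)


if __name__ == "__main__":
    print(CLASSIFICATIONS["Management Restricted"].label())
    print(review_order())
    print(check_send(["bob", "mallory@webmail.example"], "Confidential"))
```

Because the permission is evaluated against the directory at open time rather than at send time, an accidental recipient simply cannot read the document, which is the behaviour the article attributes to Rights Management; offboarding a user is a single directory change that immediately closes every document they could previously open.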

9. Continually improving

It’s best if you adhere to common processes and document them somewhere accessible. To do this, you need robust information classification and risk policies that integrate with a wider standard. A good example to use as a framework is the ISO 27001 standard.

Doing this ensures that you assess and improve how you are controlling risks within the business, keeping you protected from an evolving threat landscape.

10. Widening the focus

It would be ridiculous to only focus on document security whilst ignoring the other risks to your business. So understanding all the risks your business faces and assigning suitable controls is something you must do.

Again, the ISO 27001 standard is a good framework to use for managing your information security on a wider basis. But this shouldn’t stop you going ahead and dealing with document security first. Getting this done will make things easier in the long term.

Summary

Businesses must control their risks, as failing to do so has catastrophic consequences. The key is to start simple and then improve. You don’t have to adopt everything at once.

A good starting point is to understand the sort of data you have and then to classify it. A good percentage of your business information could be used to extort or embarrass you, or even worse, a client.

Once you’ve got your classifications, tie them into document templates. Then automate management and workflow with technology. When done right, businesses can dramatically improve their security since the control is embedded in the asset itself. Rights Management can then control who can edit, copy, paste, print, email, transfer or view it at a later date.

Once in place, this can be overlaid with network controls such as Data Leak Prevention. This watches documents flow in and out of the business and can isolate, sandbox or alert relevant people that a breach may occur.

To take it further, systems at the perimeter, such as gateway encryption solutions, can identify sensitive information and encrypt it to ensure it won’t pass over the open Internet in clear text.

The list can go on but it’s important you start at the beginning by creating an Information Classification System. You need to understand what you have and what the risks and potential controls are first though.
