Successful cyber security is a business-wide imperative that requires the support of every part of the organisation. Everyone across the company shares the responsibility for ensuring that those who handle and distribute sensitive data know current security best practice, and that the business has the know-how to fix security weaknesses before an attacker finds them.
As the gatekeepers of corporate finance, treasury should be more aware of this responsibility than most. Financial data is one of the most sought-after prizes by hackers, making anyone involved in the financial arm of the business a prime target for all manner of attacks.
For security measures to be effective, businesses need to continuously review their databases, networks and applications (their 'DNA') and assess the ability of those assets to withstand an attack. This is achieved through security testing: continuous security testing helps identify and remediate security weaknesses across a business's infrastructure.
Below are seven reasons why organisations should continuously test their networks. While some might seem to belong firmly to the IT department, financial professionals should understand both the risks and the solutions for protecting their data.
1. To get to the root cause before the attacker does: Vulnerabilities in databases, networks and applications increase the risk of a data breach. As revealed in the '2015 Trustwave Global Security Report', 98% of the applications that the company's experts tested in 2014 had at least one vulnerability; the largest number found in a single application was 747. Among the most common web application vulnerabilities were information leakage, cross-site scripting and SQL injection (malicious SQL statements inserted into an input field so that the database executes them). It is critical that businesses continuously identify and remediate security weaknesses across their infrastructure. Testing should not be merely a point-in-time, annual task on the 'to do' list.
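To make the SQL injection point concrete, the following is an added example (not code from the original article or from Trustwave): a small, constructed in-memory payments table queried first by string concatenation, which lets the input rewrite the query, and then by a parameterised query, which treats the same input as a plain value. The table, the users and the hostile input string are all invented for the illustration.

```python
import sqlite3


def build_db():
    """Construct an in-memory payments table with invented rows (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, beneficiary TEXT, amount REAL, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO payments (beneficiary, amount, owner) VALUES (?, ?, ?)",
        [
            ("Acme Ltd", 1200.0, "alice"),
            ("Globex plc", 5400.5, "bob"),
            ("Initech", 99.0, "alice"),
        ],
    )
    return conn


def payments_for_owner_vulnerable(conn, owner):
    """VULNERABLE: the caller's input is pasted into the SQL text, so quotes in it
    become part of the statement and can change what the query does."""
    sql = "SELECT beneficiary, amount FROM payments WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def payments_for_owner_safe(conn, owner):
    """SAFE: the input is bound as a parameter; the database never parses it as SQL,
    so a quote in it is just a character inside the compared value."""
    sql = "SELECT beneficiary, amount FROM payments WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both versions with an honest value and with a classic injection payload."""
    conn = build_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # turns the WHERE clause into a tautology
    return {
        "vuln_honest": payments_for_owner_vulnerable(conn, honest),
        "vuln_hostile": payments_for_owner_vulnerable(conn, hostile),  # every row leaks
        "safe_honest": payments_for_owner_safe(conn, honest),
        "safe_hostile": payments_for_owner_safe(conn, hostile),  # no owner has that literal name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hostile input leaks every owner's payments through the concatenated query but returns nothing through the parameterised one. A security test for this class of flaw does exactly what `demo()` does: it submits inputs containing quote characters and SQL fragments and looks for responses that differ from what a literal value should produce.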
2. To uncover and fix poor passwords: Easy-to-crack passwords have been on the business risk list for a number of years, yet employees are still able to use easy-to-remember passwords to access corporate systems. According to Trustwave's report, 'Password1' remains the most commonly used business password, and 39% of the passwords tested were eight characters long; in Trustwave's testing these typically took no more than one day to crack, whereas a ten-character password could take 591 days. Security testing helps organisations to identify and strengthen weak passwords.
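As an added illustration of what "testing for weak passwords" means in practice (this is example code written for this page, not Trustwave's tooling), the block below runs an offline dictionary attack over a constructed set of password hashes and compares the brute-force keyspace of eight- and ten-character passwords. The usernames, passwords, the small wordlist and the guessing rate are all assumptions made for the example; the hashes are unsalted SHA-256 purely to keep the demonstration self-contained, and the cracking-time figures depend entirely on the assumed rate.

```python
import hashlib

# Constructed sample hash dump (invented users and passwords, not from any real system).
# Unsalted SHA-256 is used only so the example is self-contained and reproducible.
SAMPLE_HASHES = {
    "treasury01": hashlib.sha256(b"Password1").hexdigest(),
    "treasury02": hashlib.sha256(b"Summer2016").hexdigest(),
    "treasury03": hashlib.sha256(b"j8#Lq2!vZp").hexdigest(),
}

# A tiny constructed wordlist; a real audit uses breach corpora and mangling rules.
WORDLIST = ["password", "Password1", "welcome1", "Summer2016", "letmein"]

PRINTABLE_ASCII = 95  # size of the alphabet an attacker must assume for mixed passwords


def dictionary_attack(hashes, wordlist):
    """Return {username: recovered_password} for every hash that matches a wordlist entry.

    Hashing the wordlist once and looking each stored hash up in it is the same
    shape of attack a cracker runs against an exported password database.
    """
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def brute_force_days(length, alphabet=PRINTABLE_ASCII, guesses_per_second=1e11):
    """Worst-case days to exhaust every password of `length` symbols.

    `guesses_per_second` is an assumed attacker rate for illustration; the absolute
    figure changes with hardware and hash algorithm, the ratio between lengths does not.
    """
    return alphabet ** length / guesses_per_second / 86400


def length_penalty(short_len, long_len, alphabet=PRINTABLE_ASCII):
    """How many times more guesses a brute-force attack needs for the longer length."""
    return alphabet ** (long_len - short_len)


def audit(hashes=SAMPLE_HASHES, wordlist=WORDLIST, min_length=10):
    """Combine the dictionary result with a length-policy check on the recovered passwords."""
    cracked = dictionary_attack(hashes, wordlist)
    findings = {}
    for user, pw in cracked.items():
        reasons = ["in wordlist"]
        if len(pw) < min_length:
            reasons.append("shorter than %d characters" % min_length)
        findings[user] = reasons
    return findings


if __name__ == "__main__":
    print("cracked:", dictionary_attack(SAMPLE_HASHES, WORDLIST))
    print("findings:", audit())
    print("8 chars: %.2f days, 10 chars: %.2f days (assumed 1e11 guesses/s)"
          % (brute_force_days(8), brute_force_days(10)))
    print("10 vs 8 characters needs %dx the guesses" % length_penalty(8, 10))
```

Two of the three constructed accounts fall to a five-word list, which is the typical result of such an audit: the attacker does not need to brute-force anything when the passwords are in a wordlist. For the ones that are not, each extra character multiplies the keyspace by the alphabet size, which is why the ten-character figure in the report is so much larger than the eight-character one.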
3. To gain visibility of what your third party providers are doing: With the introduction of emerging technologies, businesses have to outsource certain activities. However, companies must have a clear understanding of how their third party providers are securing those platforms and what access the providers may have into the corporate network. When a business places blind trust in a third party provider, it does not know how, or whether, the provider is adequately securing the company's sensitive data.
4. Complacency can be costly: Large fines for security breaches have made headlines for some time, but they are set to increase further. The European Union General Data Protection Regulation (GDPR) is currently being finalised, with the regulation tentatively scheduled to come into effect by the end of 2017. Under the new legislation, firms found responsible for major data breaches could be fined up to four per cent of their global annual turnover.
5. To avoid overlooking security: Everyone can relate to the challenge of completing a project and deploying it by a specific, mandated deadline. If that applies to you, do not overlook the security essentials. According to the '2016 Trustwave Security Pressures Report', 77% of IT professionals have been pressured to launch IT projects that were not security ready. When security is pushed aside in this way, the application, and with it the organisation, is left open to attack.
6. To know how and where employees are accessing business data: Bring your own device (BYOD) is now a mainstay in many work environments, so businesses must stay on top of the risks posed by those devices and the infrastructure they connect to. Continuous security testing identifies security weaknesses in those devices and that infrastructure promptly, so that they can be fixed before they are exploited.
7. To make changes securely and ensure your most valuable assets are protected: Any change to an organisation, whether the introduction of new technology or new employees, can bring additional vulnerabilities. With cyber criminals after your most sensitive and saleable data, configuration mistakes, identity and access control issues or missing patches can lead to privilege escalation, denial of service, data leakage or unauthorised modification of data. If you do not test and re-assess whenever you make a change, you put the business at risk of a breach. Testing needs to happen more often than the annual compliance review and become a standard procedure in any organisation's security programme.