Nine out of ten security breaches are the result of social engineering or phishing, meaning deceptive manoeuvrings whose goal is to usurp the identity or steal the login details of information systems users. Likewise, most acts of fraud (65%) carried out on companies do not come from premeditated acts or a weakness in the system, but actually from an exploited opportunity to commit fraud.
Across the whole information systems protection chain (a notion much vaster than “cyber security” and which includes both digital and analogue systems), the human element is still the weakest link. In fact, it constitutes the bulk of the 4 million euros spent every year by businesses in an attempt to block breaches in their security system.
Security culture must be part of company DNA
Today, digitalisation is an integral part of our lives. However, too often we forget that the main object of security is not the system itself but the data it contains, whether personal, medical, business, or contractual in nature.
With the digital world having become an extension of the real world, the same sort of vigilance must be applied. Just as we close the door behind us when we leave the house, or install a security door to protect our home, our online space should also be protected. So, the companies that “forget to close the door” are exposing themselves to theft; of their strategy, of their business information, or of their processes.
Yet, a lever does exist that will allow the risk of attack to be reduced: raising awareness amongst users. In fact, without a training and awareness procedure in place for professionals and companies in general, any technical measures will be useless because the user will carry on clicking links without verifying them.
When it comes to data security, there’s no such thing as zero risk
A few technical solutions currently applied to IT systems are firewalls, measures against ransomware, antivirus software, operating system updates, or strengthening passwords. However, the human firewall is still the safest protection system.
These solutions, as well as an active defense policy (searching the networks to detect potential attacks, preventative and corrective techniques, artificial intelligence, etc.) can contribute to reinforcing system integrity. However, it is not so much a question of using one single technology, but rather of applying several “layers of security” so as to prevent unprotected systems (a driverless car, for example) from being attacked.
Cyberspace can’t escape data protection regulation
Cyberspace seems to be a new political place where citizens are interacting with each other. As such, it is subject to the current legislation in place.
Regulation is taking on a greater international dimension. In Spain, the law on data protection (Ley Orgánica de Protección de Datos, or “LOPD”), the equivalent of the “information and freedoms” law in France, protects personal data regardless of format, from a simple voice recording to notes written in a notebook. The European Data Protection Directive, which will come into effect in May 2018, claims to be more restrictive, obliging data security to be taken into account as soon as the information system is set up. Lastly, the ISO 27001 standard aims to certify the most secure information systems.
Security is not incompatible with our private life. On the contrary, it’s the only way to guarantee its privacy. A good number of smartphone apps are free. The consequence? The user becomes a product whose data can be exploited. Security and legislation therefore aim to prevent this information from being used maliciously.
Learning lessons from data security errors
Over time, professionals and private individuals have taken data protection into their own hands. Previously, companies that were victims of an attack due to a security breach preferred to brush the incident under the carpet through fear of tarnishing their image. Today, they are striving to reduce the impact of the problems and learn lessons from them.
This is what happened with the WannaCry phenomenon. Companies have recognised the facts and, although the episode has been widely told, its effects were minimised in relation to other attacks happening until now.
Whilst this accident reminds us not to forget our operating system updates (Microsoft published a patch in March), it above all underlines the importance of the user in the overall security strategy. Another lesson to be learned: security is everyone’s responsibility.
Data security: a field in full development
Attacks happen in the world every day, everywhere. Even if our systems are largely well protected, with the time and the means, no infrastructure is infallible.
At present, security measures are on a code level so as to identify vulnerabilities. Similarly, firewall and antivirus type software are improving and becoming more and more robust. Despite all of this, there is still some way to go before users will be fully conscious of the issues around data security.
Monica De La Huerga
Latest posts by Monica De La Huerga (see all)
- 5 tips for reinforcing information systems security - 11 December 2017