There are three stages to data security, says Fraser Jack, head of The Cyber Collective.
Speaking at Riskinfo’s Riskinfocus 23 CPD Tour event in Melbourne, Jack said every company that stores information is responsible for protecting it, that data security is a team sport, and that every company should have a cyber security champion on the staff.
“The champion, an existing member of staff who ideally enjoys IT, can make sure members of the team are using strong passwords, seeing that those passwords are changed every few months, ensuring company apps are updated, and take control of that for the company,” he says.
Jack says every firm should review their IT systems and identify any risks to their data being seen by people who should not have access to it (that includes staff and hackers).
“Understand what the risks are, how people might get in to your network, and put protections in place,” he says.
Jack says the three stages of data security are:
- Before an attack – identify the threats and mitigate
- During an attack – have a robust response plan
- After an attack – restore data and recover
Jack recommends companies have a plan to follow when a cyber attack happens, and that each step of the plan is rehearsed with all staff – much like a fire drill when everyone is asked to leave the building.
He says: “You can’t sit there wondering what to do during an active attack on your business. You need a plan in place so all staff know how to react, what to do…And that will include taking all your computers off line while the intrusion is assessed and dealt with.
“That means you need a business continuity plan to cover you until all your computer systems can go back online. We all know the phrase ‘If you fail to plan, you plan to fail’, but that isn’t strong enough in this case.
…if your business is attacked, you’ve been punched in the mouth…
“As Mike Tyson says, ‘we all have a plan until we get punched in the mouth’. So if your business is attacked, you’ve been punched in the mouth. The adrenalin kicks in and you won’t know what to do unless you have a pre-arranged plan in place.
“You need to keep your guard up, train your staff, and understand that somebody is coming for you. It could be a teenager having fun or something far more malicious that leads to your data being shared on the dark web until you pay a ransom.”
Jack also cautions that once inside your computer network, a hacker can go undetected – sometimes for months – until a staff member notices something is wrong.
He suggests installing software to identify intruders along with two-factor authentication for a belt and braces approach to system access and email logins.
