At Axis, we take information security incredibly seriously. As such, we obtained ISO27001:2013 certification atypically early in a company's lifecycle, we run extensive live and automated checks on our code and platforms, and behind the scenes we are working on a list of other compliance programmes. Why? Because this is the data age, and data is "the most valuable asset on earth" (yes - I do recognise the irony in quoting Brittany Kaiser here).
What many people miss is that it's not just IT who need to work on this. Per PwC's 2018 Global State of Information Security Survey, the largest single source of information security incidents is employees, at 30%. Not hackers or unscrupulous competitors, but your own employees. So, in this spirit, here are three things for everyone to think about when considering how information security is everybody's business.
1) Hackers are not just sweaty guys in a darkened room cutting code
The stereotype is dead - as I referred to above, data is the new oil. If you consider the top 10 most valuable brands in the world, three quarters of them are either large-scale collectors of, traders of, or processors of data as a core part of their business (in Amazon's case, all three).
As such, obtaining that data has become a valuable activity in itself. Some of this is legitimate, like paying Facebook to advertise against a targeted profile. Some of it, however, is not - the list of breaches from July 2019 alone shows how much illegitimate activity there is in this space. But if you look at that list carefully, you'll notice something. It's not just hackers running scripts looking for vulnerabilities. A lot of it comes from more sophisticated means.
A good example of the change in methods: we’ve all seen a phishing email, and most of the time we can pick them out, but when you receive a phone call from someone claiming to be your broadband provider and the first thing they ask for is details to “verify your identity”, you hand over your name, postcode and date of birth without questioning. Why?
As such – be careful. Anyone calling up purporting to be from Stripe/Salesforce/HMRC/etc. is just as likely to be phishing as someone sliding into your inbox. One loose comment could be all the clues someone needs to crack your password hint. It is now so commonplace that penetration testing consultancies employ this as a standard method when testing, alongside the other technical methods they might use.
2) Use every means you can to make it impossible to break through defences - even if it's a minor hassle
This point is pretty simple. If you use the same password everywhere, and that password is leaked (take a look at Have I Been Pwned and see how many times your email address has appeared in a stolen list), how secure is anything you can log into? There are two super-simple steps you can take:
- Get a password manager - look at the popular ones like LastPass, 1Password and Dashlane, install them on your devices and never use the same password twice. Now that most phones allow third-party password managers, there is no longer any excuse not to use one.
- If multi-factor authentication is available, use it - MFA is unpopular on UX grounds, but it is a brilliantly simple way to keep logins secure. If your email address and password have been compromised, but you still need your phone to generate a token, or to receive a code by SMS or call, in order to log in, you're still secure.
It might add a few seconds to your experience, but what is the comparative cost of a breach? It doesn't bear consideration.
3) Accommodate your IT team and suppliers in making security changes to your platforms
This is a little bit of a tub-thump, but it's one of those things that needs reiterating. Regardless of size or scale, all organisations have to budget and prioritise their spend. Everyone wants to do the cool new things, nobody wants to do the maintenance work; investment has historically been about return on capital and not about keeping the fundamentals running. This culture has definitely started to change in the last 5-10 years, however it remains harder to sell a fear-based security programme than an optimistic programme that could increase revenues tenfold (as a British company, the Brexit example immediately springs to mind).
So - when that prioritisation happens, and the IT team want to do something that interrupts the flow of your platform (MFA, magic links, captchas - take your pick), has no easily quantifiable return on investment (successful attacks avoided? GDPR fines we might have paid but didn't? Anyone up for those KPIs?) and is going to push out your cool improvement by anything from 3 weeks to 3 months, cut them some slack. GDPR fines are designed to be borderline existential for most businesses, big or small.
Nothing is foolproof, but it doesn't take a lot to help
Nothing in the tech world is completely foolproof - the incredible pace of technology development in both physical infrastructure (from the phone in your hand to AWS's 69 availability zones, and counting) and software means that issues will be found, and there will be people who seek to exploit them. If we, as the users of this technology, can at least keep the simple bits in check and behave with cognisance of the world we now live in, we can collectively make it a much harder place for the exploiters to operate in.