PC PORTAL

Uncategorized

July 30, 2019 By PC Portal

Nine lessons for strong incident response and recovery in a data breach

Data breaches are rarely out of the headlines, but the recent proposed fines against BA and Marriott will have pushed this risk back to the forefront for many businesses. Like many security threats, breaches are nothing new; we’ve covered this subject on our blog many times in the past.

A data breach can take many forms; it can involve an employee losing a laptop or mobile device that contains data about an organisation’s employees or customers. It might involve a criminal infiltrating IT systems to steal payment card numbers or bank account details. When the data involved is personally identifiable information, the General Data Protection Regulation comes into play. Under GDPR, organisations must report a breach to the data protection supervisory authority within 72 hours. A look through our archives netted us a valuable haul of nine lessons from past breaches that can help to guide you in forming an incident response plan.

Lesson 1: pay attention to security alerts

Let’s start back in March 2014. News of the now-infamous breach at the US retailer Target was still fresh, having happened the previous November. The security breach resulted in the loss of 40 million payment card details, as well as 70 million other personal records. The kicker? Not long before, Target had installed a network monitoring tool costing a cool $1.6 million. However, operators dismissed its early alerts that could have averted or at least mitigated the subsequent breach. Side note: back in those heady days, data breaches were still things that happened to other people. Our blog quoted the security expert Neira Jones, who confidently predicted that a retailer in the UK or Europe would suffer a data breach before long.

Lesson 2: scammers read the news, too

Fast forward to summer 2015 and the high-profile breach at Ashley Madison. The website’s interesting business model – encouraging extra-marital affairs – meant the loss of more than 30 million personal records had an extra sting. Apart from launching a thousand double entendres (we may have been guilty of a few ourselves), Ashley Madison catapulted the issue of data breaches firmly into the public consciousness. As it turned out, that proved to be a double-edged sword. As our blog writer Lee Munson noted, scammers often take advantage of the publicity surrounding a large breach. He warned companies to watch out for “spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts”.

Lesson 3: check password re-use

Later that year, four security breaches came to light in one single week. The victims were Experian, Patreon, and Australian retailers Kmart and David Jones. In our blog, we advised being aware of how information can be used against victims. For example, if someone’s password was compromised in one of those breaches, it’s worth checking whether they use the same passwords on other websites.

Lesson 4: check for vulnerability to SQL injection attacks

Soon after, the Chinese toy company Vtech revealed that an unauthorised party had accessed more than six million accounts. That was enough to make it the fourth largest ever breach to that point – however minor by today’s standards. Possibly the least surprising detail in the story was that the attacker used SQL injection to access the data. Lee Munson noted that even in 2015, this was an ancient and well known attack vector.

Lesson 5: employee negligence can lead to breaches too

Not all breaches are the work of external miscreants. ESET estimated that 138,000 smartphones and laptops are left behind in UK bars every year. Let’s leave aside some questionable maths in arriving at such an arresting stat. There’s no denying the risk from leaving devices just lying around when they could well hold personal information. That could include passwords, location history, personal photos and financial information. The survey found that two thirds of lost devices had no security protection. As anyone familiar with data protection and privacy issues will know, encrypting sensitive data is now a must.

Lesson 6: a data security breach can seriously harm your ability to do business

Whatever the source, the steady drip of breaches was starting to have an effect. By early 2016, data breaches ranked second on a listing of the biggest threats to business continuity. TalkTalk, victim of a serious breach the previous year, was a case in point. In the wake of the incident, and the company’s ham-fisted attempts at handling the fallout, a quarter of a million customers took their business elsewhere. Not long after, we covered a separate report that found the cost of online crime had tripled over the previous five years. Lee Munson wrote: “a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread”.

Lesson 7: mind your language

All too often, companies that have suffered a data breach are quick to throw about phrases like “sophisticated cyberattack”. But it’s often premature and just downright wrong, when any investigation is still ongoing, and the facts are unclear. “It’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent,” we wrote. Our post carried the headline “Time to remove ‘cyberattack’ from the infosecurity incident response manual?” Our inspiration was the Associated Press Stylebook’s decision to stop using the word cyberattack unless it specifically referred to widespread destruction. As AP lead editor Paula Froke said: “the word is greatly overused for things like hacking”.

That said, positive communication is a key part of any incident response plan. After detailing what word not to use, our post included advice for companies preparing post-incident statements.

  • Deal only in verified facts
  • Avoid speculation
  • Explain the incident in business terms
  • Include details of users or services affected by the breach.

Lesson 8: prepare a security incident response team

By mid-2017, the prospect of GDPR started coming into view, and the need to handle breaches appropriately started becoming clear. Senior management must lead the response efforts. “This is a business issue, not an IT problem,” said Brian Honan, who was speaking at an awareness-raising event. Brian recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from:

  • IT operations (because they know how data storage systems work)
  • HR (because a data breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately)
  • Legal (because GDPR obliges organisations to notify the regulator)
  • PR or communications (because the company will need to deliver accurate messages to external stakeholders, the media, or internal staff as appropriate)
  • Facilities management (because the organisation may need to recover breach evidence from CCTV or swipe card systems).

Lesson 9: test the security incident response plan

The most critical lesson is to develop and test incident response processes in advance. Speaking at the same GDPR event, Brian stressed that companies shouldn’t wait for a breach to happen before testing how their policies work. “Find out in advance how well your team works when an incident occurs. Carry out table-top exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.

Our trawling expedition proves it’s worth planning for something even when you don’t intend for it to happen. The steps we’ve outlined here should help you to recover from a data breach or security incident faster.

If you would like to evaluate your breach response, see our risk assessment services page for more information. Or, if you need guidance in developing a structured incident response plan, contact us.

The post Nine lessons for strong incident response and recovery in a data breach appeared first on BH Consulting.

Filed Under: Breach Disclosure, Digital forensics, GDPR, IT Security, Management, Risk Management Tagged With: Breaches, Disaster Recovery, syndicated, Uncategorized

May 28, 2019 By PC Portal

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Ireland’s so-called ‘encounter rate’ was just 1.26 per cent, the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared in the way the figures seem to suggest. One explanation for the reduced infection rate is that 2017 happened to be a banner year for ransomware: that year’s global WannaCry and NotPetya outbreaks skewed the figures, so by that reasoning the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Back up your data regularly and, most importantly, verify that the backups have worked and that you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Many of the steps involve simple security hygiene such as keeping anti-malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

Filed Under: BH Consulting News, Brian Honan, Computer Viruses, Cyber Crime, Digital forensics, IT Security, Security Tools Tagged With: InfoSec, ransomware, Security, syndicated, Uncategorized

April 17, 2019 By PC Portal

We are hiring – Senior Cybersecurity Consultant

Due to the continued expansion of our DPO as a Service, and CSO as a Service offerings, BH Consulting is now seeking to recruit a Senior Cybersecurity Consultant to join its growing team.

BH Consulting is a dynamic and fast-paced cybersecurity and data protection consulting firm. We provide a market leading range of information security services focused on GDPR, cybersecurity, cyber risk, digital forensics, ISO 27001, and awareness training.

We have a vast range of clients, from private and public sector organisations to large global multinational organisations. We operate both domestically in Ireland and internationally, with our head office located in Dublin.

The trust relationship with our customers underpins the fibre of our organisation. We nurture this trust relationship by investing time and resources to understand our customers’ business needs, and we provide advice that aligns with those needs.

Our team is passionate about successfully addressing the cybersecurity and data protection issues our customers have. We continue our journey to grow and expand and have established a new senior role within our organisation to support this growth.

Who are we looking for?

A senior cyber-security consultant who will work closely with the Chief Operations Officer and the CEO, Brian Honan. You will help BH maintain its customer relationships by delivering to existing clients, and you will also help to win new business. You will be an ambassador for BH’s trusted brand and your calibre will reflect this.

Who are you?

You are a Senior Cyber-security Consultant, with a wealth of experience at both a technical level and at senior management level. You have a reputation as a thought leader in cyber-security and data protection, and a strong technical background combined with senior leadership skills. You are a dynamic individual who likes to be challenged, and you have an in-depth knowledge of cyber risk management, cybersecurity, cyber strategy, data protection and business strategy. You will be able to understand the needs of both the C-suite and on-the-ground teams, and you will be able to talk to both audiences. You are target driven, and passionate about helping customers solve their cybersecurity and data protection risks.

Details of the role

  • Develop stakeholder relationships with executive management in our clients, and proactively develop ongoing service and product recommendations for these clients based on their business needs
  • Define and provide pragmatic security guidance and architectures that balance business benefit and risk
  • Assess and advise on cyber-governance models, data governance models, risk management programs, and data protection compliance frameworks
  • Deliver cybersecurity risk assessments, running assessment workshops with clients
  • Audit and review client cyber projects
  • Examine clients’ cyber-security controls and make appropriate and practical recommendations that achieve robust security or compliance outcomes
  • Consult on security considerations based on system delivery models including internally, hosted, cloud hosted, cloud managed, mobile, etc.
  • Provide pre-sales advice and support, working alongside account managers
  • Research emerging threats, vulnerabilities and security practices/standards to maintain professional relevance
  • Provide complex technical advice, recommendations and consultancy regarding networks, infrastructure, products and services
  • Provide guidance around IaaS, SaaS, and PaaS security best practices
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard.

Your responsibilities

  • Ensure that all BH Consulting clients receive a professional service in line with our company ethos and values
  • Ensuring a first-class service to clients is delivered on time and within budget
  • Planning and leading projects while effectively managing resources.
  • Leading and mentoring junior team members ensuring a high standard is maintained in line with KPIs
  • Demonstrating confidence of a strong technical skillset to clients in relation to cyber-defence and incident response
  • Delivering independent trusted advisory services to our clients to enable them to manage their risk profile
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard
  • Work with clients to ensure adherence to regulatory, legal, and relevant governance frameworks
  • Manage client relationships and accounts
  • Meet and exceed all KPIs and revenue targets
  • Plan and attend relevant events and conferences to promote the BH Consulting brand.

Core competencies

  • Excellent technical knowledge of cyber-security, information technology, and business risk
  • Strong business understanding and acumen
  • Excellent written and verbal communications skills, able to use a variety of communications styles, language, and media, to effectively build relationships with key stakeholders
  • Have strong attention to detail and ability to present that detail in a dynamic manner based on its audience
  • Excellent planning skills together with project management and prioritisation skills
  • Delivery focused – ensuring projects are delivered on time and within budget
  • Strong analytical problem-solving capabilities
  • Ability to work on own initiative, yet also strong team player
  • Comprehensive understanding of risk management principles and effective risk response strategies
  • Passion and drive – willingness to go that extra mile to achieve a target/objective
  • Be willing to travel both within Ireland and internationally to our widely diverse client base
  • Resilience – ability to meet challenges and pressures head-on and to manage and address set-backs as encountered
  • Collaborative – ability to cooperate and to communicate well, and to resolve differences of opinion quickly and mutually
  • Flexible and adaptable – ability to improvise and adapt to a dynamic business environment.

If this role interests you and you want to join an exciting and growing company, please send your CV to [email protected]

The post We are hiring – Senior Cybersecurity Consultant appeared first on BH Consulting.

Filed Under: IT Security Tagged With: syndicated, Uncategorized

February 18, 2019 By PC Portal

AWS Cloud: Proactive Security and Forensic Readiness – part 5

Part 5: Incident Response in AWS

In the event your organisation suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential impact of security incidents. These response measures are more effective when regularly tested, such as by running incident response simulation exercises.

This post relates to incident response in the AWS Cloud. It’s the last in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.

Incident Response

NIST defines a security incident as “an occurrence that actually or potentially jeopardises the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”. The figure below outlines the typical phases of an incident response lifecycle.

Figure 1: Incident response life cycle. [Source: Computer Security Incident Handling Guide]

Incident Response in AWS Cloud

Incident response in the cloud is not very different from incident response in a traditional on-premises environment. In fact, the AWS cloud environment offers several tools that can help the incident response process, such as AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS CloudFormation and AWS Step Functions. These tools enable you to track, monitor, analyse and audit events.

Audit logs are treasure troves and are indispensable during investigations. AWS provides detailed audit logs that record important events such as file access and modification. Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs. You can pre-provision tooling and a “clean room” which allows you to carry out forensics in a safe, isolated environment.

Figure 2: EC2 Auto Clean Room Forensics using Lambda, Step Functions, CloudFormation and an SNS Topic. [Source: Automating Incident Response and Forensics in AWS – AWS Summit Sydney 2018]

The following list provides guidance on having an appropriate incident response strategy in place, estimating the impact of incidents in the AWS environment, the AWS tools to prepare in advance for incident handling, responding to AWS abuse warnings, containing a compromised EC2 instance, and wiping information after the investigation.

The checklist provides best practice for the following:

  1. How will you ensure that you have an appropriate incident response strategy in place?
  2. What AWS tools should you use to prepare in advance for incident handling?
  3. How will you respond to AWS abuse warnings?
  4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?
  5. How will you ensure sensitive information is wiped post investigation?

Best-practice checklist

1. How will you ensure you have an appropriate incident response strategy in place?

  • Make sure the security team has the right tools pre-deployed into AWS so that the incident can be responded to in a timely manner.
  • Pre-provision a ‘clean room’ for automated incident handling.
  • Have a list of relevant contacts that may need to be notified. Decide on the medium of communication. If the compromised account contains personal data, you may be required to contact the Data Protection Commission (DPC) within 72 hours to comply with GDPR.
  • Conduct incident response simulations regularly in both non-production and production environments. Incorporate lessons learned into the architecture and operations.

2. What AWS tools should you use to prepare in advance for incident handling?

  • Tags in AWS allow you to proactively label resources with a data classification or a criticality attribute so you can quickly estimate the impact when the incident occurs.
  • AWS Organizations allows you to create separate accounts along business lines or mission areas, which also limits the “blast radius” should a breach occur; for governance, you can apply policies to each of those sub-accounts from the AWS master account
  • IAM grants appropriate authorisation to incident response teams in advance
  • Security Groups enables isolation of Amazon EC2 instances
  • AWS CloudFormation automates the creation of trusted environments for conducting deeper investigations
  • AWS CloudTrail provides a history of AWS API calls that can assist in response and trigger automated detection and response systems
  • VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC
  • AWS Key Management Service (KMS) encrypts sensitive data at rest including logs aggregated and stored centrally
  • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour
  • Amazon CloudWatch Events triggers different automated actions from changes in AWS resources including CloudTrail
  • Amazon S3 stores snapshots and related incident artefacts
  • AWS Step Functions coordinates a sequence of steps to automate an incident response process
  • APIs automate many of the routine tasks that need to be performed during incident handling.
3. How will you respond to AWS abuse warnings?

  • Set up a dedicated security communication email address
  • Do not ignore abuse warnings. Take action to stop the malicious activities, and prevent future re-occurrence
  • Open a case number with AWS Support for cross-validation.
4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?

  • When containing the instance manually, use IAM to restrict access permissions to the compromised Amazon EC2 instance
  • Isolate the instance using restrictive ingress and egress security group rules, or remove it from a load balancer
  • Tag the instance as appropriate to indicate isolation
  • Create snapshots of EBS volumes
  • Notify relevant contacts
  • Use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation
  • You can automate the above steps using Lambda, Step Functions, CloudFormation and an SNS Topic to prepare an EC2 auto clean room for containing the instance
  • You could also use the aws-security-automation code on GitHub, which is a collection of scripts and resources for DevSecOps, security automation and automated incident response remediation.
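The manual containment steps above (swap the instance into an isolation security group, tag it, snapshot its EBS volumes) as one scripted sequence. This is an added example, not code from the original post or from the aws-security-automation repository; `quarantine_instance` takes any object exposing the boto3 EC2 client calls it uses, so in a real account you would pass `boto3.client("ec2")`, while the `FakeEC2` class is a constructed in-memory stand-in that lets the example run offline.

```python
from datetime import datetime, timezone


def quarantine_instance(ec2, instance_id, case_id):
    """Contain an EC2 instance: isolate it, protect it from termination,
    tag it and snapshot its volumes. Returns what was done for the incident log."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    vpc_id = instance["VpcId"]

    # 1. Isolation security group: a new group has no ingress rules, but AWS
    #    adds an allow-all egress rule by default, so revoke that explicitly.
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{case_id}",
        Description=f"Isolation group for incident {case_id}",
        VpcId=vpc_id,
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    # Replacing (not appending to) the group list cuts all existing network access.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 2. Preserve evidence: block API termination and record the isolation in tags.
    ec2.modify_instance_attribute(
        InstanceId=instance_id, DisableApiTermination={"Value": True}
    )
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    tags = [
        {"Key": "SecurityStatus", "Value": "quarantined"},
        {"Key": "IncidentCase", "Value": case_id},
        {"Key": "QuarantinedAt", "Value": stamp},
    ]
    ec2.create_tags(Resources=[instance_id], Tags=tags)

    # 3. Snapshot every attached EBS volume before anyone touches the host,
    #    carrying the same tags so the artefacts stay linked to the case.
    snapshot_ids = []
    for mapping in instance.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"Forensic image of {volume_id} for incident {case_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        snapshot_ids.append(snap["SnapshotId"])

    return {"instance": instance_id, "isolation_sg": sg_id, "snapshots": snapshot_ids}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client (hypothetical, for offline use).
    It records calls and mimics only the response fields the function reads."""

    def __init__(self, instance_id, vpc_id, volume_ids):
        self.instance_id, self.vpc_id, self.volume_ids = instance_id, vpc_id, volume_ids
        self.groups = {}                      # sg_id -> {"egress": [rules]}
        self.instance_groups = ["sg-original"]
        self.termination_protected = False
        self.tags = {}                        # resource id -> {key: value}
        self.snapshots = {}                   # snapshot id -> volume id

    def describe_instances(self, InstanceIds):
        assert InstanceIds == [self.instance_id]
        return {"Reservations": [{"Instances": [{
            "InstanceId": self.instance_id, "VpcId": self.vpc_id,
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volume_ids]}]}]}

    def create_security_group(self, GroupName, Description, VpcId):
        sg_id = f"sg-{len(self.groups) + 1:08x}"
        # Mimic AWS: fresh groups get an allow-all egress rule.
        self.groups[sg_id] = {"egress": [{"IpProtocol": "-1",
                                          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
        return {"GroupId": sg_id}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        rules = self.groups[GroupId]["egress"]
        self.groups[GroupId]["egress"] = [r for r in rules if r not in IpPermissions]
        return {"Return": True}

    def modify_instance_attribute(self, InstanceId, Groups=None, DisableApiTermination=None):
        if Groups is not None:
            self.instance_groups = list(Groups)
        if DisableApiTermination is not None:
            self.termination_protected = DisableApiTermination["Value"]

    def create_tags(self, Resources, Tags):
        for rid in Resources:
            self.tags.setdefault(rid, {}).update({t["Key"]: t["Value"] for t in Tags})

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.snapshots) + 1:08x}"
        self.snapshots[snap_id] = VolumeId
        self.create_tags([snap_id], TagSpecifications[0]["Tags"])
        return {"SnapshotId": snap_id}
```

The IAM principal running this needs only the EC2 actions called here, which is also the set you should pre-authorise for the response team rather than granting broad administrator rights.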

5. How will you ensure sensitive information is wiped post investigation?

  • Securely wipe files and delete any KMS data keys, if used.

For more details, refer to the following AWS resources:

  • AWS Well-Architected Framework
  • AWS Security Pillar
  • AWS Security Best Practices
  • What is Amazon CloudWatch Logs?
  • Automating Incident Response and Forensics in AWS – AWS Summit Sydney 2018
  • aws-security-automation (GitHub repository of tools)
  • NIST Computer Security Incident Handling Guide

Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist

Let us know in the comments below if we have missed anything in our checklist!

DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.

Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.

Editor: Gordon Smith

The post AWS Cloud: Proactive Security and Forensic Readiness – part 5 appeared first on BH Consulting.

Filed Under: IT Security Tagged With: syndicated, Uncategorized

January 24, 2019 By PC Portal

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

Filed Under: Business Continuity, Computer Viruses, Cyber Crime, Incident Response, ISO 27001, IT Security, Risk Management, Threats Tagged With: Breaches, Disaster Recovery, InfoSec, Security, Security Awareness, syndicated, Uncategorized

Copyright © 2021 · PC PORTAL