Businesses often have a very limited understanding of the value of their data to a potential hacker
Cyberattacks are more significant to Australian organisations now than they have ever been.
This is due to extensive use of the cloud and what that means from a security risk management perspective, in addition to how little businesses really understand about the types of data valued by hackers, According to Keith Marlow, Security Architect at ELMO Software
“In the good old days, data was held in computers onsite with multiple physical and logical controls around access,” Marlow told HRD.
“It was easy to keep secure as there were less moving parts and they were all in one place.”
Nowadays, however, with the extensive use of offsite internet-based solutions and the myriad of integrations required to function, “businesses have much less direct control over data security”.
“Hackers are well aware of this increased complexity and lack of unified oversight, using this to gain access to systems over an extended time frame,” said Marlow.
In fact, he said it is quite typical for a data breach to be discovered 200 days after it has occurred.
Additionally, businesses often have a “very limited understanding” of the value of their data to a potential hacker.
“Businesses naturally secure what they consider valuable, which is often the complete opposite to what a hacker values, and hence why we are seeing such large scale data breaches - the defensive focus is often wrong,” he said.
“Combine these two factors, the highly interconnected and distributed nature of modern data processing with the lack of understanding of how hackers value data, and you have a 'perfect storm'.”
READ MORE: Data breach prompts discrimination fears
This security hostile environment is one of the reasons why ELMO Software recently obtained ISO27001:2013 certification (with an essentially clean pass in that we had no observations or recommendations).
“We wanted to directly underline our professional commitment to the security
of our clients’ data and demonstrate that we are a security-first organisation,” said Marlow.
“Also, as part of that, we wanted to show that we understand what hackers value and set our defensive focus appropriately to defeat them.”
Through phishing emails, social engineering attacks and identity theft, employees are now finding themselves at the front-line of fending off attacks.
Most finance staff, for example, have encountered the 'emergency purchase order with payment to a new bank account' attack and similar techniques to obtain money by deception.
With people's tendency to post more and more about themselves onto social media, Marlow said it is also becoming easier for a motivated hacker to determine which business decision-makers to target with a greater likelihood of success.
“Employees are now being targeted to plant malware and unwittingly allow hackers to enter business infrastructure, where they can lie in wait for months for the right opportunity to arise.”