With Sony, and even the CIA having fallen foul of hackers lately, we’re all aware of the danger posed by ever more sophisticated, determined hackers, driven less by monetary gain and more by political and ideological motives.
So how do you prevent hackers from taking down your website? We asked KPMG’s head of information security, Malcolm Marshall, for his advice.
1. Brace for war
Be prepared. Find out if you are a target and assess your capacity to ‘catch’ threats before they appear.
This new breed of hackers will persist until every potential vulnerability has been exposed. Don’t just defend your ‘crown jewel’ assets – areas perceived as low-risk often provide an easier route in for patient attackers. Stay alert and test for defensive weaknesses.
3. Know your enemy
Levels of determination have increased as motives have changed. These are more than one-off threats. This is prolonged warfare, and requires a different mindset.
Thoroughly review your current defence strategy and mechanisms. Assessing your vulnerability and existing security capabilities can highlight weaknesses in processes, systems and controls.
5. Learn from your victories and defeats
Organisations that are successful at avoiding security breaches are often highly focused on managing data security and learn lessons from their own, and others’, experiences in the field.
6. Bide your time
A rushed reaction can give the perpetrator more information about the organisation and its defences. Be wary of giving away vital information with an immediate response.
7. Call in support
Create a cross-organisational incident management plan, involving all stakeholders and regulators as well as HR, risk and communications. Escalate the data loss issue to the highest ranks of the business to secure executive level support.
8. Remember: careless talk costs data
Educate your employees to avoid sharing confidential information on social networking pages and to be wary of unknown links or contacts.
9. Beware of hidden threats
The consumerisation of IT in the workplace can create a potential security ‘gap’, as sensitive documents and systems are accessed on unsecured devices. Install security software to protect from leaks and attacks and train staff to understand the risks.
10. Take control
In the event of a breach, notify all customers, regulators and stakeholders early, and detail the action being taken. Ensure that investigation and crisis management capabilities are comprehensive, and that they are implemented quickly to protect reputation, as well as data.
- Image credit: José Goulão/Flickr