“The key to good, frictionless, security is understanding the needs and the operations of the business to efficiently build controls around them. Security should be baked in, not sprayed on.”
Senior Security Engineer – Dan Perry
What is infosec?
Quite often a part of information risk management, Information Security (often shortened to ‘Infosec’) is the process of reducing and removing the risk of unauthorized access, use, disclosure, disruption, deletion, corruption, modification, inspection, or recording.
In order to protect information, and in today’s climate a lot of personal data, businesses must follow these principles to best handle their data storage:
The ‘CIA Triad’
The confidentiality principle is to ensure that private information remains private and that it can only be viewed or accessed by individuals who need that information in order to complete their job duties.
The principle of integrity is designed to ensure that data can be trusted to be accurate and that it has not been inappropriately modified.
Protecting the functionality of support systems and ensuring data is fully available at the point in time (or period requirements) when it is needed by its users. The objective of availability is to ensure that data is available to be used when it is needed to make decisions.
See Purple’s Information Security Qualifications at the end of this blog!
“It takes 20 years to build a reputation and few minutes of a cyber incident to ruin it.”
Forms of security breaches
A man-in-the-middle (MitM)
A MitM attack occurs when a hacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
One example of a MITM attack is active ‘eavesdropping’, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection.
Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website.
Phishing can be conducted via a text message, social media, or by phone, but the term ‘phishing’ is mainly used to describe attacks that arrive by email.
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.
Victims of DoS attacks often target web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.
“Security isn’t something you buy, it’s something you do, and it takes talented people to do it right.”
Consequences of a security breach
Loss of Revenue
This consequence can be heavily influenced by the type of cyber attack a hacker has chosen to use, however, data leakages will result in additional security costs, market share value loss, as well as costs to compensate affected customers.
While a short-term hit to a business’s revenue may not seem all too damaging, the real cost comes over time. Once word of a security breach gets out, partners and prospect/existing customers may not think twice before “jumping ship” taking an even larger chunk out of a companies income.
Fines, fines, and more fines.
There are numerous regulations around the world that businesses must follow, for example:
- Europe – GDPR (GDPR is an EU Regulation and it no longer applies to the UK)
- UK – Data Protection Act
- China – Personal Information Protection Law
Under UK GDPR and DPA, the maximum fine chargeable is £17.5m or 4% of annual global turnover – whichever is greater. Businesses operating under EU GDPR and DPA however can be charged with a maximum fine of €20 (£18m).
Disruption of Operations
With any attempt or successful breach, all businesses will face an impact on operations as extensive investigations to report the damage, cause, and find the source.
In some cases, businesses halt completely for damage control and devise a recovery plan, and during this time all of the above points worsen.
Largest Data Breach of the 21st Century
In 2013 Adobe was hacked and over 153 million user records were attained including encrypted IDs, passwords, and debit and credit card information.
Adobe had to pay $1.1 million in legal fees and In November 2016, the amount paid to customers was reported at $1 million.
“If you can’t afford security, you can’t afford a breach.”
Purple’s infosec certification
Purple is ISO/IEC 27001 complaint for the design and development of cloud-based wifi software for the handling and storage of personal data. Our ISO certification is something we’ve maintained for a number of years and has ensured we have the correct processes, people, and technology in place to ensure the secure delivery of our product in line with our obligations to our customers and their data subjects. ISO 27001 designated a framework of controls spanning the entire business from how we manage our human resources to cryptography.
By taking this baseline and expanding upon it to feed in our business goals (internal requirements) and our customers’ expectations (external requirements) we’ve built a secure and repeatable way of operating that’s fit for purpose.
The Cyber Essentials scheme is a relatively new scheme backed by the UK government and the NCSC which is aimed at enabling SMEs (small to medium enterprises) as a way of ensuring a security baseline to their customers and enable them to apply for government procurement processes.
The Cyber Essentials certification is a self-assessment tool, however, due to the confidence in our controls, especially in having already implemented the more robust ISO 27001 framework, we took this one step further and achieved the Cyber Essentials Plus Certification by having our controls validated against an independent accredited CE+ security partner.
Eager to learn more? Find out How to keep your business safe online – Read here