Equifax data breach - not 'just an IT issue', HR need more involvement, says ITCS

BRIDGEND, Wales - Sept. 22, 2017 - PRLog -- Cyber security professionals are hot property at the moment, with a 70% increase in job vacancies across the sector. It's therefore no surprise that that the ITCS IT security team are in constant demand.

The recent Equifax data breach and the Wannacry ransomware attack have made world headlines, highlighting the need for robust IT security, especially with new GDPR rules due to come into force.

Two Thirds of FTSE Companies have been hit by a cyber attack
IT security audits are increasingly important. In case you think your company can't be affected, the 2015/16 Cyber Governance Health Check made sobering reading. Two-thirds of FTSE companies have been hit by a cyber-attack in the past year alone, so IT security audits have to be a high priority for every business, even SME's.

Staff often pose the biggest risk to IT Security
HR and the C-Suite need to lose the view that IT security is something they can pass off to 'the IT team'.

That's because no matter how robust your IT infrastructure, the biggest security risk comes from inadequately trained or complacent staff. In fact, at a recent Cybersecurity event, 57% of cyber security experts said they would like to see human employees replaced by AI!

IT experts like ITCS (http://www.itcs.co.uk) can help provide a robust infrastructure, combined with security advice and training, and we can advise your internal IT team on how to carry out regular IT security audits.

However, it isn't only an issue for 'techies'.  Line managers and HR have a vital role to play in maintaining secure working practices on a day-to-day basis. IT security isn't just IT's responsibility – it's everyone's responsibility. The CIPD are now encouraging HR Managers to take the lead and educate staff on secure working practices.

Here's some things you can do to mitigate your risk:

Tighten up your physical security
Hacking isn't just done by anonymous remote hackers. Train your staff to challenge anyone who they don't recognize (in person or on the telephone) requesting access to your PC or password information, and train staff to lock their PCs when leaving their desk.

Your password is not usually something you need to provide, and being asked should raise a red flag. If in doubt, check with IT before granting access. If your firm has an ID system, challenge anyone who doesn't have company or authorized contractor ID. This is good common sense anyway with current terror threats.

Keep your IT systems up to date
If you don't outsource your IT, you are responsible for updating your system. Make sure staff know what to do if their system prompts them about software updates. We can help if you aren't sure what to do – you definitely shouldn't ignore them.

Manufacturers often update their software in order to protect against a specific threat.  The Equifax breach apparently resulted when a staff member failed to apply a software patch in a timely fashion – affecting 400,000 UK customers alone (and an estimated 143 million worldwide). Ouch.

Offer regular IT security training and updates
Training in cyber security adds a layer of resilience. It means staff understand which threats are out there, how to prevent them, and how to deal with them when they occur.
Sending out a memo is usually ignored, so formal IT security training is essential – and your in house team should reinforce secure working practices in between sessions.

Drive home the importance of password security
Most people know they 'should' create strong passwords, but nonetheless choose the name of their child, dog or even their address.

It's vital that employees understand the importance of this. Passwords are the first line of defence. Managers should enable their systems to 'force' the use of strong passwords, and frequently educate staff on the need for them.

Managing the risk of insider attacks
Disgruntled employees pose a very real risk, whether having their own agenda, or receiving an incentive from a third party. A disgruntled Morrisons employee who leaked employee data literally cost the company millions of pounds.

The first step to protect your business from insider threats is to carefully control who has access to what information. Staff should only have access to data they need to do their job, access to sensitive data should be controlled and recorded and access levels should be regularly reviewed, especially if job roles change.

A formal starting and leaving procedure should be followed, rather than just making changes when someone leaves. On leaving, the formal leaving process should terminate access immediately, not a few days later and any shared passwords (which should not exist anyway) should be changed.

ITCS offering free IT security audits
Whilst many customers rely on ITCS for their IT support, the company believe IT Security is needs equal consideration, and are offering a free IT security audit to any company with concerns as to whether their provisions are robust enough.

The free audit will assess your current IT security and the company will then advise on the next steps to take, with or without ITCS's help.

However, the company are keen to stress that staff have to play their part if IT security is to improve.

Wayne Harris, ITCS Compliance Officer explains:

"No matter how secure your systems are, your people have a vital impact on security. Alert and well-trained staff add an important layer to your security. Unmotivated, untrained staff simply add an additional risk – with so many threats these days, that's not a risk worth taking."