Preparing IT security teams for 2017 – 6 tips for going back to basics

It has long been assumed that once a customer gives an organisation personal data, it will be treated sensitively and responsibly, and protected from misuse or misappropriation. Unfortunately, my experience – and the various cyber-incidents of 2016 – suggest that this is far from the truth, at least in practice if not in intent. The distance between the customer’s legitimate expectation and the regrettable reality is what creates such heated indignation and brand-damaging media interest.

If your business has been the subject of a successful cyber-attack in the last 18 months, I would bet that, regardless of the sophisticated theatre of security devices and technology deployed, it will boil down to a basic failure in security best practice that allowed the attack to have an impact. For example, in the case of TalkTalk, the company reported that a simple SQL injection vulnerability – a class of flaw that has been well understood, and trivially preventable with parameterised queries, for well over a decade – cost it £42 million in 2015 and caused profits to halve in 2016. Simple error; massive consequences.

Combining lessons from 2016 and standard best practice, there are six basic steps that need to be reiterated to IT security teams to help them prepare for the coming year. These steps will allow them to start afresh safely in 2017, and ensure that protecting customers’ data happens organically in the process.

Encourage the use of OWASP or send developers on a CEH course
Developers are responsible for building the applications and services that prop up your entire business. If they unwittingly build vulnerabilities into those applications, you won’t find out until the mistakes are exploited. The Open Web Application Security Project (OWASP) is a hugely useful online community that creates free articles, methodologies, documentation, tools and technologies to equip teams with valuable security insight, and it is a great resource for developers to learn about the vulnerabilities that threaten businesses. Finally, the Certified Ethical Hacker (CEH) course is brilliant fun, and developers learn best when they’re enjoying themselves.
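To make the “simple error” concrete, here is an added example (not code from the original article) of the pattern behind the kind of SQL injection referred to above, placed beside the parameterised query that removes it. The user table, the hashes and the attacker inputs are constructed for the demonstration, and Python’s built-in sqlite3 stands in for whatever database a real application would use.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-1"),
         ("bob@example.com", "hash-2"),
         ("carol@example.com", "hash-3")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: untrusted input is spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement, so quotes
    and keywords in the input change the meaning of the query.
    """
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """The fix: a parameterised query.

    The SQL text is fixed; the input travels separately as a bound value and
    is only ever compared against the column, never parsed as SQL.
    """
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed attacker inputs. The first turns the WHERE clause into a
# tautology that matches every row; the second reads a different column
# (the password hashes) out through a UNION.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash FROM users WHERE '1'='1"


def compare(email):
    """Run one input through both implementations and return the rows each yields."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, email),
        "safe": lookup_safe(conn, email),
    }


if __name__ == "__main__":
    for probe in ("alice@example.com", TAUTOLOGY, UNION_DUMP):
        print(repr(probe), "->", compare(probe))
```

The honest input behaves identically in both versions; the two hostile inputs return every email address and then every password hash from the vulnerable version, and nothing from the parameterised one. The stacked-statement payload often quoted (`'; DROP TABLE users; --`) is deliberately not shown because the sqlite3 driver refuses to run more than one statement per call; that is a property of this driver, not a defence, as the OR and UNION variants demonstrate.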

Educate your front of house staff in the latest social engineering techniques and how to baffle them
As we all know, people are the weak link in most security systems, and a simple social engineering course really helps to open people’s eyes as to how resourceful some criminals will be to get their foot in the door. Think of your front of house staff as the firewalls to your business in the physical world. Keep them patched and maintained.

Ensure all your staff remain aware of threats and how they are expected to respond
There are some very good security behaviour programs out there that help reduce the risk of employees opening malware or clicking on malicious links. Encourage employees to take the training home, and make it part of their personal life too. These are new skills in the digital era, and should infuse into everything we do.

Conduct regular vulnerability scans of your network and applications
You’d be amazed at the diversity of technology your business depends on, and any one of those components could have a vulnerability in it. New vulnerabilities of varying severity are disclosed by vendors and security researchers on an almost hourly basis. Automated vulnerability scans of your network, run both from inside and from the internet, are easy to schedule, and once the scanner’s checks have been updated for a newly published vulnerability, the next run tells you whether you are exposed. Bear in mind that a scanner can only report what it has a check for, so keep the scanner itself up to date and treat a clean report as “nothing known”, not “nothing there”. And of course, if you are affected, do something about it! You would be surprised (or perhaps not, given 2016) at how many businesses sit on stacks of known vulnerabilities for months at a time.
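Scanning is only half the job; the other half is noticing what has been sitting open for too long. As an added example (not part of the original article), the following Python script takes a set of scanner findings and reports which ones have breached a remediation deadline, worst first, and how many each host is carrying. The hosts, dates and the severity-to-deadline policy are constructed assumptions for the demonstration; the CVE identifiers are the real ones for the named flaws.

```python
from datetime import date
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    title: str
    severity: str   # critical / high / medium / low
    first_seen: date


# Assumed remediation policy: maximum days a finding may stay open per
# severity. These numbers are illustrative; substitute your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner output for the demonstration (hosts and dates are made
# up; the CVE identifiers are the real ones for the flaws named).
FINDINGS = [
    Finding("web01", "OpenSSL Heartbleed (CVE-2014-0160)", "critical", date(2016, 12, 1)),
    Finding("web01", "TLS 1.0 enabled", "medium", date(2016, 10, 15)),
    Finding("db01", "Bash Shellshock (CVE-2014-6271)", "high", date(2016, 9, 1)),
    Finding("db01", "Self-signed certificate", "low", date(2016, 6, 1)),
    Finding("mail01", "Missing OS security updates", "critical", date(2016, 12, 28)),
]

# The date the report is run for; fixed so the example is reproducible.
AS_OF = date(2016, 12, 31)


def days_overdue(finding, today):
    """Days past the SLA deadline; zero or negative means still within SLA."""
    age = (today - finding.first_seen).days
    return age - SLA_DAYS[finding.severity]


def overdue_findings(findings, today):
    """Return (finding, days_overdue) pairs for everything past its SLA, worst first."""
    late = [(f, days_overdue(f, today)) for f in findings]
    late = [(f, d) for f, d in late if d > 0]
    return sorted(late, key=lambda pair: pair[1], reverse=True)


def overdue_by_host(findings, today):
    """Count overdue findings per host: the 'who is sitting on what' view."""
    counts = {}
    for f, _ in overdue_findings(findings, today):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f, d in overdue_findings(FINDINGS, AS_OF):
        print(f"{f.host:8} {f.severity:9} {d:4d} days over SLA  {f.title}")
    print(overdue_by_host(FINDINGS, AS_OF))
```

Run against the constructed data as of 31 December 2016, the report flags Shellshock on db01 (91 days over a 30-day SLA), the self-signed certificate on db01 (33 days over) and Heartbleed on web01 (23 days over), while the TLS 1.0 and missing-updates findings are still inside their windows. Feeding real scanner exports into the same logic, and putting the output in front of whoever owns each host, is what turns a scan into remediation.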

Stop using local copies of data, and start using intranet storage media
In the case of ransomware, simply working in a non-local document management system that the business backs up limits the damage an infection can do: the workstation can be wiped and rebuilt and the documents restored. Two caveats apply. Ransomware will happily encrypt any network share the infected user can write to, so the protection comes from versioned, regularly tested backups that the infected account cannot overwrite, not from the files merely living on a server. And it might mean training staff to work with the document management system. But like a seat belt, when you need it most it may well save you from a world of pain or catastrophic loss.

Build a robust incident management plan, that includes customer communication
There is obviously a focus on maintaining business continuity when a security incident hits, and perhaps on preserving forensic evidence. It’s worth testing these processes at least annually to confirm that they still fit the business… but I would like to add a bugbear of mine in here: customer communication. If you (as a business) suspect that my data (as a customer) has been compromised in any way, then regardless of any industry-mandated notification requirements, I believe coming clean is the best policy. Sitting on that information while customers are left to speculate (and often to speculate the worst) damages trust in your business. You will not have the complete picture at “hour zero”, so say what you know, what you don’t yet know and when you will update them; being honest and upfront with your customers, while initially very painful, will in the long run make them feel that you are on their side and doing everything you can to correct the issue.

All too often, when businesses see issues with security in their workplace, they look for technical solutions like firewalls, virus scanners and biometrics. But more often than not it is individuals and minor mistakes that form the weakest link in the chain. Training your staff is essential now, as they hold your business in their hands, and as 2016 revealed, one small slip can cost you a great deal of pain with customers.