If information security is not a top-of-mind issue for your business, it should be. A data breach can be devastating to your brand — not to mention the fines or penalties for which you may be liable. The other reason this issue should be top-of-mind for your team is because you can actually do something about it. Most data breaches reported are easily preventable. Inc. notes that, “91 percent of data breaches that occurred from January to August of 2015 could have easily been prevented by, for example, patching a server, encrypting data or ensuring employees do not lose their laptops.”
We sat down with Winfried Neessen, Director of Information Security for cleverbridge, to learn more about information security in the connected age. He gave us an insider’s perspective into the role of information security, ways companies can be breached, what questions come up when working with digital goods vendors, and what questions he would ask a potential solutions provider. Finally, he ran down the consequences of insecurity and hammered home why this topic should never be an afterthought.
“91 percent of data breaches that occurred from January to August of 2015 could have easily been prevented by, for example, patching a server, encrypting data or ensuring employees do not lose their laptops.” — Inc.
The Role of Information Security
cleverbridge: How common is it for companies to dedicate a permanent position to information security?
Winfried Neessen: It’s actually a very common position. Sometimes it’s called Director of Information Security, sometimes it’s CISO (Chief Information Security Officer). The field is getting more and more established, with several professional conferences and a network of practitioners. We also invested in the Certified Information Systems Security Professional (CISSP) certification for our team. The CISSP certification is highly regarded in the security world and helps ensure that our security staff is trained on the different domains of information security.
Prospects and FAQs
cb: What are the questions that come up when a company is integrating a new subscription billing provider or is looking to integrate systems. What are businesses concerned about?
WN: I think there is a standard catalog of questions they use. Things like: “What is your network diagram?” “How does traffic flow into your network?” “What is the software/technology you are using?” “Do you have firewalls?” “What is the physical security of your data center?” “What type of encryption are you using to keep credit card data secure?” We regularly field these kinds of questions.
Sometimes prospects also want detailed information about change process and development. For instance, “How is your software released?” “Do you have testing?” and so forth. It’s basically everything from A to Z.
The Three Most Important Questions
cb: What are the top three questions you would advise a company to ask about information security?
WN: One thing that is always important now is encryption. So question number one: Are they using top-notch encryption? If it’s a web interface, are they applying the latest standards to web services? Data privacy is very important for everyone so that no one can spy on your data.
For the second question, I would also want to make sure that their staff is actually trained very well in their field. Make sure they have annual training on security best-practices. Ensure they know what’s happening on the market and what kinds of vulnerabilities are out there. Not every employee needs to understand everything, but to be aware.
Finally, the third question would be for developers. Do they have code reviews? Do they use automatic code review systems that would look into the code and detect common mistakes? If you’re using a web application, those web applications are always vulnerable because they’re on the Internet. The first thing you notice when you connect a system to the Internet is it starts getting hit by security scanners. Those guys are just scanning the whole Internet to see what is open and what they can get.
cb: Zooming out, what are the hallmarks of your average hacking attack?
WN: Most of the successful attacks are based on user error or insufficient security measures. That’s definitely fact. That’s the reason it’s so important to have the top security — even for your employees. People may get annoyed they have to restart their PC twice a week for security updates. But this is the thing that makes a difference. You get PDF documents that are vulnerable because the software that opens the PDF is vulnerable. It can execute some code and then take over your PC. I know that security stuff is a hassle for the end user, but it helps the business in the end.
Though users may be frustrated by security updates, they are essential to keeping your business secure. Source: GIPHY
cb: Run through the consequences or risks a company faces for not keeping their security updated.
WN: For us, the biggest concern is protecting credit card data and personally identifiable information (PII). Penalties are based on individual records breached. Between industry fines and legal fees, I believe every record stolen from you costs you about $100. So 90,000 records stolen can cost you at least $9,000,000. That’s a lot of money, and depending on the size of the breach, it can increase substantially. A breached company also wouldn’t be allowed to authorize credit card data anymore, which would effectively shut down any online business.
What I always am a little bit afraid of is malware you don’t detect. Very targeted stuff, maybe only sent to one executive staff member. Very targeted, he executes it, it’s not detected, and it’s just running in the background of his PC. Just constantly collecting information. That is much worse.
cb: In the long run, it’s worse?
WN: Yeah, they can get sensitive information, company ideas, they can steal, they can perhaps get access to other systems based on the permissions of the person targeted by the malware. Undetected malware is possibly the biggest risk. A study found malware on business systems is usually detected after 200 days. An attacker can do a lot of damage in 200 days.
Information security is essential. Each company should consider having a dedicated person or team working on information security, if they don’t already. If that kind of investment is out of reach for your organization, ensure you are asking the right questions of your third-party providers so you don’t get burned. Every company with information on their machines (effectively every company) is at risk of being breached. But without certified and experienced information security specialists, the chances of being compromised are much higher.
Winfried Neessen is Director of Information Security for cleverbridge in Cologne, Germany.
To learn more about how cleverbridge handles information security, check out this resource.