Information Security Focus for 2021
Information security for 2021: as we enter the new year, many of us will have taken the initiative to improve our personal habits. Whether that is starting a new exercise regime, beginning a diet, or learning a new skill, the new year is about setting goals and aiming for improvement.
Just as individuals make these resolutions, organisations should seize the opportunity to look back at their practices, ask honestly what could be done better, and set goals to improve their information security.
With threats such as phishing and ransomware likely to increase and evolve throughout the year, the following are some of the areas you and your organisation should consider as we begin 2021.
Staying Up to Date
Regardless of your industry, and whether we are considering personal or professional devices, keeping software up to date should be a cornerstone of your information security culture.
Most likely, your organisation relies on a plethora of different software, the vast majority of which receives some form of regular update.
New vulnerabilities and flaws are discovered every day, and developers work to ensure that they are patched (hopefully as quickly as possible); but a patch that is never applied protects nobody, and unpatched, publicly known flaws are exactly what attackers look for first.
Keeping software up to date (including anti-virus software) may sound basic, but it is neglecting foundations like these that opens an organisation up to viruses, breaches and ransomware.
Though you undoubtedly have some form of update process in place, 2021 is the year to check that it is mitigating as much risk as possible: that updates actually reach every device, and that nothing is still running on software that no longer receives them.
Cyber criminals love information. Information is the key to manipulation, exploitation and access: the more of it that is available about us, the higher our chances of being targeted.
With social media in particular, there is an inbuilt incentive to share information. From professional platforms such as LinkedIn to more personal platforms like Facebook, Twitter and Instagram, sharing is what these companies want.
Sharing can be harmless, even fulfilling, but it has diminishing returns, and 'over-sharing' invites information security problems including reputational damage, identity theft and spear phishing attacks.
Birthdays, family names and educational background can all be used to guess passwords and the answers to account-recovery questions. Likewise, details about a person's role within a company, their routines, or specifics of company processes are all too easily leveraged in targeted attacks.
Again, the new year is a great opportunity to assess what it is you and the employees at your organisation are ‘over-sharing’, and what training needs to be conducted to help minimise this issue and mitigate avoidable risk.
This can be as simple as giving guidance on how to configure privacy settings, or establishing specific guidelines on what is and is not acceptable information to share. Whatever your organisational needs, do not allow avoidable problems to become critical issues in 2021.
Consider Supply Chain Risk
When planning your information security for 2021, it is worth taking a holistic approach: not just focusing on in-house practices, but looking more broadly at where risk can be mitigated.
The majority of organisations rely upon suppliers to deliver products, services and systems. Though supply chains are complex and can be viewed as outside an organisation's immediate purview, they present real risks to information security: a compromised supplier can become the route into your own systems.
Despite these risks, very few UK businesses set minimum security standards for their suppliers. In fact, some research suggests that as few as 13% implement such requirements.
When considering supply chain risk, one thing to keep in mind is the changing regulatory landscape. With the UK's exit from the European Union (31st January 2020) and the end of the transition period, how UK GDPR will govern issues such as the transfer of data to and from the EU is yet to be fully settled, so for any organisation moving data outside of the UK, regulation needs to be a consideration in 2021.
Below is guidance issued by the UK's data authority, the Information Commissioner's Office.
“The EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.”
It is likely that most of us have been in the situation of having accidentally deleted or lost some form of data. If this data is not recoverable, then at best the situation is frustrating; at worst, the loss of certain data can be catastrophic to an organisation.
In early 2019, the email provider VFEmail was effectively destroyed by a particularly malicious hack. Attackers infiltrated the service and wiped entire servers, including its back-ups, without warning, reason or ransom. With seemingly no motive, they destroyed all users' data and left the company in a devastated situation.
Again, regardless of your industry or organisation, the availability of the information you hold is vital to your ability to operate. In the event of an information security attack, such as a ransomware attack, threat actors seek to remove this availability from a victim.
As advanced and effective as anti-virus software, anti-phishing training and other security practices may be, to insulate your organisation from this form of risk, robust back-up practices need to be in place.
When it comes to backing up, redundancy is the name of the game: make back-ups regularly and store copies in more than one location. Two caveats apply. At least one copy should be offline or otherwise out of reach of an attacker who has compromised your live systems, since ransomware operators routinely seek out and encrypt or delete any back-ups they can reach. And a back-up that has never been restored is an untested assumption, so restores should be rehearsed, not just hoped for. This new year is the time to ensure your data remains protected, secure and available.
Another foundational element of information security is phishing avoidance. Nearly 90% of organisations report experiencing targeted phishing attacks, and it is estimated that around 32% of all breaches involve some form of phishing vector.
Typically arriving as malicious emails, phishing attacks prey upon users' curiosity and trust, using tactics such as manufactured urgency, suspicious attachments and link text that hides the real destination URL. They range from glaringly obvious scams to extremely sophisticated, targeted attacks.
Though this is a threat vector that many are aware of, phishing tactics keep evolving, which warrants regular and sustained training to help users recognise and avoid this risk to your organisation's information security.
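One of the tactics mentioned above, link text that advertises a different destination from the real href, can be checked mechanically. The following is an added example and not part of the original post: a Python script that parses the anchors in an HTML email and flags links whose visible text names one domain while the href goes to another, links that hide the real host behind `user@host` credentials, and punycode hosts. The sample email and its domains are constructed for the demo, and the `registered_domain` helper is a deliberately crude stand-in for a proper public-suffix lookup.

```python
"""
Added example (not from the original post): flag deceptive links in an HTML email.
The sample email below is constructed; its domains are not real services.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registered_domain(host: str) -> str:
    """Crude reduction of a hostname to its registrable domain (example.com, example.co.uk).
    Assumption: a real tool would use the public-suffix list instead of this shortcut."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_link(href: str, text: str) -> list:
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""
    if "@" in parsed.netloc:
        reasons.append("credentials in URL hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host")
    # Only compare when the visible text itself looks like a URL or domain.
    shown = ""
    if " " not in text and "." in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def scan_email(html: str) -> dict:
    """Map each suspicious href in the email body to the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = inspect_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: one honest link followed by three classic disguises.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours unless you act now.</p>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
<a href="http://www.example-bank.com.verify-login.test/">www.example-bank.com</a>
<a href="https://example-bank.com@198.51.100.7/login">Sign in</a>
<a href="https://xn--exmple-bank-z2a.com/">Click here</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The honest first link passes because its text and href reduce to the same registrable domain; the second is caught because `example-bank.com` is only a subdomain label of the real host; the third because everything before the `@` is ignored by the browser; the fourth because a punycode host is rarely what a user thinks they are clicking. The checks are heuristics for training and triage, not a substitute for a mail gateway.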
For the new year, consider how your organisation can strengthen its defences when planning information security for 2021. Be it with regular training and reminders about the importance of vigilance, or running a simulated phishing campaign, 2021 should be the year you close the door to phishing threats.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Information security in 2021: blog by Information security awareness training and phishing simulation provider Hut Six Security.