Comment: Ensure digital defences can handle attacks

PROTECTING customer data and a company’s brand image are both important, writes Julian McMenamin

British Airways' Frequent Flyer programme was hacked, to the extent that points from individual accounts were stolen and used to make purchases. Picture: TSPL

British Airways, one of the most iconic brands in Britain, if not the world, recently came under cyber attack.

Its Frequent Flyer programme was hacked, to the extent that points from individual accounts were stolen and used to make purchases. It serves as a reminder for everyone that no account is immune, no target too big and of the importance of having the basics, such as strong passwords, in place.

Sign up to our daily newsletter

The i newsletter cut through the noise

But I’m sure everyone reading the news will have wondered what responsibility companies are taking on their behalf, however big or small the brand. It’s a fair question to ask when we hand over personal details every day.

The good news is that I know a great many boardrooms have been prompted to review their security plans as a result. Many directors have been in touch to find out what happened and what they could do to protect themselves.

Interestingly it wasn’t just the big brands getting in touch, it was also the start-ups and SMEs that think they need to take another look at how they protect themselves and their partners, suppliers and customers. In short, it hit home how devastating an attack can be on a brand, especially when you are trying to establish one.

While we can only speculate on the specifics of the case, there are lessons that can be applied from a whole host of attacks that have occurred in the last 18 months. There are five things that I therefore recommend as an approach.

• Don’t panic. The fact you are thinking about it is a tremendous step in the right direction. Use this energy to understand your enemy so you can take control and plot your defences. There are a multitude of places you can get good information on the types of attacks that are most prevalent and get yourself in a position where you can stay ahead of new types of attack, Organisations like Cert-UK have been established exactly for this purpose.

• Use the knowledge you gather to put in place an emergency response team. You’ll need to assess what your current team can do, what they could do if they had training, and where you will need help from a third party. Look at how process, policy and technology would help or hinder them in an attack. What needs to change?

• Identify the blind spots. Today hackers will attack you because they are a) disgruntled b) want to make a political, social-economic or religious stand c) want to obtain very specific information or d) have nothing better to do. Where are your weak links

• Separate networks so that access to one doesn’t guarantee access to another. This is especially true when it comes to sensitive data. Look ahead too. If you are going to start using more cloud computing, then you must ensure ­security is integral to how it is rolled out.

• Simulate a test and ask questions that go beyond technology: can you, your people and processes stand up to an attack? Can your suppliers protect you if they go down? Would you be able to take control of PR and customer communications quickly and limit damage to your brand?

Admittedly these five steps ask a lot of questions and there is no doubt that by answering one you will open up Pandora’s box. But breaking the challenge down into manageable tasks will help you structure your planning and identify what you can do within your company and where you need help. But most of all it will give you control. And in today’s cyber landscape, control is a very powerful weapon.

Julian McMenamin is the regional director for Radware Scotland