Organisations are constantly changing the ways we as individuals work with, share, store and exploit information, therefore their security policies must be updated continually to remain effective. Organisational information security needs to be focused, creative and agile to ensure it is able to keep up with the moving business landscape. An organisation needs to consider the information stored dynamically on social media, mobile devices and in the Cloud and the risks associated in doing so to maintain control over the safe exploitation of the information that is an asset to the organisation.

Advances in technology help people do things faster, more efficiently and with better results. Information and technology are changing almost every aspect of our lives: how we shop, how we work and how we communicate. We can access information on almost any subject from almost anywhere. Cyber security is not solely an IT issue; it is the responsibility of the board to implement and drive forward a solution that covers people and process as well as technology. Human interaction with IT is a key risk to the security of important data within an organisation, so it is vital to understand what proportion of your risks are people related.

“There are no malicious computers; they do what they are told.”

If for a moment we focus on the IT, the traditional and legacy protection still in place in most organisations is expected to protect them in cyber space. Increasingly it fails to stand up to sophisticated attacks from criminals trying to reach company records or intellectual property. Next generation firewalls, intrusion detection and prevention systems, anti-virus and web gateways still stop commodity malware, but they are routinely bypassed by custom malware and targeted advanced persistent threat (APT) attacks. The reason is structural: these systems rely on signatures, known patterns of behaviour and reputation, so anything that has not been seen before produces no match and passes through. A new breed of attacker takes advantage of exactly that gap.

The introduction of the cloud, social media, bring your own device (BYOD) and other mobile handsets has increased the attack surface and widened the gap in protection that cyber criminals use to attack organisations and individuals alike. It is important to know where potential threats and risks are located within an organisation to ensure protection of information. We will explore why these digital platforms are beneficial for organisations, what the associated risks are and how controls can protect important information.

Are you lost in the Cloud?

Cloud services offer organisations the ability to manage IT costs, scale operations and streamline processes. However, this opportunity brings with it new security and privacy risks. Essentially, organisations are handing over critical operations and data to entities over which they have no direct control. It is critical to know where the Cloud components, and your data, will be housed and who is responsible for which functions and risks; in practice the provider secures the underlying platform while the customer remains responsible for its own data, identities and configuration, and that boundary must be written down and agreed. Cloud providers may house data in different jurisdictions and/or move it between them, which introduces new risks and regulatory obligations.

To ensure you keep your handle on the Cloud:

  •  Categorise your information and operations by risk. It is all about control: what are you happy to give up control of?
  •  Establish standards and apply them to service providers and business partners, so you retain a level of control over the process;
  •  Investigate the Cloud provider. Do your due diligence so that you can both trust and verify the security practices they have in place; independent audit reports and certifications are evidence, a marketing page is not.



We can learn from the Data Protection Act 1998, for whilst it only applies to personal and sensitive personal data it represents good practice controls which can be applied to any type of information:

  •  Check there is a sufficient level of security around the data or processes you are outsourcing to manage your risk effectively;
  •  Investigate to confirm that those security practices are actually in place, not merely described;
  •  Have a written control in place (typically a contract) that stipulates how the service provider is permitted to process, use and store the information.



Does everyone need to know?

Social media, for all its advantages, represents a multi-dimensional risk. At one end of the scale the platform is an avenue from which an attack may be launched; at the other it is a large surface that holds a lot of information needing protection. The threats are both external and internal. Externally, attackers use social media to build dossiers on potential targets and then use those details in social engineering to steal identities or information; aggregated details such as birthdays, pet names and employer also answer password-reset questions and seed password guessing, so data aggregation leads directly to leaked information and compromised passwords. Internally, individuals can unintentionally leak intellectual property (IP), violate privacy legislation or distribute confidential data to an unauthorised audience with a click of a button.

It may be impossible to stop the information flow, because social media has become a norm in today’s society, but you can put things in place to mitigate the risks:

  •  Raise awareness of where the threats hide in what is viewed as a friendly, positive form of online expression and communication. Understanding how information can be used if seen by the wrong pair of eyes should lead to less being posted and to tighter privacy settings being applied;
  •  Develop a suite of clear, easy to comprehend policies. Organisations need to set clear boundaries for individuals to work within, so there is no confusion as to what can be shared on social networks.


“I’d rather use my own”

Using tablets and smartphones at work to access privileged company information and applications is happening more and more frequently, often in organisations that have no policy regulating their use. Some companies, the thought leaders, officially offer BYOD but have tight controls stipulating how personal devices may be used. Although it is an attractive option for companies and individuals alike, there are downsides to consider. Smartphones, laptops, notebooks and tablets tend to be easy, low-risk (for the attacker) points of entry to corporate systems: a personal device the company does not manage or patch can be infected and then used to harvest passwords, account numbers, personal data and proprietary information. Lost or stolen devices cause problems of their own, as unencrypted data on them is accessible to anyone who picks them up.

In organisations that allow the use of your own device – BYOD – there are human issues to contend with as well:

  •  Executives demanding exemptions from security policy;
  •  Executives letting others use their device, which means sharing passwords or not setting one at all;
  •  Adding devices to the corporate network, bringing with them a whole host of problems that could jeopardise company information.



All of the above may present a problem as having different rules for different people increases the number of holes that can be exploited by cyber attackers.

Generally, individuals who use their own devices at work worry less about the security of those devices than they would about a company laptop. Similarly, a report found that 46% of individuals would bypass company policy if they knew an easier way to get something done, and that mentality carries over to personal devices. It is essential to tie the controls applied to the sensitivity of the information a task touches, so that the job can be completed securely without the controls being so heavy that people route around them.


  •  Know what is at risk: which devices are being used, what their vulnerabilities are and what information is stored on them. Apply a risk based approach to managing the devices, the information and the people who own the devices;
  •  ‘Lock it down’: apply strong encryption and a device passcode. A passcode alone does not protect data at rest once the storage is removed or the device is booted into recovery; encryption with a key derived from that passcode does. Assess whether the device needs to be connected to the corporate network at all and take into consideration the possible risks of doing so;
  •  Be aware of geographical risks: when travelling to certain locations it is advisable to wipe devices clean beforehand, or to carry a clean loaner device, and to prevent connection to open Wi-Fi;
  •  Have a suite of policies in place to guide the use of personal devices at work;
  •  Make sure you have the ability to wipe the device of data remotely if it becomes lost or stolen. A remote wipe only executes if the device comes back online, so it complements encryption rather than replacing it.


State of Play

The introduction of Cloud capabilities, social media and BYOD/mobile devices has increased the cyber attack surface. The traditional boundaries of business have been expanded, creating multiple entry points. Well-resourced attackers can devote a great deal of time, skill and money to finding and exploiting vulnerabilities, and they will chase identified value. The increased adoption of social media, coupled with cyber criminals’ ability to data-mine social networks, continues to expand the threat to individual and corporate information. Attackers aggregate data across sites and platforms to gain access to systems and to understand victims’ behavioural patterns, then launch more targeted attacks.

Organisations are constantly changing the ways individuals work with, share, store and exploit information therefore security policies must be updated continually to remain effective. Organisational information security needs to be focused, creative and agile to ensure it is able to keep up with the moving business landscape.

An organisation needs to consider what information it puts on digital platforms and to know what risks it is creating by doing so.
