Why Cybersecurity is so important to YOU!
Cybersecurity may or may not be a point of interest for your organisation. You might know about the overall cybersecurity threats to your organisation; or you might not. Regardless of how much or how little you know about the subject however, these threats still exist and are still capable of taking your organisation offline. This isn’t something that only IT needs to worry about though; if you’re connecting to the internet, you’re at risk. Read on for some information security risks specific to different departments in your organisation!
Performing the role of administrator for human resources is vital to ensuring that an organisation’s most valuable asset - its people - is handled properly. This involves handling Personally Identifiable Information (PII) such as ID numbers and email addresses, which is where HR departments need to be the most careful.
PII can be used for malicious purposes if it falls into the wrong hands. For example, if an attacker gets access to employees’ phone numbers, they could call them while pretending to be the CEO and trick them into transferring money to fake accounts. This makes it vital that personal and sensitive information is stored securely and is accessible only to authorised individuals. Onboarding, offboarding and employee training should also have security built in. This could be done by defining the necessary access levels during onboarding interviews or meetings, running background checks on staff to ensure they do not have criminal records, and creating and enforcing an information security policy. There should also be technical security measures in place to ensure that external parties cannot access PII.
Products or services that truly sell themselves are few and far between, and marketing exists to fill that gap. Creating awareness of an organisation’s products or brand means that marketing departments are often what outsiders see the most of or interact with. Greater exposure can only be a good thing, but the risks to the department increase with it.
Social media marketing accounts and company websites are prime targets for attack, as are the people who control them. These attacks could aim to take control of accounts, deface public-facing company assets, or rip off customers. Marketing departments will also have customer data in their possession, which is very interesting to a number of unsavoury individuals. Combating this using technical means could include making sure that all available security controls, such as two-factor authentication (2FA), are enabled on social media marketing accounts and that any plugins you use on your website or other assets are kept secure and up to date. Administrator accounts in particular should only be accessed securely and only by tracked and trusted individuals, as they have the highest potential for causing damage. As an example, if the employee with sole access to your company’s Facebook page is fired or leaves on bad terms, they could lock you out of the account, post content that damages the company’s brand or even rename the account and use it for their own benefit. Users should also be trained about the sensitivity of the information that they handle and share.
A company’s finances decide whether it sinks or swims, which means that A) Accounting handles a lot of sensitive details and B) Everyone else is interested in those sensitive details. For obvious reasons, financial information being released to those who should not have access to it is a Very Bad Idea, so this is an especially critical area where information security MUST be maintained. For instance, if you use a third party to handle your billing processes, they might not have implemented any security measures such as firewalls or proper password policies, which could lead to your company’s data being stolen. While it is their responsibility to implement appropriate security measures, it is your responsibility to audit and approve that those security measures will protect your company’s information.
This information must be protected during its creation, in transit and at rest. Protection can be achieved by encrypting stored data with strong encryption so that it cannot be read without the key or password, restricting access to only those who need that data, and keeping an audit trail of any changes made to it. Insider threats can also be an issue when it comes to financial information and steps should be taken to protect against them. More on this here!
If you’re in manufacturing or rely on a specific product or service to differentiate yourself from the competition, losing your intellectual property (IP) can have disastrous consequences for the continuity of your business.
In this instance, you should identify which assets would cause the most damage to your organisation in the event that they are made available to your competition (we can’t all be as lucky as Coca Cola). Conducting a risk assessment on your organisation can help you in this process. An information security risk assessment identifies what security gaps exist within a process or in relation to a specific product. You might find and resolve issues such as engineers taking confidential plans home to work on them, or documents being hosted in a Google Drive that is accessible to anyone on the internet.
Of course, information security doesn’t exist purely in cyberspace. Physical security is a part of information security that the administration and daily operations departments in an organisation will have to be responsible for.
Maintaining physical security measures will require first understanding exactly how your information assets could be affected by a physical attack. For example, the protection measures and policies you implement if you maintain a physical server room would be different from those you would need if you operate in a completely virtual (cloud) environment. You might choose to require that users enter a password or PIN before accessing rooms where sensitive information or equipment is stored, or to have CCTV systems that monitor the entrances and exits to your production facilities.
Of course, while some risks apply specifically to certain sections, there are some true classics that everyone should be aware of:
Social engineering is an attack technique where an attacker attempts to trick someone else into giving them access to an area or giving them information that they shouldn’t have access to.
A phishing attack is where a cyber attacker attempts to trick a user into taking some action that they otherwise would not by contacting them in some manner. This could be through email, through text message (smishing) or through voice calls (vishing).
The difference between social engineering and phishing is that social engineering usually involves a more hands-on approach and often a physical presence, whereas phishing activities are more passive and are usually carried out remotely.
Physical security threats will change based on your unique situation and business landscape, but are usually things like users plugging in unknown or infected USB devices, leaving their devices unlocked and unprotected in public places, and even outright theft.
Remember that these don’t just apply to separate departments; if you’re a one-man band or the singularly talented person who handles all of the above for an organisation, these will all apply to you as well.
If what you’ve read so far sounds like it could apply to you, you might be interested in the UK NCSC’s Cyber Essentials certification to shore up your issues, a quick security scan of your company, or in having an information security risk assessment done; whatever it is, we would love to hear from you. Get in touch today!