‘Back to basics’ is the only way to combat rising complexity

Written by Jon Fielding, Managing Director, Apricorn EMEA
Organisations are operating in a business environment that’s significantly more complex than it was just two years ago, driven by ongoing digital transformation, increased connectivity and the burden of compliance with ever-tightening regulation.
Many are investing in new and sophisticated security tools designed to keep data, systems, infrastructure and people safe from cyber-attacks and other breaches. While technology solutions undeniably have a role to play, focusing narrowly on these often serves to introduce more complexity – leading to a loss of control over the data environment, and creating brand new vulnerabilities.
In order to strengthen their security posture, organisations must tackle cyber risk at its root. This means underpinning the introduction and integration of any new technologies and tools with a set of fundamental steps.
Step 1: Gain a better understanding of the current security posture.
Review all existing security processes against compliance guidelines and best practice, and identify the gaps. Next, put a plan in place to address these areas – focusing particularly on creating or amending security policies, including those relating to mobile working.
Step 2: Mitigate human risk.
Cyber-criminals usually look for the path of least resistance, and the weak link is often people. In a recent Apricorn survey, almost two thirds (63%) of respondents said that human error had been the main cause of a data breach within their organisation.
Education and awareness programmes should be designed and rolled out to all staff at all levels, including senior executives, and also to third-party contractors. Programmes must be regularly updated and tested. As part of this training, employees need to be clearly informed of the password policies that apply to them, which should be enforced at a technical level wherever possible.
Step 3: Encrypt all data as standard, at rest and in transit.
Data taken beyond the network should be carried on IT-approved mobile storage devices featuring strong hardware encryption, with any non-sanctioned devices blocked by endpoint controls. These controls should be enhanced with strict policies.
Hardware encryption generally provides better protection than software encryption, as the keys are held safely in a crypto module that stops brute-force attacks and unauthorised access. It also makes the devices more portable and easier to manage, as there are no drivers or software to install, and typically delivers better performance, since all cryptographic operations take place on the device’s dedicated hardware.
Effective patch management, using automated risk-based tools, continuous network monitoring, and anti-malware and breach detection tools should also be considered as basic best practice.
As business and technology become more complex, the attack surface grows. Cyber-risk will escalate, and the number of successful data breaches will continue to rise. Stakes that are already high are set to get higher: according to IBM, the financial impact on companies that have suffered a breach has increased 12 per cent over the last five years, with larger firms losing $3.92 million per breach, and smaller enterprises $2.5 million. By going back to basics – understanding and improving the security posture, educating users, and implementing end-to-end encryption – organisations can remain secure as their operating environment continues to shift.