Last year, much like those that preceded, saw an influx of data breaches making the headlines. From Facebook and the Cambridge Analytica scandal, to the 500 million victims of the Starwood hotel breach, the problem is only getting bigger, as are the numbers of businesses and consumers suffering as a result.
The problem lies in the complex nature of cybersecurity. Digital transformation has forced businesses to modernize their processes, as well as restructure and revolutionize how they use technology – and how they grow – to defend their market position, innovate and disrupt their ecosystem. It is understandable, then, that many organizations are panicking about what the idea of digital transformation represents – bringing in ever more complex (and expensive) technology, and constantly re-evaluating and innovating their digital strategy in order to make sure they are safe from a breach. Add in regulatory hysteria brought about by GDPR, and it’s no wonder businesses are suffering at the hands of cyber-criminals.
In the face of complex and stressful digital planning, many organizations and their IT teams are losing sight of the basics of protecting IT infrastructure and data, and of compliance. The majority of high-profile cyber-attacks have not succeeded because of the sophistication of the attack involved, but because of a lack of basic precautions on the part of those affected.
Complexity has penetrated every aspect of organizations, from expensive IT infrastructures to complicated compliance mandates. The aftermath has left them struggling as they focus their attention on new technology, and on the security developed to protect it, rather than tackling the issue at its root: the solution need not be complex; it is about simplifying in order to strengthen security.
Keep it Simple
Organizations should be cautious of the time, technology and resources spent on protecting complex data environments. Understanding where all your data is stored, and classifying relevant data in accordance with compliance regulations, for example, can easily get out of hand and see businesses skipping the fundamental steps critical to ensuring long-term data security.
Businesses should start by reviewing their existing security processes to better understand their current security posture against compliance guidelines and best practices, identifying the gaps and putting a plan in place to address these areas.
They should follow this with education and awareness programs. These should be designed and implemented with all staff in mind, temporary and permanent: third-party contractors can pose a huge threat, as has been proven in many of the data breaches of the past years. Education should apply at all levels; senior execs should not be exempt and should certainly be practicing what they preach when it comes to security protocol. On top of this, these programs must be regularly updated and tested.
Many security breaches can be down to something as simple as choosing a weak password or clicking on a link from an untrusted source. Passwords are the initial line of defense. They are crucial in both our personal and professional lives and can make or break the overall level of security within an organization.
Many devices and applications come with default passwords. Using a default password is the same as using no password at all, so this must always be changed immediately. When choosing a password, employees should make it long and complex. Staff should also regularly change their passwords and never reuse them.
As a necessity, and as part of any awareness and education program, employees should be clearly informed of the necessary password policies, which should also be enforced at a technical level wherever possible.
Employees also need to ensure they understand the risks when opening email attachments or clicking on links from unfamiliar sources, to avoid putting confidential information at risk. This should be covered in staff awareness training sessions.
The encryption of data should be a key element of any security strategy. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data. Data should be encrypted at rest and in transit, especially when it is stored on removable storage devices. Equally, data taken beyond the corporate network should be carried on corporately approved mobile storage devices featuring strong encryption, and endpoint control solutions should block non-sanctioned devices from working.
In addition, organizations should have a well-defined patching process in place to ensure all software and systems are updated regularly.
With these basic principles in place, organizations will be primed to reduce the risk of internal and external data breaches, support compliance with privacy regulations such as GDPR, and achieve a sustainable security posture, eliminating any overarching complexity.
You can discuss your breach prevention needs in person with Apricorn on stand P60 at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.