People, Environment & Technology: A Three-Pronged Approach to Reducing Cyber security Risk
The number and variations of successful cyber-attacks is increasing daily, and as such cyber security risk has become a top priority for CEO across the globe. The impact of cloud solutions, increased connectivity between organisations and the fast amounts of data generated by digital technology have had a great impact on the way we conduct business, while making us more vulnerable to cyber threats. While none of this is new, how we use digital technology and protect our data is constantly in flux. As organisations continue to embrace the greater flexibility and efficiency that cloud solutions and remote work provide, the risk of security breaches rises. So how can businesses enjoy the greater productivity and strategic advantage that technology brings without putting their data, customers, and reputation at risk? The solution is complex, as the best practice to reducing cyber security risk is a three-pronged approach: People, Environment and Technology.
People are often the greatest asset of an organisation, but they can also be the biggest liability when it comes to cyber security. Despite the best efforts of corporations and governments to solve technological vulnerabilities, they only work if the people using these online resources take the necessary precautions on their end as well.
Think about it… who among us hasn’t given a vendor access to a file or worked around firewalls to access protected information? When was the last time you changed your password to your company’s cloud accounts? Do former employees still have access to your corporate servers? While businesses spend a great deal of time and money on keeping attackers out, all too often the people inside are knowingly – or more often unknowingly – inviting them in.
Obviously, educating users on how to work in safe ways is important. In many cases, however, these rules are followed more consistently if users are also educated on why rules are in place, how they are protecting the company and its data, and what can happen if they are not followed. We can’t rely on technology alone to solve what are often human errors. However, if we approach it with the fact that humans are involved, and fallible, we are more likely to find sustainable solutions that work.
The increased popularity of flexible and remote work adds an additional layer of complexity in protecting ourselves from cyber-attacks. The behaviour of users varies depending on the environment they work in, which needs to be taken into consideration when educating users. Traditional security architectures are built with perimeters, or firewalls, in place to keep those who shouldn’t have access out. But an increased reliance on mobile and cloud technologies to operate a remote, mobile workforce make network perimeters increasingly difficult to enforce.
Most of us know better than to access protected data from the free WIFI at the local coffee shop, but password-protected public access has major areas of vulnerability too. Even the latest WPA3 encryption standard, launched in 2018, has been found to have serious issues that allow data moving to and from the cloud to be intercepted.
Because of this, more organisations are moving from a network perimeter-centric view of security to one set up on the idea of “Zero Trust.” Developed by Forrester Research analyst, Jon Kindervag over 10 years ago, Zero Trust treats all network traffic as “untrusted” and is built on three principles:
- All resources must be accessed in a secure manner, regardless of location;
- Access control is on a need-to-know basis and strictly enforced; and
- Organisations must inspect and log all traffic to verify users are not violating the rules intentionally or unintentionally.
Even with security measures like multifactor authentication in place, environment will continue to be a challenge. With the predicted exponential rise of the adoption of artificial intelligence (AI) in our day-to-day lives, criminals are already examining its potential for a new backdoor to information access. AI-augmented attacks are a real threat and some predict that a new breed of AI-powered malware will allow hackers to infect an organisation’s system undetected, gathering information about users’ behaviours and company systems. Once it “learns” what it needs to, it can unleash a series of attacks and take down the organisation from the inside out.
Of course, the technology and how it is built to protect data will always be a factor to consider and address too. Cloud solutions and remote working are here to stay. In fact, a recent survey of IT decisions makers in companies with revenue of more than US$1 billion uncovered that 75% already use cloud applications regularly and 65% expect the number of cloud applications they use to increase as well. And it is not just large corporations that are adopting these technologies either. According to Forbes, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud.
With this greater flexibility and mobility comes increased risk of data breaches. Some of the larger players in this space are investing greatly in the security of their cloud applications in the hopes of assuaging the fears of users, gaining new users, and creating loyalty in current ones. For example, Microsoft invests over UD$1 billion annually on cyber security research and development.
Additionally, many governments are partnering with cloud providers to try to tackle the constantly evolving threats to data security. UK Business Secretary Greg Clark recently said, “With government and industry investing together as part of our modern industrial strategy, we will ensure that the UK is well placed to capitalise on our status as one of the world leaders in cyber security by ‘designing in’ innovative measures into our technology that protect us from cyber threats. This will also help us bring down the growing cyber security costs to businesses.”
Minimise cyber security risk
Most businesses are already taking a hard look at the technology they use and how it can be improved to protect data and make customers feel secure. But what can be done on the people and environment side of things? Here are a few considerations.
Limit access to those who need it
It can be a persistent challenge to create and constantly update that accounts that have permission to access certain files. But without these layers of protection in place, those with nefarious purposes can sneak in more easily. Many organisations have outdated user permissions or stale accounts which can leave sensitive data at risk. Data is as valuable, if not more, than financial assets. It is worth the effort to categorise that data, determine who really needs access, and update those permissions (and related passwords) on a regular basis.
Educate team members on why rules are in place
Keep in mind that you can create rules, but they are only good if everyone follows them. According to a recent article in Diginomica, 79% of IT leaders believe that employees have put company data at risk accidentally in the last 12 months, and more frighteningly, 61% believe they have done so maliciously. Too many times a person in a hurry, or who thinks they are an exception, will skirt around the restrictions. This is often not malicious in any way; they simply don’t understand the risk. That is why it is important to educate employees at all levels on the rules themselves, but also on why they exist and how they are protecting the company, its customers and employees. That is why it is important to educate employees not only on the security policies, but also on why they exist and how they are protecting the organisation. Additionally, creating a system to make it easy to report odd or unusual activity can be of critical value, since finding issues early can often allow additional protocols to be put in place so serious repercussions can be avoided.
Update permissions on a consistent basis
One of the most common ways that data is breached is through old accounts or outdated permissions. As people move in and out of the organisation, or into new roles, it is vital to immediately update their permissions appropriate to their role. This also applies to contractors and remote workers. And while you are at it, make everyone in your organisation regularly update their passwords and routinely review what you are storing on cloud servers. Any one of these, and many more, access points can easily be breached by people who know what they are doing, so ensuring that the people on your team do all they can to protect data is one of the most important parts of a strong cyber security strategy.
Create rules that apply to all devices
Your remote and more mobile employees work across multiple devices, including personal devices. Designed for continuous availability and connectivity, most tablets and phones lack much of the inherent security built into our computers. Many run on default credentials that are never updated, making them particularly prone to malicious exploitation. This is a risk, especially if your organisation has a bring-your-own-device policy. Educate your team about how to enjoy the flexibility and access these devices provide in a way that also protects your data and makes it hard for others to get in.
Based on this and many other factors, we expect investment in cyber security by businesses of all sizes will rise and as well as a growing demand for security talent worldwide. As business evolves, so will the ways criminals try to access our information and the tools we will need to prevent them from doing so. While AI can be used to hack a system, it is also being used to “learn” to connect the dots between threats and provide actionable insights so companies can respond to them with greater confidence and speed. In the end, those who do what is necessary to create a secure, yet flexible, work environment will have a competitive advantage that will more than pay for the cyber security efforts that have to be made, and even more so, the cost of a serious cyber attack on your organisation.
Need more information?
This article touches on just some of the issues you need to consider when planning how to protect your business and client data. For more information, please check out our cyber security services or speak to Mark Butler today.