Combating cyber attacks with a data-centric defence

In this data-driven hyper-connected age, the business landscape is constantly evolving and organisations are adopting new tools and processes that enable them to react quickly. As such, there is an ever-increasing need to collect, analyse and process growing stores of information on customers, competitors and internal functions, in order to drive sales, competitive advantage and efficiency.

Yet, as data sets expand and information grows in sensitivity, the cyber risk increases. Whether through cyber attacks (such as the recent malicious release of WannaCry ransomware), rogue internal leaks or accidental data breaches (for instance, the United Airlines employee who mistakenly posted cockpit access codes online), businesses face a battle to keep information secure and within their ownership.

>See also: Elevating data risk management to the board level

The challenge is exacerbated further through companies adding more cloud accessible devices to networks – enabling employees to retrieve corporate material from anywhere – or adopting innovative technology, such as the Internet of Things (IoT). Every device, no matter how seemingly insignificant, becomes a potential access point that can be exploited by a hacker.

This pervasive threat requires organisations to rethink their cybersecurity strategies. Defences have traditionally been perimeter-based – forming walls around networks with the aim of keeping external actors out – but with so many access points and the need to collaborate, these solutions are no longer enough.

Organisations must assume that all data is at risk, that it will travel to places outside of their control and knowledge and that those with malicious intent will attempt to access it. As such, businesses must take a data-centric approach and protect individual pieces of information throughout its lifecycle.

>See also: Consumer trust and data privacy: it’s time to close the gap

One vital component of the equation is robust encryption. Most companies already utilise the technology in some form, but not all variations of encryption are created equal. For instance, basic HTTPS encryption only scrambles data in transit as it travels between devices. This ensures that it remains unreadable should it get intercepted, but data is unencrypted at rest, on both the senders’ and recipients’ devices. This is a major vulnerability that leaves sensitive data accessible should either device be ‘misplaced’.

Point-to-point encryption (P2PE) involves encrypting data at source, before it leaves the sender’s device for the server and recipient, and protecting it at every point of its journey. The link is established between the two devices, preventing anyone from intercepting the information and guaranteeing that it always reaches its intended destination.

Then, the person or machine – in the case of IoT – must prove identity by meeting a number of stringent policy requirements before the decryption keys are issued. This action must be completed every time data access is requested, ensuring data remains protected regardless of where devices end up. Moreover, this means that stored data – whether kept on-premises, in the cloud or a hybrid of the two – constantly remains encrypted and inaccessible to those without permission, even if network perimeters are breached.

>See also: The cyber security industry: on the front line

The strict policy requirements must be tied to granular data access controls, as one layer of security verification just isn’t enough. Access to huge data sets shouldn’t be granted solely based on having a company email address, for example.

Controls must be specific to individual packets of data and stretch further than simply controlling who is accessing the information, but to where and what they are accessing the data from.

For instance, while an employee with the relevant clearance can access highly sensitive data in the UK, the company may not want them accessing that same data from a country infamous for ‘monitoring’. This functionality not only ensures that data is only being accessed by employees that have the authority to do so, but it mitigates the risk of it becoming compromised by third parties when access from outside the UK is attempted.

It’s also vital for firms to have the capability to amend access controls to data at any point, with all subsequent requests to access the data immediately subjected to the new rules. This enables firms to react quickly should they believe data to be at some risk, but don’t want it taken out of action completely. If a link was accidently sent to the wrong individual, the company can simply amend the controls to block access to that person, without hampering the access of others.

>See also: The inside man: your biggest risk may be closer than you think

While granularly controlling data access will go a long way in ensuring data remains uncompromised, businesses must have the capability for real-time revocation should they believe an attack could be in process.

For example, if a company suspects a high number of files are being exfiltrated, it can close off access to the data and ensure it remains encrypted while the issues is investigated and resolved.

Ultimately, as businesses strive to become more agile, mobile and make better use of information, data will inevitably be placed at greater risk. Companies that simply secure new ways of working with traditional cyber security techniques will not only soon find themselves unable to respond adequately to employee errors and cyberattacks, but the looming EU General Data Protection Regulation (GDPR) and its fines will compound the damage.

Organisations must now assume that networks will be breached and that data will travel to places outside of their knowledge and control. Only by adopting a modern data-centric cyber security approach that encompasses robust encryption, policy management and granular access controls, can enterprises protect sensitive information, however and wherever it’s shared.

 

Sourced by Andrew Alston, UK director, Covata

 

The UK’s largest conference for tech leadership, Tech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.