Protecting people, devices and data: the three pillars of a modern cyber security strategy
Mark Lomas, technical architect at Probrand, discusses the need to protect people, devices and data, the three pillars of a modern cyber security strategy
The mass move to home working as a result of the pandemic saw even the most prepared organisations face new security challenges. The displacement of the traditional office environment meant companies were exposed to new vulnerabilities, and cyber criminals didn’t hesitate in trying to take advantage, with cybercrime surging 72% in the first month of lockdown.
A year later, and many organisations will be taking the opportunity to review their security capabilities. From authenticating end users, who are no longer in the ‘safe’ environment of the office, to preventing sensitive information being leaked in the event of a data breach, do they have adequate protection in place?
While organisations will never be completely immune from the threat of an attack, there are steps businesses can take to protect three key assets: people, devices and data.
People are often cited as being the biggest chink in an organisation’s armour, so any cyber security strategy has to start with protecting individuals. When you consider that human error still accounts for 90% of data breaches and home working has increased the number of people using personal devices to access corporate information, the pandemic has heightened this need.
One major area of concern is the rise in ‘credential stuffing,’ which involves hackers using compromised usernames and passwords to gain access to accounts. According to Deloitte, between February and May 2020, more than half a million people were affected by breaches where video conferencing user data was stolen and sold on the dark web.
Hackers don’t always need a username though – sometimes a weak password is enough for them to work out the rest. For example, if a hacker obtains someone’s Netflix password, they could go to LinkedIn to find what company they work for – with that information, their email address will be easy to guess. They can then try that email and password with Office 365 or a corporate Zoom account.
The simplest way for organisations to reduce this risk is to implement multi-factor authentication, which is offered as standard by all of the major cloud providers. And it’s easy to set up – all you need is a smartphone.
You may also want to consider adding conditional access to ensure access is only enabled from trusted locations, so you can prevent access from countries your users are unlikely to be in.
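The following added example, which is not from the original article, shows how a defender could spot the credential stuffing pattern described above in sign-in logs and list the successful sign-ins that multi-factor authentication or a trusted-location rule would have challenged. The log format, field names, thresholds and the trusted country list are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, account, country, result, MFA used
SAMPLE_LOG = """\
2021-03-01T09:00:01 203.0.113.7 alice@example.com NL FAIL no
2021-03-01T09:00:03 203.0.113.7 bob@example.com NL FAIL no
2021-03-01T09:00:04 203.0.113.7 carol@example.com NL FAIL no
2021-03-01T09:00:06 203.0.113.7 dave@example.com NL FAIL no
2021-03-01T09:00:09 203.0.113.7 erin@example.com NL OK no
2021-03-01T09:02:00 198.51.100.20 frank@example.com GB FAIL no
2021-03-01T09:02:30 198.51.100.20 frank@example.com GB OK yes
"""

def parse_events(text):
    """Turn each whitespace-separated log line into a dict (assumed format)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, country, result, mfa = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "country": country, "ok": result == "OK", "mfa": mfa == "yes"})
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """IPs whose failed sign-ins hit min_accounts distinct accounts within window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    flagged = set()
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if len({f["user"] for f in fails[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def risky_successes(events, trusted_countries, bad_ips):
    """Successful sign-ins that MFA or conditional access would have challenged."""
    return [e["user"] for e in events if e["ok"] and
            (not e["mfa"] or e["country"] not in trusted_countries or e["ip"] in bad_ips)]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    bad = stuffing_sources(evts)
    print("suspected stuffing sources:", bad)
    print("sign-ins to review:", risky_successes(evts, {"GB"}, bad))
```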
With the majority of staff working from home, it’s important for organisations to assess how much control they have over corporate-owned devices. It’s probable that many have been used outside of the office for over a year without ever being updated.
To tackle this problem, organisations can take advantage of cloud-based tools such as mobile device management (MDM). These solutions can be used to authenticate users and ensure security on the devices is up to date before the user is given access to the corporate network – this includes the latest antivirus, firewall and software patches. MDM can also ensure employees are storing information in the places they should be, so the appropriate backup can take place and disaster recovery protocols are still functioning.
Additionally, with large numbers continuing to either work remotely or adopt a hybrid model, companies can consider adapting their Bring Your Own Device (BYOD) policy and assess whether a Corporate Owned Personally Enabled (COPE) approach, which allows individuals to use their personal devices to access corporate data, may be more secure.
All too often, organisations focus on protecting devices and don’t think about data as the thing that needs to be secured. This results in data being protected while it’s at rest, but, as we all know, data only sits in one place for so long – especially when people are working remotely from one another.
Even when the user has been authenticated and the endpoint device secured, it is still possible for sensitive information to fall into the wrong hands if the data itself isn’t protected. Something as simple as an employee accidentally sending an email to the wrong person could result in the exposure of sensitive data or personal information – leading to serious reputational damage.
Putting access control permissions in place can help mitigate the risk of someone accidentally receiving information they shouldn’t, as this will ensure data is encrypted, rendering it unreadable to anyone without permission to open it.
Given that most businesses are likely to keep remote working options available, now is the time to identify any weaknesses that may have been brought about over the last year. With cyber attackers more active than ever in their attempts to exploit these vulnerabilities, protecting your key assets has never been more important.