The idea behind initiatives like ‘National Cyber Security Awareness Month’ in the US and the ongoing ‘Get Safe Online’ campaign in the UK is that each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. People, finances, devices and businesses must be better protected from fraud, abuse and other issues encountered online.
I would add that for enterprises, in particular the large multinational corporations I work with, given the risk of falling victim to a breach is so acute – and that the financial and reputational fallout can be astronomical – we need to pay more attention to the types of data security solutions available on the market today. We know from a variety of studies that cybersecurity has been edging up the list of topics on the CIO and CEO agenda, but as the failure of traditional security controls becomes ever more apparent, an understanding of the data security tools and tactics to combat it needs to be given more attention too. I would further argue that encryption as a data security measure needs to zoom up the list for CEOs concerned about the safety of their business data.
To date, much attention has been placed on limiting end-point security solutions – this is perhaps unsurprising given the rise of “third platform” technologies like mobile devices and adoption of social media into the enterprise which are normally accessed via phones. However, as big data analytics and cloud computing technologies continue to come good on their promise of facilitating business transformation, the places where data resides – and where it is most commonly accessed – will continue to change. Indeed, as more and more data enters the cloud, data security measures must follow it and protect it at its source.
In my conversations with customers, I often ask: how strategic is IT security to you and your enterprise? Often, it quickly becomes clear that their resources are not being used efficiently and an overhaul in security posture is needed. The accompanying skills shortage is also clear; there simply aren’t enough data security experts ‘in-house’ overseeing how an organisation can keep its data secure now and into the future.
Of course, ‘big business’ isn’t alone in needing to up their security awareness. This year’s massive nation-state breaches have illustrated how government agencies too are increasingly falling victim to cyberattacks – take those at the Office of Personnel Management (OPM) and the IRS for example. Equally, not-for-profit or community organisations are also in the line of sight for hackers – and one notable UK example of this is Mumsnet. Since falling victim to the Heartbleed security bug last year, the popular parenting forum has been subject to a series of cyber-attacks aimed at compromising its systems and its users’ data. However, the latest twist in the tale last month was particularly unsettling – cyber-crime has now entered the physical world for double impact. As part of a wider DDoS attack, the site’s founder, Justine Roberts, was targeted in a ‘swatting’ attack that saw an armed police response team sent to her house. Until now, we have understandably focussed on the impact breaches have on business reputation and bottom-line, but the personal, psychological effect of such an event cannot be underestimated – let alone tolerated.
Ultimately, the lesson is that data is the target. It is a valuable currency and with the bad guys becoming more and more adept in their quest to steal it, more must be done to prevent such unnecessary fallout in the future. True data security requires a combination of technologies to reduce the attack surface available – limiting the ‘who, what, when, where and how’ of data access, and keeping a careful eye on those with a legitimate need to access it by monitoring their data access patterns for behaviour that may indicate an attack in progress. Adopting a default strategy of ‘encrypt everything’ is quickly becoming the only reasonable way to retain, and maintain, the upper hand in the fight against cybercrime.
In the past, organisations encrypted only what compliance requirements forced them to protect. Fortunately, advances in technology mean that it is now faster and easier to secure more data with encryption than ever before – and it can be applied wherever the data resides.
Where is encryption on your cybersecurity fight list now?