October is Cybersecurity Awareness Month and this year’s theme is “Do Your Part. #BeCyberSmart.” The purpose of Cybersecurity Awareness Month is to empower individuals and organizations to do their part in protecting themselves online. If everyone takes responsibility and adopts good cyber hygiene, by implementing stronger security practices, raising community awareness and educating people, our interconnected world will be a safer and more resilient place. That shared effort is what keeps people and organizations safe from attacks on their data, personal information, finances, and infrastructure.
As my Thales colleague Marc Darmon says, “#Cybermonth is an opportunity to focus on cybersecurity, the cornerstone of any digital transformation and the foundation of digital trust.”
4 simple habits to protect your business online
Digital transformation introduces many benefits for businesses, but it can also increase the risk of cybersecurity threats targeting your data. In a data-driven world, a single cyber-attack could seriously damage your business and its reputation. These four simple steps can help protect your business from cyber threats.
1. Discover and classify your data
With businesses operating in hybrid computing environments, data can be stored and processed anywhere: on your own servers, in SaaS applications, or in one or more public clouds. The first step is therefore to discover all your data and where it resides. As we often say, “you can’t protect what you don’t know.” Knowing where your data lives also lets you map the data flows, that is, how data moves between your servers, your customers and your partners, which is where most protection gaps are found.
Once you have an inventory, it is equally important to classify the data by sensitivity and business importance. Sensitive and personal data deserve stricter security controls than non-critical information. Data discovery and classification is the foundation for prioritizing and selecting the security controls that are appropriate for each class of data and for maintaining compliance with a patchwork of regulations.
2. Protect your data with encryption
The second step towards a hardened infrastructure is to encrypt your data, especially the data identified as critical and sensitive, both at rest and in transit. Encryption turns readable data into ciphertext that is useless to anyone who does not hold the key, whether the data sits on a disk or crosses a network. This protects its confidentiality if the storage or the connection is compromised, and authenticated encryption modes also detect tampering. Encryption is also a core requirement in many security and privacy regulations.
However, encryption alone is not enough. Encryption is only as good as the protection and management of the cryptographic keys behind it. No matter how strong the algorithm, if the keys are stolen or compromised, all the data encrypted under them is compromised: criminals can recover the plaintext and use it to harm your business, and you will face penalties for violating the privacy of your employees, customers, and partners. The combination of strong encryption and effective key management (secure generation, storage, rotation and revocation of keys) is what hardens your data against an array of attacks.
3. Maintain control over your cryptographic keys
Many cloud providers offer native encryption and key management services. It is nevertheless a good idea to adopt a centralized key management solution that gives you one consistent approach across your entire estate of encrypted data, on premises and in every cloud, and avoids per-provider encryption and key management silos. A solution supporting Bring Your Own Key (BYOK) or Bring Your Own Encryption (BYOE) lets you generate and control the keys yourself, rather than depending on keys that only the provider created and can see.
This is also sound security practice, because it keeps your keys separated from your data: the party that stores the data is not the party that can decrypt it, which is a segregation of duties that increases resilience against advanced attacks. Store the root keys in a certified Hardware Security Module (HSM), whether on-premises or in the cloud, as the root of trust. The less you need to trust your cloud provider with your keys, the more confidence you have that your data is secured, and the easier it is to meet the data sovereignty requirements of many regulations.
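The two preceding sections argue that the key, not the ciphertext, is what has to be protected, and that keys should live apart from the data they protect. The following added example (written for this article, not Thales code and not any vendor's API) shows the envelope-encryption pattern behind that advice: every record is encrypted under its own data encryption key (DEK), and the DEK is wrapped under a key encryption key (KEK) that stays with the key manager. The data store only ever holds ciphertext plus the wrapped DEK. The KEK is passed in as a byte slice purely for illustration; with a real HSM or KMS the wrap and unwrap calls would go to that device and the KEK would never leave it. The key ID `kek-2021-10` and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is everything the data store (a database row, an object
// in a bucket) holds. It contains the ciphertext and the DEK wrapped under
// the KEK, never the KEK itself: copying the datastore yields nothing
// readable without the key manager.
type EncryptedRecord struct {
	KEKID      string // which key-manager key wrapped the DEK
	WrapNonce  []byte
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// newAESGCM returns an AES-256-GCM AEAD for a 32-byte key.
func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes draws n bytes from the OS CSPRNG (keys and nonces).
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// seal encrypts plaintext under key with a fresh 96-bit nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or tampered input fails authentication.
func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt performs envelope encryption: a one-off DEK protects the record
// and the KEK wraps the DEK. The KEK ID is bound into the wrap as AAD, so a
// wrapped DEK cannot be silently relabelled as belonging to another key.
func Encrypt(kekID string, kek, plaintext []byte) (*EncryptedRecord, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{KEKID: kekID, WrapNonce: wrapNonce,
		WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the record. Without the
// right KEK the first step fails and the ciphertext is worthless.
func Decrypt(kek []byte, r *EncryptedRecord) ([]byte, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or revoked KEK")
	}
	return open(dek, r.Nonce, r.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is not
// touched, which is what makes centralized key rotation cheap.
func RotateKEK(oldKEK []byte, newID string, newKEK []byte, r *EncryptedRecord) error {
	dek, err := open(oldKEK, r.WrapNonce, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return errors.New("cannot unwrap data key with old KEK")
	}
	wrapNonce, wrapped, err := seal(newKEK, dek, []byte(newID))
	if err != nil {
		return err
	}
	r.KEKID, r.WrapNonce, r.WrappedDEK = newID, wrapNonce, wrapped
	return nil
}

func main() {
	kek, _ := randomBytes(32) // stands in for a key held in an HSM/KMS
	rec, _ := Encrypt("kek-2021-10", kek, []byte("constructed sample record"))
	pt, err := Decrypt(kek, rec)
	fmt.Printf("with the KEK: %q (err=%v)\n", pt, err)
	stolen, _ := randomBytes(32) // attacker has the datastore but not the KEK
	_, err = Decrypt(stolen, rec)
	fmt.Println("without the KEK:", err)
}
```

Two properties are worth checking yourself: decrypting with the wrong KEK, or with the old KEK after `RotateKEK`, fails authentication rather than returning garbage, and rotation changes only the wrapped DEK, leaving the ciphertext byte-for-byte identical. In production the wrap step is the call into the HSM or KMS (BYOK is exactly the act of importing your own KEK into that device), and because AES-GCM with random nonces should not wrap more than a few billion DEKs under one KEK, the KEK itself must be rotated on a schedule, which the same re-wrap routine handles.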
4. Control who has access to your data
Identity-centric access control is gaining traction, because traditional network perimeter security is not adequate for a business environment whose boundaries have blurred. Consider an integrated solution that supports Single Sign-On (SSO), multi-factor authentication (MFA), and adaptive, risk-based identity validation. Access decisions should not rest on a one-time, static authentication at login; they should follow a step-up process that requests stronger proof as the risk rises, so that your real business scenarios are covered: access to critical data from anywhere, from privately owned devices, by a hybrid workforce.
Lastly, do not forget that technology and processes are of little use without empowering your people. Skilling and reskilling your employees is crucial, since well-trained people are the strongest asset in your cybersecurity chain.