The recent cyber attack which led to the theft of sensitive data relating to Australia’s defence programmes served as a reminder of the security vulnerabilities inherent in defence supply chains. The hacker exploited a weakness in a government contractor’s software, which had not been updated for 12 months. The firm was also using default passwords.
Every organisation involved in a defence project – whether as a contracting organisation or supplier or, as is often the case, both – must take responsibility for appropriately protecting the data they process and share. With collaboration so crucial to sustaining innovation and productivity, this has to be done without stifling the flow of ideas and information or making systems and processes unworkable.
Data without boundaries
As the workforce becomes more mobile, and supplier ecosystems increasingly complex and globally dispersed, the threat to IP and classified or sensitive information intensifies.
Project teams use mobile and cloud platforms daily to share and store data, potentially exposing it to access by unauthorised users. It is also being physically carried outside the organisation on smartphones, removable hard drives and USB storage devices which are prone to theft and loss. Within this context, data is constantly crossing the boundaries of companies and nations. There’s no longer a clear perimeter to defend.
While deliberate hacks are now commonplace, one of the biggest threats to security remains the theft, loss and misuse of data on the move. Research from Apricorn has revealed that 29% of organisations have suffered a data breach as a direct result of mobile working. One in ten companies, meanwhile, has admitted to not having a security strategy that covers removable media such as USB sticks.
Organisations that are not in complete control of their data at every point on its journey risk hefty fines and reputational damage resulting from data breaches and non-compliance with strict regulations, such as the ITAR export controls and the new EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
A data-centric, policy-based approach to security will protect the information itself – inside and outside an organisation’s central systems, both on the move and at rest – while enabling safe communications. The answer lies in a multi-layered approach combining people, process and technology.
1. Map data through its lifecycle
Before looking at data protection solutions, organisations should conduct a comprehensive audit of their data, covering:
This will make it easier to spot areas of non-compliance, pinpoint where data may be unprotected, and identify technologies, policies and processes that can minimise risk exposure.
2. Implement a watertight data security strategy
This needs to include the documentation and enforcement of policies that control how sensitive data is handled and used, extended to all endpoints, including partners and contractors. Encryption must be a key element of the strategy: if a removable media device ends up in the wrong hands, encrypted information will be unintelligible to anyone trying to access it. IT should research, identify and mandate a corporate-standard encrypted mobile storage device, and enforce its use through whitelisting policies.
The device should be pre-configurable to comply with security requirements, such as password strength.
Requirements can be written into third-party contracts – setting out, for example, the tools and technologies that must be used and when they should be updated.
3. Form a strong first line of defence
In addition to ensuring that everyone follows the same processes and best practice, this will help to build a culture of accountability across the whole supply chain.
4. Measure, monitor and report
The ongoing ‘auditing’ of compliance, both within the organisation and across third parties, will provide rapid visibility of policy violations so they can be addressed through training or disciplinary procedures. Monitoring will also provide a detailed audit trail that allows the organisation to demonstrate its compliance position, as well as an accurate record of any non-compliant user behaviour.
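The two controls described above, a whitelist of corporate-standard removable storage (section 2) and ongoing monitoring that yields an audit trail of policy violations (section 4), can be combined in a small compliance check. The following is an added example written for this article, not code from Apricorn or from any product it sells: it reads constructed USB connection log lines (the log format, the vendor/product IDs, the serial numbers and the `encrypted` attribute are all assumptions made for the example), checks each connection against an approved-device register, and produces a per-event violation record that can be rolled up per user for training or disciplinary follow-up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines for this example only; the key=value layout is
# an assumed endpoint-agent format, not any specific product's output.
SAMPLE_LOG = """\
2018-03-02T09:14:02Z host=lt-017 user=jsmith event=usb_connect vid=0x0984 pid=0x1234 serial=APX000123 encrypted=yes
2018-03-02T09:20:45Z host=lt-017 user=jsmith event=usb_connect vid=0x0781 pid=0x5567 serial=CONSUMER01 encrypted=no
2018-03-02T10:02:11Z host=ws-204 user=contractor_a event=usb_connect vid=0x0984 pid=0x1234 serial=APX000777 encrypted=yes
2018-03-02T10:05:38Z host=ws-204 user=contractor_a event=usb_connect vid=0x0984 pid=0x1234 serial=APX000999 encrypted=yes
2018-03-02T11:47:03Z host=ws-310 user=mlee event=usb_connect vid=0x13fe pid=0x4300 serial=GENERIC9 encrypted=no
"""

# Whitelist: the corporate-standard encrypted device model (assumed vendor and
# product IDs) plus the serial numbers IT has actually issued. Both sets are
# constructed for this example.
APPROVED_MODELS = {("0x0984", "0x1234")}
ISSUED_SERIALS = {"APX000123", "APX000777"}


@dataclass
class UsbEvent:
    ts: str
    host: str
    user: str
    vid: str
    pid: str
    serial: str
    encrypted: bool


def parse_usb_events(text: str) -> List[UsbEvent]:
    """Parse key=value log lines, keeping only usb_connect events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split())
        if fields.get("event") != "usb_connect":
            continue
        events.append(UsbEvent(
            ts=ts,
            host=fields["host"],
            user=fields["user"],
            vid=fields["vid"].lower(),
            pid=fields["pid"].lower(),
            serial=fields["serial"],
            encrypted=fields.get("encrypted") == "yes",
        ))
    return events


def classify(event: UsbEvent) -> List[str]:
    """Return the policy violations for one connection (empty list = compliant)."""
    reasons = []
    if (event.vid, event.pid) not in APPROVED_MODELS:
        reasons.append("model not on whitelist")
    elif event.serial not in ISSUED_SERIALS:
        # Right model, but not a unit issued by IT: a personal purchase or a clone.
        reasons.append("approved model but serial not issued by IT")
    if not event.encrypted:
        reasons.append("unencrypted storage")
    return reasons


def audit(text: str) -> List[Dict]:
    """Build the audit trail: who connected what, where and when, and why it failed."""
    trail = []
    for ev in parse_usb_events(text):
        reasons = classify(ev)
        if reasons:
            trail.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                          "serial": ev.serial, "reasons": reasons})
    return trail


def summarise_by_user(trail: List[Dict]) -> Dict[str, int]:
    """Count violations per user, the view needed for training or disciplinary follow-up."""
    counts: Dict[str, int] = {}
    for violation in trail:
        counts[violation["user"]] = counts.get(violation["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print(violation)
    print(summarise_by_user(audit(SAMPLE_LOG)))
```

The check deliberately treats the model whitelist as the primary control and the `encrypted` attribute as secondary: an endpoint can reliably read a device's vendor, product and serial identifiers, but it generally cannot verify that a drive encrypts its contents, which is exactly why the article recommends mandating a known hardware-encrypted device and whitelisting it rather than trusting whatever storage a user brings in.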
A combination of technical and organisational measures can help to reduce risk exposure in defence supply chains, while allowing the safe exchange and mobility of information across global business environments. Businesses that control their data appropriately can protect confidentiality, national security and their own reputation without compromising efficiency, agility or their competitive edge.
For more information, visit: www.apricorn.com