As more operational processes are digitised, and emerging technologies are introduced to improve business efficiency, the threat potential increases. New cloud- and IoT-driven architectures can be exploited by hackers, for example, while mobile working practices make it more likely that employees will expose information to loss or theft.
Data without boundaries
Research from Apricorn shows that 29% of organisations have suffered a data breach or loss as a direct result of mobile working. Employees collaborate and share information daily across mobile and cloud platforms, potentially making it vulnerable to access by unauthorised users. They are also physically removing information from the organisation on smartphones, removable hard drives and USB storage devices, which are easily lost or stolen.
In the office, connected devices can increase the ransomware threat, while providing hackers with an entry point to the network from which they can move laterally until they find something of value.
Another avenue of risk lies in defence supply chains, which are increasingly complex and globally dispersed. It is unlikely that any contracting organisation will have a detailed picture of its suppliers’ digital environments and cybersecurity frameworks – and this increases the risk of falling foul of regulations.
Seize control
Digital data must be protected at all times, but most security strategies and policies are no longer fit for purpose. There’s no clear perimeter to patrol and defend in this new business environment, and traditional security models and tools such as firewalls, VPNs and gateways cannot be relied on to prevent data loss or stop cyberattacks. Digital transformation delivers the agility and speed-to-market required to remain competitive. This means that limiting access to ‘risky’ technologies and applications is not the answer to safeguarding data.
The solution lies in a multi-layered security approach that is both people-centric and data-centric, and which encompasses policy and technology. There are four key actions that will enable organisations to understand where their liabilities are, and take decisive steps to address them.
Audit all company data. This will provide visibility of exactly what data the business holds and processes, and highlight where information may be unprotected and/or at risk.
Every organisation should document:
This is a good opportunity to improve data hygiene by deleting any data that is not required to run operations, and to limit access to information only to those who need it.
The organisation should also check that the way digital data is handled and controlled complies fully with key regulatory frameworks such as ITAR. GDPR extends the definition of personally identifiable information (PII) to genetic data and biometric data, as well as IP addresses and cookies where these relate directly to individuals – making it essential that these categories are appropriately protected.
Review security policies, procedures and processes. This will highlight any gaps which need addressing. Existing policies should then be updated, and new ones developed as necessary, to control how digital data is captured, accessed, processed, managed and disposed of. These must be clearly defined, written down, and shared across the organisation and with partners and contractors.
Specific policies and processes should be created and enforced to protect data when it is outside of central systems, including policies that relate to removable media, mobile devices and flexible working. One in 10 companies admits its security strategy does not currently cover storage devices such as USBs.
Processes that enforce the regular backing up of systems and data, meanwhile, will help to mitigate the impact of a ransomware attack.
The business must also put in place processes that prime it to respond to requests EU citizens may make under the new rights bestowed on them by the GDPR – such as demanding their data in a portable format, or that all their data is deleted.
Encrypt data at all stages of its lifecycle. Strong encryption forms the last line of defence. This approach should include the mandating of a FIPS-certified, hardware-encrypted mobile storage device, and the enforcement of its use through policies such as whitelisting and locking down USB ports so they can accept only approved devices.
Build a culture of accountability. People remain the weakest link when it comes to data security: 44 per cent of IT decision makers in the UK expect employees will lose data and expose their organisation to the risk of a data breach.
To mitigate the human risk, organisations should run training programmes that educate all users in the threats and compliance requirements specific to the business, their role in protecting data, and the procedures they must follow. These can be extended to partners’ and contractors’ teams to ensure the entire supply chain follows the same best practice.
Digital business is creating a complex and evolving security environment, and defence organisations’ security strategies must keep pace with the speed of their digital transformation programmes. This means carrying out data audits at regular intervals, and reviewing policies to check that they remain fit for purpose. Security systems, particularly encryption and authentication technologies, must be kept up to date, tested regularly, and adjusted to defend against evolving cyber threats. Achieving a security posture appropriate for digital business is anything but a one-off exercise.