Responding to the challenges of data governance posed by the modern IT network.
Cybersecurity has changed rapidly in recent years, leaving CIOs, CISOs and their teams in very different waters, and the sudden shift to remote working last year has only compounded the risks.
Gone are the days of protecting your network locally. Enterprise security now demands a multifaceted strategy that takes in every part of a contemporary IT network: a diverse mix of legacy systems and applications alongside cloud-based software, storage and third-party providers such as SaaS vendors.
It is vital for businesses to secure the vast array of endpoints connected to the corporate network at any one time. Every technological innovation widens the attack surface, so the need for a robust enterprise security solution grows in step with it. Today, the total number of internet-connected devices worldwide is estimated at 13.8 billion, and the ‘Internet of Things’ (IoT) is projected to reach 30.9 billion devices by 2025, a rise of almost 125% in just 4 years.
Senior IT professionals face the significant challenge of safeguarding sensitive data as it is sent wirelessly, and invisibly, to cloud-based systems. Large corporations are increasingly vulnerable and must deliver enterprise-wide solutions against the two main threats to their data security: hacker attacks and data breaches.
The 2020 statistics.
In 2020, a total of 20.1 billion data records were lost or stolen. Or to put it another way, 20,140,224,547 files. That is a 50% increase in breached data records compared to 2019, and the second half of the year saw twice the number of reported breaches as cyber-criminals upped their game. Sophos reports that 48% of UK organisations were hit by ransomware demands in the last year.
For the corporations concerned, a breach is disastrous for business, both financially and for their reputation. Enterprise security has gained massive media attention following breaches at global businesses such as Facebook, Yahoo and Equifax. The British Airways data breach in 2018 resulted in a record GDPR fine of £183 million being issued by the ICO.
Banking institutions remain in sharp focus: between February and April 2020, cyber-attacks against financial institutions rose by 238%. In 2019, the Capital One breach saw the hacker access 106 million applications and customer accounts. Millions of credit card details are said to be for sale on the dark web for as little as $1 per card, bought to enable identity theft, fraudulent charges or embezzlement.
Enterprise security best practice.
Install a Web Application Firewall.
A secure firewall is still of primary importance, working with your anti-virus to alert you to worms, malware, ransomware and viruses in real time. However, firewalls of this kind only protect you against known malware signatures and are therefore heavily reliant on security professionals identifying these ever-present dangers first. Zero-day attacks distribute devastating code before malware experts discover it. A multi-tiered system can isolate the threat once it has penetrated the OS or network, preventing further intrusion.
Automated, script-driven hacking targets large data centres, web servers and online applications, reaching them through input entry points such as login screens. Web Application Firewalls add another crucial layer of protection, helping to prevent code injection and automated cross-site scripting attacks, which can lead to the most sought-after prize for hackers: full administrative access.
Apply password encryption.
It may seem obvious, but a software system login transfers data point-to-point across third-party infrastructure. That gives criminals the perfect opportunity for interception, but encrypting passwords in transit stops them in their tracks. Password lockout procedures and IP blocking also help to prevent cracking attacks.
Attackers can install packet sniffing software on your telecoms network, at the ISP or on a Wi-Fi channel, allowing them to eavesdrop on any unencrypted data you send and potentially learn how to access your entire corporate network. Even biometrics, gated entry systems and 24/7 monitoring cannot prevent unauthorised access once an attacker has the password.
It is important to educate teams about the importance of passwords, as so many people still use the same password for multiple work accounts. An attacker who gains access to one part of the network is then likely to gain access to much more.
Undertake a physical and virtual access assessment.
Check the boundaries of your physical and virtual network; assess all types of data transfer and all possible entry points. Is data encrypted as it is sent to the cloud? Is all software used on your network fit for purpose? Remove outdated versions immediately and replace them with a more secure program. It is also important to assess administrative permissions regularly. Does everyone with access really need it for his or her role? Removing unnecessary access also removes risk.
Large corporations have thousands of employees connecting from mobile devices, many of them remotely, and these pose a virus and script risk. Inspect every device for its security strength. Check that the latest update is installed and perform regular scans for threats. If a device has been compromised, or if it could be, IT asset disposal services can help you reprogram it or even safely destroy it.
As the IoT rapidly grows in your organisation, what has happened to the devices it replaced? Are old smartphones, tablets and laptops simply lying in drawers, all with access to your data? Many ITAD services have responded and now provide mobile device recycling.
At the other end of the IT asset disposal scale, data centre decommissioning experts can perform on-site data erasure for data centres and servers that cannot be removed, providing secure office relocation for large enterprises.
Stretched IT departments must not overlook the importance of data destruction. The IBM and Ponemon data breach study reports that the average cost of a data breach for UK enterprises is $3.88 million per leak, far more than the cost of a professional IT asset disposition service. End-of-life IT assets should all have an ITAD chain of custody to ensure your legal compliance. Look for an ITAD partner that provides a separate IT asset disposal accreditation for every piece of redundant IT equipment.
One of the biggest challenges in data governance is improper data erasure of redundant IT assets. It is certainly a false economy to try to save on this element of your IT departmental budget, particularly as free ITAD asset disposal is now available. E-waste is governed by the WEEE regulations, which promote environmentally friendly ITAD and zero-landfill policies, both of which are good for your CSR. In addition, many data destruction services are also pledging their commitment to the EU’s circular economy, helping you recycle and reuse equipment.
Create a robust cybersecurity crisis plan.
By far the biggest mistake when it comes to enterprise security is the misconception that it won’t happen to you. Data Basix states that only 31% of all UK organisations have completed a cybersecurity risk assessment in the last 12 months.
Without swift identification and the deployment of a rapid response plan, substantial damage may already have been done before a breach is even discovered. Surprisingly, despite all the media attention, companies took on average 197 days (6 months) to identify a breach and a further 69 days to contain it. In a time of increased remote working, micro-segmentation will protect all virtual machines on a network, stopping an attacker from moving through the system if they do gain entry.
Even those who pride themselves on military-level endpoint security have vulnerabilities that can be reached. After all, no padlock is secure if your employees hold the door open for the criminals. In 2020, half of all cyber-attacks in the UK involved phishing. Recent research by Tessian showed that nearly a quarter of employees said they hadn’t received any training on how to spot a phishing attack. An ongoing employee education programme is essential to protecting your business, as the vast majority of malware and ransomware infections are introduced entirely by accident. Prevention is better than cure.
It is essential that you have a robust enterprise security crisis plan in place for immediate deployment, helping you shorten the duration of a breach and limit the damage caused.
The complexity of a modern IT network calls for a layered and thorough approach to enterprise cybersecurity. Every major corporation needs sensitive data to operate and build its business, but the data protection laws are simple: protect company data at all costs.
Senior IT professionals must undertake regular inventories of entry points and apply all known methods of defence. However, whilst they make the headlines, it isn’t all about the hackers. A strict IT asset disposal policy and regular employee education are crucial in avoiding accidental breaches. Should a breach or attack occur, a robust crisis management strategy ensures no time is wasted, significantly limiting any damage to your corporation.
Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help you dispose of your data safely and reliably.
Sources: Data Basix, Sophos, IT Governance, Statista, CSO, Consolidated Technologies, VMware, Six Degrees, Lifewire, Varonis, Tessian.