cybersecurity Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

cybersecurity

Fintech: How financial technology is benefitting businesses, and impacting security

 960 640 Guest Post
By:
0
0

Is your business operating as efficiently as it could be? For smaller businesses and startups, maximising efficiency can be the difference between surviving and thriving. In today’s rapidly-evolving commercial landscape, being an early adopter of the latest technology can set your business apart from the rest, open the door to a wider market of potential customers or simply help cut costs.

Fintech – a portmanteau of “financial technology” – is helping both businesses and individuals to take better control of their finances. We spoke with Carl Johnson, UK Sales Director at Anglo Scottish Asset Finance, about some of the ways in which fintech is benefitting businesses – and how it could benefit yours…

How has fintech affected the market?

One of fintech’s most important impacts is its ability to democratise finance, making it easier for anyone to manage their money in a user-friendly way. Online banking and phone banking apps are one example of this – now it’s easier than ever for people to manage their money.

This brings about various advantages for marginalised communities, such as people with disabilities, can manage their money from their own homes. The ability to customise your experience on a PC or mobile banking device could alleviate the pressure on neurodivergent people who may struggle with the stimulating experience of going to the bank in person.

In many cases, fintech benefits both the business – who make their services more accessible and inclusive to a wider market – and the user, who can interact with the service in the way best-suited to them.

Johnson comments: “The same applies from a business perspective – fintech has helped level the playing field for smaller businesses. Amongst the current landscape of rising operating costs, fintech can help cut crippling overheads with increased automation or protect your business from online scams.”

Increasing cybersecurity

If you’re looking to increase the cybersecurity measures in place at your business, fintech can help you do so. AI-powered fraud detection algorithms can analyse user patterns to identify when a fraudulent transaction is happening in real time.

For large-scale transactions, advanced authentication features like biometrics and multi-factor processes can help put new clients at ease, and increase the security of your business.  This additional level of security can help put older customers’ mind at rest – people who are wary of tech can rest easy knowing their concerns are accounted for.

Digital wallets

In today’s world, businesses can maximise their revenue by accepting multiple forms of payment. Businesses which accept cryptocurrency as a form of payment are opening their doors to an entirely new revenue stream, which can set them apart from competitors.

There are plenty of other benefits for businesses which accept crypto – the currency is international, meaning no worrying about exchange rates. Transactions are processed more quickly than a traditional monetary transfer, which means cash flow problems can be alleviated with ease.

Customer experience

Fintech can also be used to help streamline the customer experience and increase your understanding of your audience base. Smaller businesses may not have the manpower to run a manned customer support service at all times – AI-powered customer service tools like Chatbots can help with more standardised queries.

In most cases, today’s customers like an immediate, personalised service. Using automated technology can provide this – advanced AI can address your customers by name, and recommend items based on their earlier buying habits.

Physical payments for small businesses

In recent years, the development and democratisation of card payment terminals has enabled small businesses to grow more easily than ever. Companies like Square have made it affordable for small businesses to accept card payments, thanks to a flat rate processing fee in lieu of monthly subscription or account maintenance fees.

This, in turn, attracts a wider customer base. With fewer people carrying cash – especially since COVID – businesses lose out on revenue if they’re unable to support card payments.

Sourcing funding

Looking for external funding to help take your business to the next level? Crowdfunding platforms are another form of fintech at your business’s disposal.

Look out for platforms like Crowdcube, a fully-regulated crowdfunding investment platform with over 6,500 investors. Businesses can choose whether they’re asking for seed funding (£150k-£249k), early funding (£250k-£750k), or growth funding (£750k+).

Streamlining

Another way in which Fintech can benefit businesses is through cost-saving. Greater potential for automation as a result of technology like AvidXchange has reduced the need for manual invoicing and payment processing, freeing up your employees to deal with more complex requests.

By streamlining your payment process, your business saves time and money – and your customers and partners will benefit by receiving invoices faster than ever.

The future of fintech

Johnson expects the booming fintech industry to continue expanding in the coming years: “With a growing number of businesses adopting fintech every year, we can expect the number of financial technologies – and their myriad potential applications – to continue to grow.

Expect to see new fintech innovations for both personal and commercial use. For small businesses and startups, it’s vital to stay on top of any new technologies that could help improve your operations.”

2023’s most in-demand cyber security solutions revealed

 960 640 Stuart O'Brien
By:
0
0

Access Control, Vulnerability Management and Application Security top the list of solutions and services the UK’s leading IT security professionals are sourcing in 2023 and beyond.

The findings have been revealed ahead of next month’s Security IT Summit and are based on delegate requirements at the upcoming event.

Delegates registering to attend were asked which areas they needed to invest in during 2023 and beyond.

Employee Security Awareness and UK Cyber Strategy rounded out the Top 5.

The results show a marked difference compared to the same event in November last year, when Employee Security Awareness, Cyber Strategy and Access Control top the list.

Top 10 products & solutions being sourced by Security IT Summit delegates:

Access Control

Vulnerability Management

Application Security

Employee Security Awareness

UK Cyber Strategy

Endpoint Detection & Response (EDR)

Compliance

Firewalls

Penetration Testing

AI/Machine Learning

To find out more about the Security IT Summit, click here.

Schoolgirls encouraged to consider careers in cybersecurity by Aston University

 960 640 Stuart O'Brien
By:
0
0

One hundred female Year 8 student from Birmingham schools took part in an ‘explorer day’ organised by the Cyber Security Innovation (CSI) Centre at Aston Business School.

The Cyber girls event is part of the Cyber Kali project, for which a team of academics at Aston and Warwick Universities have been awarded funding by the UK National Cyber Security Centre (NCSC).

The CSI Centre at Aston University has a sustained record of engaging with schools in Birmingham through educational events in cybersecurity since the pandemic.

The event brought together role models from the industry and local government, including Vickie C (senior cyber consultant, CGI), Daljinder Mattu (senior policy advisor, Department for Science Information and Technology) and CyberWomen@Warwick representatives. UK Cyber Security Council CEO, Simon Hepburn, also shared his career journey into cyber security and the opportunities the sector offers.

Dr Anitha Chinnaswamy and Professor Vladlena Benson led the project from the CSI, which was funded by the NCSC’s Academic Centres of Excellence programme.

There were interactive workshops emphasising the importance of online safety, cyber-hacking, and how to protect oneself from online threats. The Gadget Guru Competition provided an avenue for the students to showcase their creativity and inventiveness. The day concluded with an award ceremony that recognised the competition winners for their exceptional efforts.

Dr Chinnaswamy said: “We would like to thank all who contributed to making ‘Cyber Kali Explorer Day’ a triumph, and we are confident that our efforts will bear fruit in the future.

“It is our responsibility to continue nurturing these bright young minds, providing them with the tools they need to succeed, and supporting them as they embark on their unique journeys.

“Our goal goes beyond this project, we work towards every opportunity inspire and empower the next generation of cybersecurity professionals, especially young women, to pursue their dreams and explore a field that has traditionally been male-dominated.

Professor Helen Higson also supported the event and said: “I am proud of the ongoing work of the CSI Centre, which continues to support the objectives of the National Cyber Strategy 2022.

“At Aston University, we recognise the importance of promoting diversity and inclusion, and equality, diversity and inclusion (EDI) is an integral part of our agenda.

Professor Zoe Radnor, Pro-Vice-Chancellor and Executive Dean of the College of Business and Social Sciences at Aston University, said: “Through our Cyber Security Innovation Centre and other initiatives, we aim to create opportunities for all individuals, regardless of their background or identity, to excel in the field of cybersecurity and contribute to building a safer and more secure digital world.”

Research pinpoints advanced persistent threats to businesses in Europe

 960 640 Stuart O'Brien
By:
0
0

A new study has revealed a ‘worrying’ lack of visibility into networks that exposes organisations to cyber risks and large-scale disruptions that can inflict substantial losses.

Gatewatcher’s inaugural analysis of the pan-European, advanced persistent threat (APT) landscape draws on responses from of 300 IT decision-makers across the UK, France and Germany, highlighting the main fears faced by organisations and the solutions they use to address the challenges of APT threats.

The survey shows a clear awareness of APT threat detection with more than 9 in 10 currently looking for APTs. When asked about their attitudes and the main obstacles they face in their fight against these threats, 25% of respondents currently seek to detect and discover APTs but face challenges identifying the method of entry.  A further 21% face challenges supporting the technology.

These concerns are within the context of APTs being addressed within the organization – the study also revealed that just under 1 in 5 (19%) currently outsource their protection against APTs to a managed service provider (MSP) or managed security service provider (MSSP).

APT: lack of visibility as a risk factor

When asked to address the specific issues surrounding APTs and how they might compromise the security posture or their organisation, just under half (47%) of respondents identified a lack of visibility throughout the network as a key factor, whilst a further 40% disclosed a lack of the necessary skills within their security teams.

A further 35% also mentioned gaps in current endpoint provision and nearly a third (30%) cited false positive and the subsequent alert fatigue as a source of security compromise. Reflecting the increased awareness of the importance of securing the supply chain, 29% identified third-party subcontractors that are connected to an organisation’s systems as a source of APT threat.

 Security Challenges Ranking: Perception gaps

 The survey also identifies six security challenges ranked by perceived risk level. Across all three markets, the cybercrime threat of individual bad actors, such as independent black hats, hacktivists or script kiddies is seen as the most pressing cyber security challenge faced by organisations, identified by 54% of respondents.

The study also points to differences in perception between British, French, and German decision-makers. In France, data loss tops the list of concerns (65%), while the threat from independent hackers is the top concern in Germany and the UK (62% and 52% respectively). Ransomware is also the second biggest concern for German IT decision makers (52%), compared to 47% and 43% in France and the UK.

NDR: a future solution to APTs

When asked to detail the technology portfolio used against APTs, Endpoint Detection & Response (EDR) was the most present, cited by nearly two-thirds (62%) of respondents.  This was followed by firewalls (57%) and then a very close third and fourth between Security Information and Event Management (SIEM) and Network Detection and Response (NDR) with 56% and 55% respectively.

The emergence of NDR solutions in fourth place illustrates the growing need for IT decision-makers to have visibility across the entire IT network and to protect themselves against large-scale threats, with potentially catastrophic impacts.

Gatewatcher’s Cyber Threat Barometer – our monthly, active monitoring and Cyber Threat Intelligence solution -, provides an overview of cyber threats, including the evolution of certain advanced persistent threats – but this is only the thin end of an extremely dangerous wedge,” said Philippe Gillet, CTO of Gatewatcher. He adds: “By providing a snapshot of APT threats and challenges, this study conducted by Vanson Bourne aims to contribute to the constructive search for solutions for the future. The results are encouraging: it shows us that businesses are still relying heavily on endpoint protection, whilst recognising that it is visibility across the network that is now needed to address APTs. As recent examples have shown, these advanced attacks exhibit patience and strategic thinking.  As such, it is time to evolve and adapt our approach to the threat landscape and see APTs as the new normal in cybersecurity. This will mandate network technologies that offer high visibility of threats hidden in the network and represent an essential lever for strengthening the cybersecurity posture of businesses.’’

The risk of IT business as usual 

 960 640 Stuart O'Brien
By:
0
0

IT teams within mid-sized organisations are over-stretched. Resources are scarce, with sometimes skeleton teams responsible for all aspects of IT delivery across large numbers of users. With up to 90% of the team’s time being spent ‘keeping the lights on’, there is minimal scope for the strategic thinking and infrastructure optimisation that business leaders increasingly demand. Yet without IT, businesses cannot function. And in many cases, there will be compliance or regulatory consequences in the event of a data breach.

With cyber security threats rising daily, businesses cannot afford to focus only on Business as Usual (BAU). But without the in-house expertise in security, backup and recovery, or the time to keep existing skills and knowledge at the cutting edge, IT teams are in a high-risk catch-22.

Steve Hollingsworth, Director, Covenco and Gurdip Sohal, Sales Director, Covenco explain why a trusted IT partner with dedicated expertise in key areas such as infrastructure, backup and security to the existing IT team, is now a vital component of supporting and safeguarding business…

Unattainable Objectives

Prioritising IT activity and investment is incredibly challenging. While IT teams are being pulled from pillar to post simply to maintain essential services, there is an urgent need to make critical upgrades to both infrastructure and strategy. The challenges are those IT teams will recognise well: cyber security threats continue to increase, creating new risks that cannot be ignored. Business goals – and the reliance on IT – are evolving, demanding more resilience, higher availability and a robust data recovery strategy. Plus, of course, any changes must be achieved with sustainability in mind: a recent Gartner survey revealed that 87% of business leaders expect to increase their investment in sustainability over the next two years to support organisation-wide Environmental, Social and Governance (ESG) goals.

But how can IT Operations meet these essential goals while also responding to network glitches, managing databases and, of course, dealing with the additional demands created by Working from Home (WFH)? Especially when skills and resources are so thin on the ground. While there are some indications that the continued shortage of IT staff may abate by the end of 2023, that doesn’t help any business today.

Right now, there is simply no time to upskill or reskill existing staff. Indeed, many companies are struggling to keep hold of valuable individuals who are being tempted elsewhere by ever rising salaries. Yet the business risk created by understaffed and overstretched IT teams is very significant: in the most recent fine imposed by the Information Commissioner’s Office (ICO), for example, companies are being warned of complacency and failing to take the essential steps of upgrading software and training staff.

Differing Demands

With four out of five CEOs increasing digital technology investments to counter current economic pressures, including inflation, scarce talent, and supply constraints, according to Gartner, something has to give if resources remain so stretched. And most IT people will point immediately to the risk of cyber security breach. Few companies now expect to avoid a data breach. According to the 2022 IBM Data Breach survey, for 83% of companies, it’s not if a data breach will happen, but when. And they expect a breach to occur more than once.

The research confirms that faster is always better when detecting, responding to and recovering from threats. The quicker the resolution, the lower the business cost.  But how many IT teams have the resources on tap to feel confident in the latest securitypostures or create relevant data backup and recovery strategies?

These issues place different demands on IT teams. While most organisations will need 24/7 monitoring against the threat of a cyber-attack, in contrast establishing and then maintaining data backup and recovery policies are not skills that are required full time. Most companies need only an annual or bi-annual review and upgrade. Which is where a trusted partner with the ability to deliver an end-to-end service covering infrastructure, backup, managed services and security – that can flex up and down as the business needs it – is now becoming a core resource within the IT Operations team.

Extended Expertise Resource

A partner with dedicated technical expertise can augment existing skills in such specialist areas. These are individuals who spend every day assessing the latest technologies and solutions, who understand business needs and know how to achieve a best practice deployment quickly and, crucially, right first time.

Taking the time to understand the entire IT environment and assessing the backup and recovery needs, for example, is something that an expert can confidently and quickly achieve without the Business-as-Usual distractions a member of the IT team faces. What is the company’s Recovery Point Objective (RPO) or Recovery Time Objective (RTO)? How long will it take to get back up and running in the event of an attack or server failure? What are the priority systems? How is the business going to deal with a cyber-attack?

By focusing exclusively on where risks may lie and then implementing the right solutions quickly and effectively, a partner can de-risk the operation. From a VEEAM backup vault in the cloud or instant database copies using IBM FlashSystem, a disaster recovery plan that includes relocation or high availability with a goal of achieving a local recovery within minutes, the entire process can be achieved while allowing the IT team to concentrate on their existing, demanding, roles.

Conclusion

Whether a company needs to expand its infrastructure to support the CEO’s digital agenda or radically improve cyber security, or both, very few IT teams have either the spare capacity or dedicated expertise to deliver. Focusing on Business as Usual is, of course, an imperative – but unfortunately just not enough in a constantly changing technology landscape.

Partnering with a trusted provider with the capability to deliver a flexible end-to-end service with dedicated skills as and when required to supplement and support the overstretched IT team, is, therefore key to not only keeping the lights on, but also ensuring the business’ current and future needs are effectively addressed.

Say goodbye to traditional security training: How to keep your staff engaged!

 960 640 Guest Post
By:
0
0

As the saying goes, what got you here, won’t get you there. While the traditional method of once-a-year security awareness training for your staff may have been an acceptable method in the early 2000’s, times change, and so do the needs of staff. Simply providing information to employees is not enough. For best results, information delivered needs to be relevant, timely, and appropriate.

Take the example of teaching a child to cross the road. The best time to teach them is when you’re at a road. This makes the lesson timely and relevant. It also needs to be explained to them in terms they will understand and connect to, this makes it appropriate.

With KnowBe4, you can deliver training to employees which is relevant, timely, and appropriate. It contains a huge library of content covering training modules, video modules, mobile optimised content, assessments, games, newsletters, posters, and much more. Plus, the content is localised in many languages and with many different tones and formats available, there is certainly something for every organisation.

Smart groups can also be used to deliver specific training to selected users. For example, there is no point in making everyone go through security awareness tips when travelling, if most people never travel to a remote location. Putting your road warrior employees in one group and only sending them the training makes it far more relevant.

Perhaps the hardest part of training is delivering it at the right time. There is never an ideal time for employees to take time out of their day to complete their training. Which is why it’s important to not just provide the option of short and quick modules which can be completed during a tea break. But have a method to intervene with training when it is needed the most. With SecurityCoach users can be coached in real-time based on their real-world behaviours.

Whichever tool you use, make sure the training provided is relevant, timely, and appropriate to make it stick.

Find out what percentage of your employees are Phish-prone™ with our free test.

INDUSTRY SPOTLIGHT: Protect your top attack vectors, across all channels by Perception Point

 960 640 Guest Post
By:
0
0

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection, investigation, and remediation of all threats across an organisation’s main attack vectors – email, web browsers, and cloud collaboration apps.

Perception Point streamlines the security environment for unmatched protection against spam, phishing, BEC, ATO, ransomware, malware, Zero-days, and N-days well before they reach end-users.

The use of multiple layers of next-gen static and dynamic engines along with patented technology protects organizations against malicious files, URLs, and social engineering-based techniques. All content is scanned in near real-time, ensuring no delays in receipt, regardless of scale and traffic volume. Cloud-based architecture shortens development and deployment cycles as new cyber attacks emerge, keeping you steps ahead of attackers.

The solution’s natively integrated, free of charge, and fully managed incident response service acts as a force multiplier to the SOC team, reducing management overhead, improving user experience and delivering continuous insights. By eliminating false negatives and reducing false positives to bare minimum, the solution provides proven best protection for all organizations.

Perception Point empowers security professionals to control their full security stack with one solution, viewed from an intuitive, unified dashboard. Users can add any channel, including cloud storage, CRM, instant messaging, and web apps, in just one-click to provide threat detection coverage across the entire organization.

Deployed in minutes, with no change to the enterprise’s infrastructure, the patented, cloud-native and easy-to-use service replaces cumbersome legacy systems.

Fortune 500 enterprises and organizations across the globe are preventing attacks across their email, web browsers and cloud collaboration channels with Perception Point.

Contact us to learn more about how Perception Point can secure your business. 

Connect with us on LinkedIn, Twitter, and Facebook.

What more, if anything, should governments be doing about cyber actors?

 960 640 Guest Post
By:
0
0

By Will Dixon, Global Head of the Academy and Community at ISTARI

Cyberattacks are becoming more frequent, and their potential consequences are becoming more severe. With Critical National Infrastructure and other important services constantly in the virtual crosshairs of both state actors and cybercriminals, it is entirely conceivable that an attack, or a series of attacks, will lead to significant public harm.

In the event that this happens, governments and law enforcement will find themselves facing calls to act. In the eyes of the public, we might assume that doing so would seem natural; after all, offensive cyber operations are not as risky as military operations in the real world, so why not do more to disrupt these groups?

The picture is, of course, not as simplistic. The negotiations currently taking place at the United Nations on a treaty on cybercrime are demonstrative of the complexity of getting international agreements on what constitutes a cybercrime. The penalties that should be enacted against the perpetrators and the powers global law enforcement agencies should have in order to prosecute these perpetrators are also up for debate.

That definition is fiercely contested, given the significant implications for countries such as Russia and China that want the definition to include terms allowing them to impose strict censorship laws and pursue dissidents. While this debate continues, the lack of agreed rules of the road is leading to action against cyber criminals.

Nonetheless, the relentlessness of cybercrime means that it is worth considering how governments and law enforcement should deal with cyber criminals. We have seen how knee-jerk reactions to major events have led to poor outcomes in the past. The cyber community should endeavour to avoid making the same mistakes.

Change in Policy

There needs to be more cooperation between national and supranational agencies, which includes better access to global data sources. This would require deep, scalable operations and partnerships with law enforcement agencies on an international scale. Some of these partnerships will likely involve countries that would rather not collaborate.

It will also require better collaboration between victim organisations and law enforcement, as the recent takedown of Hive, a ransomware group that targeted more than 1,500 victims in over 80 countries around the world, has shown. Close cooperation between victims and forensics investigators at the FBI ultimately allowed law enforcement to map and disrupt the entire Hive network. If law enforcement agencies want to do this on a wider scale, they must open their doors to victims and make sure that these victims are not afraid of further penalties for being more open about the events that resulted in an attack.

Implementing Positive Incentive Models

It is an unfortunate reality that there are not nearly enough cybersecurity companies or organisations that possess the bespoke capabilities, human resources, and training to safely secure the convergence of enterprise software, the Internet of Things (IoT), and Operational Technology (OT) environments associated with Critical National Infrastructure. Preventing harm to the public requires that we fix this.

While there are many negative incentive models, such as regulation and fines for non-compliance, this can only take us so far. More positive incentive models are needed, whereby the government works alongside the community to provide resources and the financial support required to create a strong ecosystem of organisations that can navigate the complexity of critical national infrastructure environments. There has been some evidence of this in the USA, such as the federal government’s investment in cybersecurity controls following the Colonial Pipeline attack. However, more meaningful public-private cooperation is needed in order to create the ecosystem of advanced capabilities we need.

Moving Forward

There is no escaping the fact that the cyber-threat level is growing, and it appears that we are on an unavoidable path towards law enforcement campaigns acting against cyber criminals. Whilst an appetite for more muscular action against cybercriminals is entirely understandable, we must also accept that it is not guaranteed to make a positive difference; campaigns against international criminal networks of other kinds have proved ineffective before. If we want to keep digital systems and the public they serve safe from harm, we need to invest more time and effort in creating the capabilities to do so.

Should I switch penetration testing provider every year? A pentester’s perspective…

 960 640 Guest Post
By:
0
0

By Greg Charman – Pentester at iSTORM Solutions

It’s that time again. Time to reach out to several pentest providers and get the ball rolling for scoping calls, quoting then re-quoting. Once this is completed and you’ve chosen this year’s provider – you have hope that they have availability that aligns with your timeframes.

All this in the interest of having a “fresh pair of eyes” have a look at your systems. Wouldn’t it be easier if you were able to build a relationship with the provider you will be trusting your most valuable information with?

As a pentester myself, I find that the process of planning an engagement is much more efficient for everyone involved when we already have a relationship with the client. As a consultant, my job is not only to scope, complete and report the test but to make sure that we are making the best use of your budget and our time during the process. This is much easier if I already have an understanding of your business. An insight into your organisation’s infrastructure is essential when trying to prioritise risks and enables me to identify the best techniques to accommodate those priorities. Ultimately, a pentest works best when it’s a collaborative effort between both organisations.

Another benefit of partnering with a pentest provider is to avoid the headache of tracking vulnerabilities year on year. Remediation advice is great but keeping metrics around your organisations evolving security posture can be difficult if you have data from several different sources. Why not make it easier by using a provider who can provide a consolidated view of this?

Repeat partnering with a pentest provider may also result in loyalty discounts when it comes to pricing – helping your organization utilize their budget better!

For more info on how iSTORM can provide a tailored solution for your privacy, security and pentesting needs visit: https://istormsolutions.co.uk/

Protecting data irrespective of infrastructure 

 960 640 Guest Post
By:
0
0

The cyber security threat has risen so high in recent years that most companies globally now accept that a data breach is almost inevitable. But what does this mean for the data protection and compliance officers, as well as senior managers, now personally liable for protecting sensitive company, customer and partner data?

Investing in security infrastructure is not enough to demonstrate compliance in protecting data. Software Defined Wide Area Networks (SD WAN), Firewalls and Virtual Private Networks (VPN) play a role within an overall security posture but they are Infrastructure solutions and do not safeguard data. What happens when the data crosses outside the network to the cloud or a third-party network? How is the business data on the LAN side protected if an SD WAN vulnerability or misconfiguration is exploited? What additional vulnerability is created by relying on the same network security team to both set policies and manage the environment, in direct conflict with Zero Trust guidance?

The only way to ensure the business is protected and compliant is to abstract data protection from the underlying infrastructure. Simon Pamplin, CTO, Certes Networks, insists it is now essential to shift the focus, stop relying on infrastructure security and use Layer 4 encryption to proactively protect business sensitive data irrespective of location…

Acknowledging Escalating Risk

Attitudes to data security need to change fast because today’s infrastructure-led model is creating too much risk. According to the 2022 IBM Data Breach survey, 83% of companies confirm they expect a security breach – and many accept that breaches will occur more than once. Given this perception, the question has to be asked: why are businesses still reliant on a security posture focused on locking the infrastructure down?

Clearly that doesn’t work. While not every company will experience the catastrophic impact of the four-year-long data breach that ultimately affected 300 million guests of Marriott Hotels, attackers are routinely spending months inside businesses looking for data. In 2022, it took an average of 277 days—about nine months—to identify and contain a breach. Throughout this time, bad actors have access to corporate data; they have the time to explore and identify the most valuable information. And the chance to copy and/or delete that data – depending on the attack’s objective.

The costs are huge: the average cost of a data breach in the US is now $9.44 million ($4.35 is the average cost globally). From regulatory fines – which are increasingly punitive across the globe – to the impact on share value, customer trust, even business partnerships, the long-term implications of a data breach are potentially devastating.

Misplaced Trust in Infrastructure

Yet these affected companies have ostensibly robust security postures. They have highly experienced security teams and an extensive investment in infrastructure. But they have bought into the security industry’s long perpetuated myth that locking down infrastructure, using VPNs, SD WANs and firewalls, will protect a business’ data.

As breach after breach has confirmed, relying on infrastructure security fails to provide the level of control needed to safeguard data from bad actors. For the vast majority of businesses, data is rarely restricted to the corporate network environment. It is in the cloud, on a user’s laptop, on a supplier’s network. Those perimeters cannot be controlled, especially for any business that is part of supply chain and third-party networks. How does Vendor A protect third party Supplier B when the business has no control over their network? Using traditional, infrastructure dependent security, it can’t.

Furthermore, while an SD WAN is a more secure way of sending data across the Internet, it only provides control from the network egress point to the end destination. It provides no control over what happens on an organisation’s LAN side. It cannot prohibit data being forwarded on to another location or person. Plus, of course, it is accepted that SD WAN misconfiguration can add a risk of breach, which means the data is exposed – as shown by the public CVE’s (Common Vulnerabilities and Exposures) available to review on most SD WAN vendors’ websites. And while SD WANs, VPNs and firewalls use IPSEC as an encryption protocol, their approach to encryption is flawed: the encryption keys and management are handled by the same group, in direct contravention of accepted zero trust standards of “Separation of Duties”.

Protect the Data

It is, therefore, essential to take another approach, to focus on protecting the data. By wrapping security around the data, a business can safeguard this vital asset irrespective of infrastructure. Adopting Layer 4, policy-based encryption ensures the data payload is protected for its entire journey – whether it was generated within the business or by a third party.

If it crosses a misconfigured SD WAN, the data is still safeguarded: it is encrypted, making it valueless to any hacker. However long an attack may continue, however long an individual or group can be camped out in the business looking for data to use in a ransomware attack, if the sensitive data is encrypted, there is nothing to work with.

The fact that the payload data only is encrypted, while header data remains in the clear means minimal disruption to network services or applications, as well as making troubleshooting an encrypted network easier.

This mindset shift protects not only the data and, by default, the business, but also the senior management team responsible – indeed personally liable – for security and information protection compliance. Rather than placing the burden of data protection onto network security teams, this approach realises the true goal of zero trust: separating policy setting responsibility from system administration. The securityposture is defined from a business standpoint, rather than a network security and infrastructure position – and that is an essential and long overdue mindset change.

Conclusion

This mindset change is becoming critical – from both a business and regulatory perspective. Over the past few years, regulators globally have increased their focus on data protection. From punitive fines, including the maximum with its €20 million (or 25% of global revenue, whichever is the higher) per breach of European Union’s General Data Protection Regulation (GDPR) to the risk of imprisonment, the rise in regulation across China and the Middle East reinforces the global clear recognition that data loss has a material cost to businesses.

Until recently, however, regulators have not been prescriptive about the way in which that data is secured – an approach that has allowed the ‘lock down infrastructure’ security model to continue. This attitude is changing.  In North America, new laws demand encryption between Utilities’ Command and Control centres to safeguard national infrastructure. This approach is set to expand as regulators and businesses recognise that the only way to safeguard data crossing increasingly dispersed infrastructures, from SD WAN to the cloud, is to encrypt it – and do so in a way that doesn’t impede the ability of the business to function.

It is now essential that companies recognise the limitations of relying on SD WANs, VPNs and firewalls. Abstracting data protection from the underlying infrastructure is the only way to ensure the business is protected and compliant.