If it sometimes feels like cyber threats are approaching your organization from all angles, it’s because they are. To protect yourself, you need to secure as many threat vectors as possible. Andy Swift highlights two critical data protection steps everyone should take, and yet many organizations seem to miss.
What does maintaining a secure IT estate have in common with riding a unicycle on a tightrope whilst juggling knives? You can probably make up your own punchline. The recent ransomware attack on Travelex and data breach fine handed down to Dixons Carphone have highlighted the critical importance of data protection to all organizations. Travelex in particular has already suffered catastrophic financial, operational and reputational damage, and that’s before the Information Commissioner’s Office reviews the case and hands a potentially significant fine down to the foreign exchange company.
Unfortunately, there’s no magic bullet that will enable you to secure your data and guarantee its confidentiality, integrity and availability. In order to protect your data appropriately, your organization will need to assess its overall cyber security maturity, spanning the entire breadth of its people, processes and systems.
Two areas I’d like to highlight in this article are your users and your backups. I carry out penetration tests for organizations of all sizes, across the public and private sectors, and you’d be surprised how many neglect to properly train their users and secure their backups. This increases their threat vectors and potential exposure to cyber attack, resulting in unnecessary data protection risks. Make sure you don’t make the same mistake.
End user training
Security ends with your users – when all other technical controls have failed, they are the final control you should have in place to filter out malicious content. Investing in training to help users spot common phishing, smishing and other human-facing attack vectors is highly valuable, and helps promote buy-in from all users when your organization introduces tighter technical controls.
Just remember that training should be engaging, timely and relevant to your users’ day-to-day working practices. An uninspiring annual online course just won’t cut it nowadays – embed cyber security training into your users’ monthly working cadence, keep it punchy, and be creative. I guarantee that putting a little more effort into your cyber security awareness programme will pay off tenfold when your users remember exactly what to do if (and let’s face it, when) compromised emails land in their inboxes.
Backup segregation
You should also consider the architecture of your file share and backup environments. Far too often I see backup servers configured without any segregation from the regular network, which in the worst case scenario can result in ransomware attacks infecting backups and rendering them useless. Ransomware is constantly getting smarter – if an attack can access your backups it has the potential to seriously damage your data integrity.
Ensure your backups are fully encrypted both in flight and at rest, and make absolutely certain that there is sufficient segregation between your production and backup environments. If your production data is infected with ransomware and the infection cross-contaminates into your backup environment, you may have to throw ethics and best practices to the wind and engage with your attackers – a scenario I would advise avoiding at all costs.
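The two backup requirements above (encryption in flight and at rest, and segregation from the production network) can be checked mechanically against whatever your backup tooling exports. The following Python script is an added illustration, not code from the article or from Six Degrees; the network ranges, job definitions and field names (target_ip, encrypt_in_transit, encrypt_at_rest) are constructed for the example and would be replaced by your own inventory data.

```python
import ipaddress

# Constructed network plan: where production hosts live and where the
# dedicated, segregated backup environment lives (hypothetical ranges).
PRODUCTION_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]
BACKUP_SEGMENTS = [ipaddress.ip_network("10.250.0.0/24")]

# Constructed backup job definitions with hypothetical field names.
BACKUP_JOBS = [
    # A backup target sitting on the same segment as the file servers it
    # protects, with no encryption: the pattern the article warns about.
    {"name": "fileshare-nightly", "target_ip": "10.10.5.20",
     "encrypt_in_transit": False, "encrypt_at_rest": False},
    # Segregated target, encrypted end to end.
    {"name": "db-hourly", "target_ip": "10.250.0.15",
     "encrypt_in_transit": True, "encrypt_at_rest": True},
    # Segregated and encrypted in flight, but stored in clear.
    {"name": "mail-weekly", "target_ip": "10.250.0.16",
     "encrypt_in_transit": True, "encrypt_at_rest": False},
]


def segments_overlap(production, backup):
    """True if any production range overlaps any backup range.

    An overlapping plan means 'segregation' exists only on paper.
    """
    return any(p.overlaps(b) for p in production for b in backup)


def audit_job(job, production=PRODUCTION_SEGMENTS, backup=BACKUP_SEGMENTS):
    """Return a list of findings for one backup job (empty list = clean)."""
    findings = []
    target = ipaddress.ip_address(job["target_ip"])

    # Segregation: the backup target must not be reachable as just another
    # host on the production network, and must sit in the designated range.
    if any(target in seg for seg in production):
        findings.append("backup target sits inside a production segment")
    elif not any(target in seg for seg in backup):
        findings.append("backup target is outside the designated backup segment")

    # Encryption in flight and at rest, as the article requires.
    if not job.get("encrypt_in_transit"):
        findings.append("backup traffic is not encrypted in flight")
    if not job.get("encrypt_at_rest"):
        findings.append("backup data is not encrypted at rest")
    return findings


def audit_all(jobs=BACKUP_JOBS, production=PRODUCTION_SEGMENTS,
              backup=BACKUP_SEGMENTS):
    """Audit every job; returns {job name: [findings]}."""
    return {job["name"]: audit_job(job, production, backup) for job in jobs}


if __name__ == "__main__":
    if segments_overlap(PRODUCTION_SEGMENTS, BACKUP_SEGMENTS):
        print("network plan: production and backup ranges overlap")
    for name, findings in audit_all().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the script as written flags the fileshare-nightly job three times and the mail-weekly job once, while db-hourly passes. In practice the job list would be generated from your backup platform's configuration export and the address ranges from your network documentation, and the audit would run on a schedule so that a backup target quietly re-homed onto the production network is caught before it matters.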
The importance of data protection
Effective data protection requires a holistic view of your organization’s people, processes and systems. These are just two areas for consideration – there are many more. Take the right steps and you will significantly enhance your cyber security maturity and reduce organizational risks. Leave any gaps, however, and cybercriminals will be sure to attempt to exploit them. Just ask Travelex and Dixons Carphone…
Whilst protecting your data by assessing your people, processes and systems may sound a little too much like boiling the ocean, it needn’t be intimidating. By carrying out a cyber security maturity assessment, you can establish your organization’s risk posture and create an action plan to address any weaknesses that are uncovered. In this way you can ensure your data’s confidentiality, integrity and availability are protected, enabling you to maintain your clients’ trust and preventing you from becoming a terrible lesson for other organizations to learn from.
The author
Andy Swift is Head of Offensive Security at Six Degrees, a leading secure cloud-led managed service provider that works as a collaborative technology partner to organizations making a digital transition.