What does ‘perimeter’ mean these days? With mobile application access, remote working, employee use of cloud-based information sharing and other activities taking place beyond the corporate boundary, many organisations struggle to determine where this perimeter actually lies. As these use cases grow, securing perimeters is becoming an even bigger issue to contend with.
However, with sophisticated cyber-attacks so plentiful, many corporations are losing faith in perimeter security altogether. A recent Gemalto study found that 97 per cent of UK companies feel that their perimeter security systems are ineffective at keeping unauthorised users out of their network.
Perimeter security incorporates an extensive set of systems, from firewalls to content filtering and anomaly detection. These measures may look robust, but in isolation they are not enough, and a strategy that focuses exclusively on the corporate boundary is ineffective. With vast legacy infrastructures in play at organisations nationwide, perimeter security raises budget, legal and HR hurdles for CSOs to overcome, and it is imperative that business leaders come together to protect the organisation.
The gap between that belief and reality is stark: just seven per cent of UK businesses are confident that their data would be secure if their perimeter were breached. To close that gap, organisations must look beyond perimeter security and do what matters most: protect the data itself. That data is the business's intellectual property (IP), after all.
One factor behind this is 'breach acceptance'. Security teams are following security vendors' lead in a fundamental shift of mentality from 'breach prevention' to 'breach acceptance': they assume a breach is inevitable and, rather than spending all their effort on keeping attackers out of the network, they focus on strategies that protect important data once an attacker is in. The assumption is well founded. Attackers are more capable than ever and will try every avenue into corporate networks, and according to the UK Government, two-thirds of large UK businesses were hit by a cyber-breach or attack in the past year.
That number is only increasing, driven by the accelerating number of connected devices and the data they create. Every device connected to a corporate network is an entry point that an attacker can abuse to reach valuable data, and as the number of connected devices grows, whether smartphones, tablets or IoT devices, so does the attack surface.
It’s therefore imperative that a bigger focus is placed on the data that organisations are trying to protect rather than the networking infrastructure used to transport it. But what can companies do to keep data protected?
Encryption is key
Many high-profile breaches of the last two years have had damaging consequences for the company affected, and in each case the damage came from customer data that was not encrypted. Look at the recent Three mobile hack: attackers gained access to customer data and used it to fraudulently claim over 400 high-value handsets. Had that data been encrypted, with the keys kept out of reach of the access path the attackers abused, the stolen records would have been of little use to them, and the company and its customers would have been far better protected.
Encryption is the top priority because when a company's perimeter is breached, the data the attackers reach is unreadable. Attackers have no use for it, and it has no resale value on the dark web if it cannot be deciphered. Encryption must therefore be built into every stage of the organisation, across networks and the cloud, as part of a complete solution that protects the data wherever it is stored or transmitted.
However, encryption is only as good as the key management behind it. If attackers obtain the key, the data might as well never have been encrypted. A good place to start is to keep encryption keys inside dedicated hardware (a hardware security module or similar) that performs cryptographic operations without ever releasing the key, rather than leaving keys alongside the data in software; key generation, rotation, access control and revocation then need the same attention as the encryption itself.
Artificial Intelligence is already being applied to encryption: Google Brain researchers have trained neural networks that devised their own encryption scheme to keep messages from a third, eavesdropping network. Results like that are research experiments rather than replacements for vetted ciphers, but the encryption space will see interesting developments for years to come.
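To make the key-management point concrete, the Go program below is an added example written for this page; it is not Gemalto's code or anything from the article. It implements envelope encryption: each record is encrypted under its own data key with AES-GCM, only a wrapped copy of that data key is stored beside the ciphertext, and the key-encryption key never leaves a KeyHolder that stands in for an HSM or cloud KMS. The KeyHolder type, the Record layout, the "dek-v1" label and the sample plaintext are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyHolder stands in for the hardware boundary (HSM, TPM or cloud KMS) that holds
// the key-encryption key (KEK). Callers can only ask it to wrap and unwrap data
// keys and never receive the KEK. It is a software stand-in for illustration only.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() (*KeyHolder, error) {
	kek := make([]byte, 32) // AES-256 key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, wrong aad or any altered byte is an error.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (h *KeyHolder) Wrap(dek []byte) ([]byte, error)       { return sealGCM(h.kek, dek, []byte("dek-v1")) }
func (h *KeyHolder) Unwrap(wrapped []byte) ([]byte, error) { return openGCM(h.kek, wrapped, []byte("dek-v1")) }

// Record is what the database stores: ciphertext plus the wrapped data key.
// A dump of every Record is worthless without the KEK inside the KeyHolder.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptRecord makes a fresh per-record data key (DEK), encrypts under it with the
// record ID as AAD (so a ciphertext cannot be moved between records) and stores the DEK only wrapped.
func EncryptRecord(h *KeyHolder, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wk, err := h.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Ciphertext: ct, WrappedKey: wk}, nil
}

// DecryptRecord must unwrap the DEK through the KeyHolder before reading anything.
func DecryptRecord(h *KeyHolder, r Record) ([]byte, error) {
	dek, err := h.Unwrap(r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	h, _ := NewKeyHolder()
	rec, _ := EncryptRecord(h, "customer-42", []byte("07700 900123, upgrade eligible")) // constructed sample
	pt, _ := DecryptRecord(h, rec)
	thief, _ := NewKeyHolder() // copied the database but holds a different KEK
	_, err := DecryptRecord(thief, rec)
	fmt.Printf("with key holder: %s\nwithout key holder: %v\n", pt, err)
}
```

The check a practitioner wants is the second decryption: a copy of the database, wrapped keys included, fails to decrypt under any KeyHolder but the one that wrapped the keys, so the stolen ciphertext is the "illegible" data the article describes. In production the Wrap and Unwrap calls go to real hardware or a KMS API (PKCS#11, or a cloud key-management service), per-record data keys limit the blast radius of any single key exposure, and rotating the KEK means re-wrapping the small data keys rather than re-encrypting every record.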
No password is secure
Believe it or not, the most commonly used passwords are still '123456', 'password' and 'qwerty'. Passwords like these are cracked instantly, but even the most complex password is not enough on its own: it can be phished, reused across services, or exposed in bulk when another site is breached. Put simply, there is no such thing as a safe password, and every one carries a risk of compromise. Organisations must therefore add other methods of authenticating their users.
Today, organisations have a variety of ways to authenticate a user. Biometric authentication, including voice recognition, finger-vein technology and iris scanners, is robust against guessing, though a biometric cannot be changed if its template is stolen, so it belongs alongside other factors rather than in place of them. Simpler measures can also be implemented, such as two-factor authentication where users are verified by a text message to their mobile or a code sent to an email address. Those channels are the weakest forms of a second factor, since a SIM swap or a compromised mailbox defeats them, so authenticator apps or hardware tokens are preferable where an organisation can deploy them.
With identity and access so critical, what matters most is that organisations adopt a holistic security strategy with multiple layers of protection, and two-factor authentication is one such layer: a stolen password alone no longer opens the door. Gemalto's research found that two-thirds of IT professionals believe unauthorised users can access their networks; a multi-layered approach to identity management should drive that number down sharply in 2017.
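The Go program below is an added example for this page, not Gemalto's code, and it shows the layered check in working form. It goes beyond the text-message and email codes mentioned above to app-based time-based one-time passwords (RFC 6238), where no code travels over a channel that can be hijacked. It refuses the three passwords named above (the deny list is a stand-in for a real one), verifies a one-time code in constant time with a one-step clock-skew window, and records the last accepted time step so an intercepted code cannot be replayed. The Verifier type and PasswordAllowed are constructed for illustration; the secret in main is RFC 6238's own test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// The three passwords named above; a real deny list is far larger (for
// example, the published corpora of passwords seen in breaches).
var denyList = map[string]bool{"123456": true, "password": true, "qwerty": true}

// PasswordAllowed is the first layer, applied when a password is set: it refuses
// the weakest choices outright. It is a floor, not a guarantee, which is why
// the second factor below is mandatory.
func PasswordAllowed(pw string) bool {
	return len(pw) >= 12 && !denyList[strings.ToLower(pw)]
}

// totp computes an RFC 6238 time-based one-time code (HMAC-SHA1, 30-second
// step) for the given Unix time. Server and authenticator app share the
// secret; nothing is sent over SMS or e-mail.
func totp(secret []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f) // RFC 4226 dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Verifier holds one user's second-factor state. lastStep is the newest time
// step whose code was accepted, so a code captured by phishing or shoulder
// surfing cannot be replayed inside the skew window.
type Verifier struct {
	secret   []byte
	lastStep int64
}

// Check accepts a six-digit code for the current step or up to skew steps
// either side (tolerating clock drift), compares in constant time, and burns
// the step on success.
func (v *Verifier) Check(code string, now time.Time, skew int) bool {
	for d := -skew; d <= skew; d++ {
		t := now.Unix() + int64(d)*30
		if t < 0 || t/30 <= v.lastStep {
			continue // before the epoch, or a step already used (or older)
		}
		if subtle.ConstantTimeCompare([]byte(totp(v.secret, t, 6)), []byte(code)) == 1 {
			v.lastStep = t / 30
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238's test secret, used here only to make the output reproducible.
	v := &Verifier{secret: []byte("12345678901234567890")}
	now := time.Unix(1111111109, 0)
	code := totp(v.secret, now.Unix(), 6)
	fmt.Println("code:", code, "first use:", v.Check(code, now, 1), "replay:", v.Check(code, now, 1))
	fmt.Println("password 'qwerty' allowed:", PasswordAllowed("qwerty"))
}
```

Two design points matter more than the arithmetic. The comparison uses crypto/subtle so that response time does not leak how many digits matched, and the replay guard is what turns "something you have" into a real second layer: a code that an attacker phished thirty seconds ago is rejected even though it is still inside the skew window. A production deployment would also rate-limit failed attempts per user, since a six-digit code is guessable if the attacker gets unlimited tries.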
Securing the weakest link
As the recent high-profile breaches confirm, organisations are too reliant on perimeter security. 'Doing things as they have always been done' is no longer workable; there are simply too many gaps in the periphery for this approach to remain viable.
A report from BI Intelligence put the average cost of a data breach at $3.79 million. With commercial consequences this damaging, securing company data is not just the IT department's responsibility. A business's security is only as good as its weakest link, so the task today is to educate stakeholders and boardrooms about the importance of keeping data protected, so that they will fund and roll out a multi-layered approach to security.
Few companies have yet been put out of business outright by a cyber-attack, but that does not mean it is off the cards for 2017. Looking beyond perimeter security is imperative for every organisation, and if the whole company is not on board with protecting its data and IP, it may one day go to market and find there is no business left to sell.
Jason Hart, CTO Data Protection, Gemalto