In the modern digital landscape, where the cloud is so widely adopted, it is vital to secure your organisation’s infrastructure and take proactive measures to strengthen your cybersecurity posture.
1. Enable Multi-Factor Authentication (MFA)
Today we expect to be able to access data anytime, from anywhere, on any device. The modern workforce lives in a world without boundaries, where employees access applications in the cloud or on premise, using all kinds of devices. Users are not just employees, but also business partners, third party suppliers and customers, all of whom sometimes need on-demand access to software and data.
The biggest challenge for organisations is finding a solution that provides a perfect balance between data security and accessibility. Simple password protection is not strong enough for this purpose, given poor password discipline, password-cracking programs and social engineering.
You need to ensure that those accessing your IT infrastructure are legitimate users. This is where Multi-Factor Authentication comes into play, ensuring that at least two levels of authentication exist to validate a legitimate user.
It’s very worrying just how many organisations still have not implemented this. MFA is the most fundamental step in securing your IT environment. Even if passwords are compromised, unauthorised access by malicious actors is significantly more difficult to achieve.
2. Implement Access Control Systems
An effective security solution should include access control systems. Network access control (NAC) detects all devices on the network and provides full visibility into those devices. NAC systems allow organisations to define network access rules based on specific conditions, so that only trusted devices and users with appropriate permissions can access your organisation’s data.
The software prevents unauthorised users from entering the network and reduces the risk of unauthorised access, data breaches and the spread of malware or other malicious activity. It also enforces policies on endpoints to ensure devices comply with network security policies.
The primary users for NAC systems are larger enterprise organisations, due to their greater number of employees and the need to grant access to contractors, visitors and third party suppliers. However, there is also an increase in demand in the SME market, largely driven by reports of breaches and the potential reputational and financial damage that cyberattacks can cause.
BYOD and IoT threats
Use of NAC systems is increasing, thanks to the growth in BYOD and IoT devices, and the integration of NAC technology into mobile device management, next-generation firewalls and threat detection products. As the line between personal and professional time blurs, end users are demanding to use not just company-owned devices, such as smartphones, tablets and laptops, but also personal devices for business.
Mobile devices are increasingly being targeted by criminals, and apps containing malware have become a popular attack vector. Personal devices generally do not have enterprise-level MDM (Mobile Device Management) and anti-virus products installed. Users quite commonly install apps that appear to be genuine, but may actually perform actions that compromise the security of the device, which could lead to threats or ransomware infections. The more devices that connect, the greater the risk of the network becoming compromised.
By controlling and monitoring access to the network, NAC reduces the attack risk by limiting the number of potential entry points for attackers, making it more difficult for threats to infiltrate the network.
Delivering network access on a granular level
Any device that connects to the network has to be authorised, giving organisations full control over their remote estate. One of the major advantages of a NAC solution is its ability to deliver network access on a granular basis. It can be integrated with Active Directory controls to provide network access only to areas of the network that allow the particular owner of the device to perform their job role.
At Securus, we work with a number of vendors – predominantly Fortinet – who can provide flexible, scalable and robust access control, either as a standalone system or multi-site solution.
Their solution, FortiNAC, provides protection against IoT threats, extends control to third-party network devices and orchestrates automatic response to a wide range of network events. It is a natural extension of ‘zero trust’: by default, nothing is trusted. It has a wide range of powerful features that make managing network access easier and quicker. When Securus is the incumbent WAN provider, the NAC implementation, FortiNAC, becomes a natural extension of the network solution.
Choosing to implement a NAC solution can drastically improve an organisation’s network security posture. However, it’s wise to take into account that implementing NAC not only requires upfront expenditure, it also entails ongoing investment in the form of additional licenses, training, monitoring and interpretation of alerts, then responding to them in a timely manner.
3. Use Privileged Identity Management
There are many roles within business that have powerful privileges, and which can have dangerous consequences in the wrong hands.
Organisations need to minimise the number of people who have access to secure or confidential information or resources, because it will reduce the chance of a malicious actor getting access or an authorised user inadvertently impacting a sensitive resource.
Roles such as global administrators should be kept to an absolute minimum, and wherever possible, privileged admin roles should not be permanently assigned to your users.
Privileged Identity Management (PIM) focuses on resource management and on defining which roles or attributes determine whether a user gains access to particular resources, for example determining which resources a new employee needs access to during onboarding.
PIM allows your organisation to reduce the risk of your privileged admin roles becoming compromised by making users eligible to activate the roles for short periods of time when they need elevated access on a just-in-time basis. To find out more, just ask one of our Securus IT experts for advice.
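The just-in-time model described above can be sketched as a small role store in which users hold eligibility rather than standing roles. This is an added example, not Securus or vendor code: the class and function names, the four-hour ceiling, the MFA check at activation and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=4)  # assumed policy ceiling for one activation

@dataclass
class JitRoleStore:
    """Toy just-in-time role model: users hold eligibility, not standing roles."""
    eligible: set = field(default_factory=set)   # (user, role) pairs
    active: dict = field(default_factory=dict)   # (user, role) -> expiry time
    audit: list = field(default_factory=list)    # (time, user, role, event)

    def activate(self, user, role, duration, mfa_passed, now):
        key = (user, role)
        if key not in self.eligible:
            outcome = "denied:not-eligible"
        elif not mfa_passed:                      # assumed: MFA re-check on elevation
            outcome = "denied:mfa-required"
        elif duration <= timedelta(0) or duration > MAX_ACTIVATION:
            outcome = "denied:duration-out-of-policy"
        else:
            self.active[key] = now + duration
            outcome = "activated"
        self.audit.append((now, user, role, outcome))
        return outcome == "activated"

    def has_role(self, user, role, now):
        """Authorisation check: expired activations are dropped, never honoured."""
        expiry = self.active.get((user, role))
        if expiry is not None and now >= expiry:
            del self.active[(user, role)]
            self.audit.append((now, user, role, "expired"))
            expiry = None
        return expiry is not None

def demo():
    """Constructed scenario: alice is eligible for Global Administrator, bob is not."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    role = "Global Administrator"
    store = JitRoleStore(eligible={("alice", role)})
    results = [
        store.has_role("alice", role, t0),                       # no standing access
        store.activate("bob", role, timedelta(hours=1), True, t0),
        store.activate("alice", role, timedelta(hours=1), False, t0),
        store.activate("alice", role, timedelta(hours=1), True, t0),
        store.has_role("alice", role, t0 + timedelta(minutes=30)),
        store.has_role("alice", role, t0 + timedelta(hours=1)),  # activation lapsed
    ]
    return results, [entry[3] for entry in store.audit]
```

The audit list is the part to review in practice: every denied request and every expiry is recorded alongside successful activations.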
4. User education and awareness is key
The importance of the human factor in relation to cybersecurity should not be underestimated, and it’s crucial to promote user awareness throughout your organisation.
The costs associated with data breaches can have a devastating impact, not just to your business, but also to your customers, who can potentially lose their personal data and money.
A penetration test, also known as a ‘pen test’, is a simulated cyberattack against your organisation’s system. The objective of a pen test is to identify vulnerabilities within an organisation, and to understand the impact of those vulnerabilities on your technology, people and processes. In order to protect your business and your customers, you need to understand the issues that may be uncovered during a pen test, and know how to resolve them to help mitigate those risks.
Simulated phishing attacks
Testing the humans in your system is the priority as 91% of all attacks begin with a phishing email to an unsuspecting victim. Phishing attacks are innocent-looking emails, pop-ups, adverts or company communications that tempt you to click so they can install spyware, viruses and other malware on your computer or phone.
Securus works with its partners to simulate phishing attacks, testing our customers’ cyber protection response and assessing their response behaviour by sending emails that mimic fraudulent, malicious messages to their employees.
Simulated phishing emails teach staff how to spot a phishing attack so that they are less likely to fall victim to a real one by clicking on a malicious attachment or URL. They help employees recognise, avoid and report potential threats that can compromise critical business data and systems, including phishing, malware, ransomware and spyware.
It is vital to educate your users, and to try to make sure each member of staff receives a phishing simulation at least once a quarter to help track risk and keep the organisation’s security hygiene at the forefront.
There are many more social engineering techniques, which Securus talks about here. All of these social engineering techniques exploit fundamental human decision-making and cognitive biases.
Recognising these common social engineering techniques is the first step in strengthening your security systems and preventing data breaches. By training your employees on how to handle potential threats, you will ensure you are employing the best defence possible.
5. Understand that data is your most precious asset
All too often, organisations will focus on protecting their apps and devices. However, data is the linchpin of any business, and it is your data that cybercriminals focus on when they launch an attack. Data is gold dust to an attacker: they can sell it, ransom it and once they have access to it, your organisation is at risk of loss of productivity and reputational damage.
Having an effective data protection strategy is crucial, and will help you to not only protect and govern your data, but also prevent data loss. The 2018 UK Data Protection Act regulates how businesses, governments or other organisations use personal information. It is the UK’s implementation of the General Data Protection Regulation (GDPR).
As per the Data Protection Act, businesses responsible for using personal data must follow strict rules, called data protection principles. Those principles include ensuring that information is:
- Used lawfully, fairly, and transparently
- Used for specified purposes
- Used in a way that is limited to only what is necessary
- Accurate and up to date
- Kept for only as long as necessary
- Handled with appropriate security and protected against unauthorised processing, access, loss, or damage
According to the International Data Corporation (IDC), 70% of all successful data breaches begin at an endpoint. The endpoints, or outer perimeters of an organisation’s network, have increased over the last few years as the mobile workforce has grown.
Two leading endpoint security technology categories are Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR). EPP is an integrated security solution that detects and blocks threats at the endpoint device level, combining antivirus, anti-malware, personal firewalls, VPN data encryption, and Data Loss Prevention (DLP). Endpoint protection is a critical security element for all endpoints, including computers, laptops, smartphones, and IoT devices.
EPP and EDR technologies are often bundled together as one system; however, there are differences between them. EPP solutions identify signatures and other attributes that notify IT security of a threat, whereas EDR adds an extra layer by employing threat hunting tools that detect behaviour-based endpoint threats. As an enhancement to endpoint security, EDR integrates continuous real-time monitoring with endpoint data collection, rules-based automated response and analysis functions. It detects suspicious activities and investigates them on both hosts and endpoints. EPP and EDR each depend on the other’s functionality. Combined, they create a holistic, comprehensive endpoint security solution.
The next five years are likely to see a continued focus on data protection and privacy as organisations seek to secure their data from ongoing cyberthreats and comply with stricter data privacy regulations. By year-end 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations.
Please get in touch with the Securus cybersecurity experts to discuss any of the subjects touched on in this article and find out how we can help you.
You can call us on 03451 283457.