
It’s fair to say that businesses have never been under more pressure to protect the data they hold. From the introduction of the GDPR in 2018, to the stratospheric rise in cybercrime observed during the covid pandemic, numerous events in recent years have thrown data protection into sharp focus and made businesses mindful of the risks they face in terms of data security.
The 2022 Cyber Security Breaches Survey – published by the National Cyber Security Centre – painted a worrying picture. It found that roughly two fifths of UK businesses reported a cyber-attack in the 12-month survey period, and of those, almost a third reported experiencing attacks at least weekly. The survey also found that the average cost of materially damaging cyber-attacks was £4,200, with this figure rising to £19,400 for medium to large businesses. Unfortunately, the bad news doesn’t end there, with many experts predicting a worsening cyber security picture over the coming years. Cybersecurity Ventures, for example, expects cybercrime to cost the global economy $10.5 trillion in 2025, up from $6 trillion in 2021.
Fortunately, data security risks can be managed, and many statistics – particularly those relating to the cost of cybercrime – include organisations that have made little effort to safeguard their data from online threats. With a comprehensive, considered approach to data protection, you can stop your business becoming a cybercrime statistic, but we know that approaching the unwieldy topic of data security can be a daunting prospect. To help, we’ve assembled a list of the top data protection measures you should be implementing to defend your business’s sensitive information in 2023 and beyond. Let’s begin!
Identity and Access Management (IAM)
Identity and access management refers to the controls, policies and practices that manage digital identities and allow access to resources to be controlled in a way that minimises risk. To create a robust IAM strategy there are a number of key practices and controls you should undertake to ensure that your data is only accessible to authorised, authenticated individuals:
Multi-Factor Authentication. Traditional username/password combinations no longer cut it when it comes to authentication, particularly in the age of remote work. Multi-factor authentication works by including the submission of a piece of information that only the authorised user would be able to provide. This might be biometric data (fingerprints or a face scan), a code sent to a user-registered device or account, the answer to a question that only the intended user would know (security questions) or location data.
The Principle of Least Privilege. This is a risk mitigation measure that seeks to limit access to data and resources on a strictly as-needed basis. By restricting a user account’s ability to change settings, download files and access sensitive information, you reduce the scope for network-wide harm should that account be compromised by a bad actor. This practice also reduces the chance of data being inadvertently modified or deleted by someone who shouldn’t have access, and minimises the risk associated with insider threats. Role-based access control (RBAC) is a common way to implement the principle of least privilege: access is granted on the basis of an individual’s position and job role within a company.
Establish a strong password policy. Where multi-factor authentication is not available or unworkable, you should urge users to set strong, unique passwords that are hard to guess but easy to remember. Avoid predictable number sequences and words or phrases that have an obvious link to your business, and ensure that passwords are never written down. You should also encourage users to change passwords on a regular basis, and consider undertaking a regular audit of login credentials to ensure passwords continue to meet the required standard.
Use Identity and Access Management tools. IAM tools make it easy to extend and withdraw resource access, enforce multi-factor authentication and conditional access, and generally keep on top of identity and access governance. For Microsoft users, Azure Active Directory is the obvious choice, but there are many other third-party options available for as little as a few pounds per user per month.
Cyber Threat Mitigation
Cyber criminals are often mischaracterised as computer geniuses who spend hours brute-force hacking their way into corporate server systems, with their focus on an eye-watering ransom payment. While this may be accurate for a select few, the majority have a far more basic modus operandi, often using opportunistic hacks, basic acts of deception and pre-made malware that is readily available on the dark web. While nothing can make a computer network completely impervious to cybercrime, a range of security controls, when used in unison, can be effective at thwarting the majority of these opportunistic, low-sophistication threats. For robust protection, make sure your network features the following:
Firewall Protections. Firewalls are security instruments that control traffic flowing into and out of a network in accordance with a set of user-determined rules. The goal of a firewall is to prevent users inadvertently straying into untrusted, potentially dangerous corners of the internet where malware and criminal activity are more likely to be found.
Firewalls can come in the form of physical devices or software. Network perimeter firewalls, for example, can take the form of a physical appliance that operates at the edge of a network, whereas host-level firewalls designed to protect devices such as servers or desktops take the form of software. Firewalls can also be implemented to protect cloud-hosted resources, and they can even be configured to manage traffic flowing within a network. For maximum protection, ensure your business premises are protected by a network perimeter firewall, and install software firewalls on any work devices likely to be used within this trusted network.
Maintain Software Rigorously. Following the release of software programmes, developers become aware of defects in their code, some of which present as security vulnerabilities. To correct these issues, the developers release fixes known as ‘patches,’ which customers are required to install to maintain the integrity of the programme. These fixes should be installed as soon as they become available, and ‘auto update’ features should be activated where available. This minimises the window of opportunity available to cyber criminals seeking to exploit these security loopholes and thus helps mitigate risks to your data.
Sadly, some software vulnerabilities become known to hackers before vendors have identified them and made an update available. Known as ‘zero day’ vulnerabilities, these present an open window through which a cyber-criminal can launch an attack, making it vitally important to deploy a range of security measures as part of a multi-layered security strategy in order to reduce your overall risk profile.
Use Endpoint Detection and Response Solutions. Ultimately, you want to do everything in your power to keep the bad guys from infiltrating your network, but if they manage to evade your defences it’s important to be prepared. Endpoint detection and response refers to security platforms that combine real-time threat monitoring across a network of endpoint devices with automated response and security event analysis capabilities. Modern iterations of such solutions often combine signature-based threat detection with more advanced techniques, such as AI-powered behavioural analysis capable of detecting network activity that might signal an imminent attack.
Email Security
Estimates vary, but some reports suggest as many as 91% of cyber-attacks begin as email-borne threats. Email-based threats can be difficult to counter, as attackers use numerous techniques to evade detection by conventional measures, and social media profiles provide a wealth of information for scammers to use to impersonate trusted individuals. Guarding against email-based threats therefore requires a multi-pronged approach that incorporates email-specific technical measures, employee awareness/training and some of the more general security measures we’ve already discussed.
Email filters won’t completely eliminate your email security challenges, but they will reduce the volume of pernicious emails reaching your employees’ inboxes. Next-generation email security solutions are particularly effective, often combining machine-learning behavioural analytics with signature-based detection for greater results than traditional filtering tools. Some even feature ‘sandboxing,’ which executes untrusted email attachments in a safe, isolated environment to prevent potentially malicious programmes wreaking system-wide havoc. In addition to the obvious security benefits, email filters have the added benefit of reducing the amount of spam your employees will have to contend with.
Email Threat Awareness is a vital line of defence when it comes to countering email security threats, as more sophisticated attackers know how to evade detection by even the best filters. Educate your staff on the coercive techniques email phishing scammers use and encourage employees to carefully inspect the headers of emails from suspicious or unexpected senders: scammers often use a technique called ‘spoofing,’ which alters the ‘sender’ field of an email so that it appears to originate from a trusted source. You may even want to consider investing in email security awareness training. Often provided via online learning platforms, such training will familiarise your team with the hallmarks of email-based threats, and often features phishing simulation exercises to test the ability of staff to detect rogue correspondence.
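The header inspection described above, worked through as an added example that is not part of the original article: a small triage helper that flags the sender-field mismatches which commonly accompany spoofing. The two messages, their addresses and domains are constructed samples, and the Authentication-Results check assumes the receiving mail server appends that header.

```python
# Added example (not from the original article): inspect raw email headers for
# sender-field mismatches that commonly accompany spoofing. Sample messages,
# addresses and domains below are constructed placeholders.
from email import message_from_bytes
from email.utils import parseaddr

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()

def spoof_indicators(raw: bytes) -> list[str]:
    """Return human-readable warnings; an empty list means no indicator fired."""
    msg = message_from_bytes(raw)
    warnings = []
    from_hdr = msg.get("From", "")
    display, address = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    # 1. Display name that is itself an address at a different domain, so the
    #    trusted-looking name hides the real sending address.
    if "@" in display and domain_of(display) != from_dom:
        warnings.append(f"display name '{display}' hides real sender '{address}'")
    # 2. Replies would go to a domain other than the apparent sender's.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # 3. Envelope sender (Return-Path) at a different domain from the From header.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")
    # 4. The receiving server recorded an SPF or DKIM failure (if it adds this header).
    auth = (msg.get("Authentication-Results", "") or "").lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=fail" in auth:
            warnings.append(f"{mech.upper()} failed according to Authentication-Results")
    return warnings

# Constructed sample: an "invoice" whose display name impersonates the accounts team.
SPOOFED = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net
From: "accounts@example.com" <x7q2@freemail.example.org>
Reply-To: <x7q2@freemail.example.org>
To: <staff@example.com>
Subject: Urgent invoice

Please pay the attached invoice today.
"""
# Constructed sample: a legitimate message where every sender field agrees.
LEGIT = b"""Return-Path: <accounts@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: "Accounts Team" <accounts@example.com>
To: <staff@example.com>
Subject: Monthly statement

Attached is your statement.
"""
```

Running `spoof_indicators(SPOOFED)` yields three warnings (display-name mismatch, Return-Path mismatch, SPF failure) and `spoof_indicators(LEGIT)` yields none; a mismatch is a prompt to verify the sender out of band, not proof of fraud on its own.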
Business Continuity and Disaster Recovery
Often abbreviated to BCDR, business continuity and disaster recovery is a field of business planning that focuses on post-incident recovery following a disruptive or disastrous incident. A sound BCDR strategy consists of a number of key elements:
A Plan. A business continuity and disaster recovery plan should seek to enable a swift recovery, and feature efforts to minimise the impact of a disruptive event on staff, customers, profitability and data integrity. The plan should comprise a number of physical documents, each relating to a business department or business activity. Each document should list its scope (the people, processes and infrastructure it makes provisions for), its actors (those individuals tasked with undertaking the recovery process) and any backup services, contingency systems or third-party providers to be called upon for assistance.
A Reliable Backup Solution. A reliable data backup solution that extends across all your business-critical data assets is a critical component of BCDR. Using the 3-2-1 backup principle to guide the deployment of your backup is a good place to start. It advises that 3 copies of data should be held – one of which can be the origin copy. It recommends two separate storage media – common options include tape, hard disk drives, network attached storage and cloud storage. And it advocates backing up data to at least one offsite location, to aid data recoverability in the event that the main backup location becomes inoperable. A good data backup service will feature automation that allows the backup to be performed to a regular schedule, encryption to protect data in transit, and intuitive data discoverability features to allow for the easy retrieval of individual files and folders.
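The 3-2-1 principle described above, turned into an audit routine as an added example that is not part of the original article: it checks an inventory of backup copies for three copies, two media and one offsite location, and also flags stale or unencrypted offsite copies, reflecting the article's points on scheduling and transit encryption. The inventory format, the sample entries and the 24-hour freshness threshold are constructed assumptions.

```python
# Added example (not from the original article): audit a backup inventory
# against the 3-2-1 rule, plus freshness and transit-encryption checks. The
# record format, sample entries and 24h threshold are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str                    # label, e.g. "nightly image"
    media: str                   # storage medium: "disk", "tape", "nas", "cloud", ...
    site: str                    # where this copy physically lives
    hours_since_success: float   # age of the most recent successful backup run
    encrypted_in_transit: bool = True

def audit_backups(copies, primary_site, max_age_hours=24.0):
    """Return a list of findings; an empty list means the inventory complies.

    The live (origin) copy counts as one of the three, as the article notes,
    so an offsite copy must live somewhere other than the primary site."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies held; the rule calls for 3")
    media = {c.media.lower() for c in copies}
    if len(media) < 2:
        findings.append("copies do not span 2 different storage media")
    if not any(c.site != primary_site for c in copies):
        findings.append("no copy is held at a site other than the primary one")
    for c in copies:
        if c.site != primary_site and not c.encrypted_in_transit:
            findings.append(f"{c.name}: offsite copy is transferred without encryption")
        if c.hours_since_success > max_age_hours:
            findings.append(f"{c.name}: last successful backup {c.hours_since_success:.0f}h ago")
    return findings

# Constructed inventories: one that breaks every part of the rule, one that meets it.
WEAK = [
    BackupCopy("live file server", "disk", "head office", 0.0),
    BackupCopy("nightly image", "disk", "head office", 60.0),
]
GOOD = [
    BackupCopy("live file server", "disk", "head office", 0.0),
    BackupCopy("nightly image", "nas", "head office", 6.0),
    BackupCopy("cloud replica", "cloud", "cloud-region-placeholder", 6.0),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, audit_backups(inv, "head office") or ["compliant"])
```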
Information Security Policies
In addition to a raft of technical measures to keep data safe, it’s important to lay the groundwork for cyber security best practice by establishing information security policies. Designed to ensure consistency of procedure and a culture of data protection accountability, these policies should cover a number of key areas, with specific attention paid to activities that might place data at heightened risk of compromise. Ensure your information security policies cover the following key areas:
Acceptable use. An acceptable use policy should outline the behaviour and practices expected of employees in relation to handling company information, accessing network resources and using work devices. Your acceptable use policy should seek to enforce password best practice, prohibit the use of unsanctioned devices for work purposes, prohibit the downloading of unauthorised files onto work devices and discourage or prohibit discussion of work-related topics on social media. For the most serious offences (whatever you deem those to be) the acceptable use policy should outline the consequences of violation.
Data Classification. Depending on the nature of your business, you might want to create an information security policy document that outlines how different data types should be classified. It should also detail how each data class should be handled, stored and transmitted, with consideration given to the sensitivity of each type and the likely impact that would result from loss or compromise.
Security Training and Awareness. It can be beneficial to establish an information security policy that adds structure to the delivery of cyber security awareness training. It should include details of training milestones employees are required to achieve, as well as roles or responsibilities that require staff to have undergone an applicable security training programme.
Conclusion
A lax approach to data security could see your business’s reputation ruined, legal action pursued against you by affected parties and the issuance of substantial fines by the Information Commissioner’s Office for GDPR non-compliance. By undertaking the measures outlined in this article as part of a wider, multi-layered security strategy, you’ll be well on your way to defending your business from the cyber crooks and protecting the interests of you, your team and your clients and partners.
We are Blucando, the Southeast’s Premier IT Support Provider
From our base in Farnborough, Hampshire; we are a full-suite IT provider offering technology support, management and consultancy to businesses across Surrey, Hampshire, London and the wider southeast region. We pride ourselves on delivering robust, dependable IT systems our clients can rely on, coupled with strategic guidance that helps unlock business potential through technology. Get in touch today to find out how Blucando could help level up your business through technology.