08-06-20 | Blog Post
“5,183 breaches reported in the first nine months of 2019 exposing 7.9 billion records” is an astonishing number until you read: “records exposed in Q1 2020 skyrocketed to 8.4 billion – a 273% increase compared to Q1 2019.” If the average, all-inclusive cost [2019] to business for a data breach is $3.9M, then the issue of data and record security gains more relevance for all sizes of businesses. Adding to this concern is timing: While the business is concentrating on an immediate crisis, cyber criminals focus on exploiting security gaps. The media is rife with stories of significant acts of state-sponsored cyber terrorism and spectacular tales of cybercrime by hacktivists and Advanced Persistent Threat groups. There’s also a seemingly less significant contributor to cybercrime – data leakage. Data leakage can be broadly defined as the transport of data or IP to an external location or party without appropriate authorization. Some of the causes of data leakage are open databases that lack security or encryption (whether intentionally or not) and malware and phishing, which represent malicious forms of data leakage. According to a 2019 report, “Companies hacked in the last 18 months say half these incidents were an inside job.” We can all agree that data security and protection is a wide and all-encompassing concern.
The technologies we adopt in business today to increase our competitive advantages and improve business economics: e.g. cloud, IoT, SaaS and mobility, also increase the amount of high-value data that is created. They require dynamic storage and transport and demand additional provisions for protection and security. An illuminating 2020 study, produced by IDC and The Thales Group, states that “data security averages just 15% of overall IT security budget.” If the end result of using new technologies is a permanent change in the way business serves customers and employees, then a comprehensive plan for data security and protection should take its place atop every cyber security and response plan. The near future will bring even more technologies that require shifting focus and budget from network security to data protection and security; Big Data and its analytics tools, the maturation of DevOps to reduce time to develop and deploy new applications and processes, and even Blockchain for supply chain, contracts and storage. Are your cybersecurity and data protection plans flexible enough to keep up with the rapid deployment of new technologies?
Have a plan and train: 77% of enterprises don’t have a cybersecurity response plan. This all may seem very basic, but if you don’t have a well-designed security plan, create it tomorrow. If you already have a security plan, there must be strong and vigilant enforcement efforts. If you have a security plan but don’t train all employees frequently, enforcement is almost impossible.
Have a strong password strategy: Implement strict password management including password rotation/changes, institute access levels and access level credentials, improve password strength requirements, adopt two factor or multi-factor authentication, and review the potential benefits of a password management system for your business.
Consider the cloud: Gartner predicts that public cloud for infrastructure workloads will suffer at least 60% fewer security incidents than data centers. While there is still some concern for a cloud service’s ability to execute at or above the required levels of security, high rates of investment in state-of-the-art security CSP compliance certifications (and the requirement for frequent CSP security audits); redundancies across the physical, virtual and geographical landscapes, 24×7 monitoring, and the industry’s best security resources all give credence to coud services as a highly secure alternative to prem-based data centers.
Monitor, monitor, monitor: Monitoring may be the most critical of IT functions as new technologies, cloud and XaaS are deployed. Your cloud and XaaS partners must provide the required tools that allow visibility into access, users, and transactions; both real time and as forensics on demand. Also, be sure to consider for both monitoring and policy, external file sharing and storage sites, frequently referred to as shadow IT.
Encryption for data at rest and in transit: Regardless of current security policy, the business may want to consider encryption for data at rest and always assure encryption for data in transit. Many compliance regulations dictate encryption, and encrypted data is not considered compromised if the encryption keys remain safe. Err on the safe side and combine two methods of encryption – send encrypted files over an encrypted connection. Needless to say, especially in the wake of mass remote worker distribution in the time of the pandemic, network end points typically lead every business in the number of security vulnerabilities and should be strongly considered for encryption.
Data redundancy: In today’s world, you can’t rely on just one copy of your data. What’s your backup strategy? If part of your environment goes down, can you still access your data So, what should you do? Take advantage of multiple data centers from your provider. In case of an outage at one, you can rest assured knowing your data is backed up at another. Disaster Recovery as a Service (DRaaS) or Backup as a Service (BaaS) are two different ways you can address potential downtime and data loss effectively, no matter what cloud environment you have.
Backing up your data regularly to a secure, offsite facility is also smart. Some versions of ransomware can encrypt onsite backups, meaning they are useless to you if ransomware affects those files as well. Have a strong backup solution in place that is easily recoverable should you need it. It exists for a reason!
Remember, always be vigilant about your security. Train your employees to recognize and avoid suspicious content, including untrusted websites that are malware breeding grounds. Having a strong technical security solution can also help prevent ransomware attacks.
Four Security Considerations For Your Hybrid Cloud: Most enterprises today have a multi-cloud environment and more than half have a hybrid cloud strategy, combining both public and private clouds. The continued migration to hybrid cloud validates its clear advantages, but as environments grow and evolve, things can quickly become complex – and those of us in IT must figure out how to manage it all.
Achieving Security In the Cloud: One of the biggest concerns around hybrid cloud for organizations is data security. That’s rightfully so–according to Gartner, at least 95 percent of cloud security failures will be the fault of the customer through 2022.
Encryption is the key to the data kingdom: Encryption is becoming more and more a part of our personal and professional lives. One could even argue that we can’t live without it.
Ransomware preparedness with Otava, Veeam and MSPs: Our panel covered many topics throughout the roundtable, starting first by discussing the main strains of ransomware prevalent in the industry today, and what they’re seeing in terms of risk mitigation.