Feature

The Big Issue

Cybersecurity

Data security is a far bigger issue today than it was just a year ago, and tomorrow, with the introduction of GDPR, it will become an even more important topic as firms begin to receive huge, potentially crippling, fines for non-compliance.

The UK Government revealed the findings of its Cyber Security Breaches Survey in the spring, reporting that just under half (46%) of all UK businesses had identified at least one cyber security breach or attack in the previous 12 months.

Despite three-fifths (61%) of firms holding personal data on customers electronically, only 37% of businesses have any rules around its encryption. What’s more, only a quarter (26%) of businesses reported the most disruptive breach externally to anyone other than a cyber security provider, a statistic that will undoubtedly change when the EU GDPR is enforced in 2018.

Gartner Fail

What is worrying end users?

Well, nearly half of companies identify data loss protection as the number one cloud security priority.

In its Cybersecurity Trends 2017 Spotlight Report, security firm Alert Logic explores the latest cybersecurity trends and organisational investment priorities, and finds that while cloud adoption is on the rise, the top concern is how to secure data in the cloud and protect against data loss (48 per cent). The next two biggest priorities for security professionals were threats to data privacy (43 per cent) and regulatory compliance (39 per cent).

The study also examined the top constraints faced by these organisations in securing cloud computing infrastructures.

Worryingly, and especially in the light of the new GDPR regime that comes into force across Europe in May 2018, the study found that 42% of organisations lack the internal security resources and expertise to cope with the growing demands of protecting data, systems and applications against increasingly sophisticated threats.

It gets worse. With a third of firms already wanting to reduce the cost of security, alongside concerns over moving to continuous 24x7 security coverage, improving compliance and speeding up incident response, we would say there is no hope whatsoever of reducing the cost of security and compliance any time soon.

Alert Logic makes a valid point when it reminds us, “Public cloud platform providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform offer many security measures, but organisations are ultimately responsible for securing their own data and the applications running on those cloud platforms.”

According to Verizon’s recent security report, attacks on web applications are now the source of choice for enterprise data breaches, up 300 per cent since 2014. Similarly, the report found cybersecurity professionals – more than half of survey participants – to be most concerned about customer-facing web applications introducing security risk to their business (53 per cent). This is followed by mobile applications (48 per cent), desktop applications (33 per cent) and business applications such as ERP platforms (31 per cent).

Application related breaches have negative consequences and can lead to revenue loss, significant recovery expense, and damaged reputation.

“Web applications are the most significant source of breaches for organisations leveraging cloud and cloud hybrid computing infrastructures,” said Oliver Pinson-Roxburgh, EMEA Director at Alert Logic. “They are complex, with a large attack surface that can be compromised at any layer of the application stack and often utilise open source and third-party development tools that can introduce vulnerabilities into an enterprise.”

Organisations can put measures in place to prevent gaps in an application’s security policy and to avoid vulnerabilities in the underlying system caused by flaws in the design, development, deployment, upgrade, maintenance or database of the application. Additionally, many businesses turn to cloud security vendors with a ‘products + services’ strategy rather than technologies alone to fight web application attacks. Businesses increasingly find that cloud-native security tools, combined with 24x7 security monitoring by security and compliance experts, are the best way to secure their sensitive data – and the sensitive data of their customers – in the cloud.

“A multi-layer web application attack defence is the cornerstone of any effective cloud security solution and strategy,” said Pinson-Roxburgh.

Brian Chappell, Senior Director, Enterprise & Solution Architecture at cyber security solutions firm BeyondTrust, calls a spade a spade when he says anyone selling solutions in the data security and privacy space has a minefield to navigate.

“Trying to match products to frequently changing regulatory requirements to deliver robust, reliable solutions for your customers can seem a never-ending challenge. New regulations, such as the GDPR, come with a significant sting in their tail that makes selecting the right solutions more urgent.

Each new regulation or change to a regulation seems to bring a flurry of new and existing products claiming to solve the latest concern. We believe the solution starts with simplicity. Data security is not going to stop being a challenge anytime soon and technology alone will not solve the problem. We need people to change and evolve as well, and it’s hard for people to change when the way forward is obscured by poor information or limited visibility. The more you can do to help simplify your customer’s security landscape, the better they can see where they are and what’s needed next. Customers who can quickly and easily join you in understanding their next steps will result in a shorter sales cycle and ultimately a better solution.

Good product vision is essential; focus each product on a specific security space and ensure that the product interacts well with others. The adage that the whole is greater than the sum of the parts was never more poignant. Each product helps simplify the security model; moving from the difficult scenario of managing implicit privileges to granting explicit privileges cuts complexity dramatically. Training partners through extensive on-line and instructor-led learning also helps ensure that the message of simplicity can be achieved.

A simple security model is easier to manage, and it is easier to identify where it fits or doesn’t with new or existing regulations. Don’t confuse simple with less secure: the ability to manage effectively while being able to quickly adapt and evolve leads to greater security.

Simplicity isn’t easy, as Steve Jobs once said, ‘Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains’.”


Reseller Comment

Tom Sime, Managing Director of Glasgow-based Exchange Communications, told us that with changes to data protection law afoot, companies are getting their houses in order to ensure compliance ahead of time. And with D-Day set for 25 May 2018, data security is one of 2017’s hottest boardroom topics.

“The introduction of the General Data Protection Regulation (GDPR) will see stringent rules enforced surrounding the collection and storage of personal data and its scope will be far-reaching, covering all ‘personally identifiable information’, known as PII.

This is where we come in.

As well as adhering to the new legislation here at Exchange Communications, we also have an additional role to play in supporting other organisations in adopting best practice in relation to their telecommunication systems.

While telecoms fraud is primarily concerned with selling on airspace, security breaches of this sort can create the perception that customer details are not safe. Indeed, network insecurity can make it easier for fraudsters to collect PII.


So, what should you do to protect your business from telecoms fraud?

There are five simple steps you can adopt today.

It will sound like common sense to most, but it is vitally important that you protect your passwords. So, update yours from the default system passwords if you haven’t done so already, then, be sure to change them regularly, and again when staff members leave the business.

You should also be aware of who has access to your systems and what they’re using them for. With an understanding of this, you can limit access where necessary, putting restrictions in place to prevent international and premium rate outbound calls.

Thirdly, be sure to turn off unnecessary high risk features, such as those which allow the auto-creation of new extensions. You may rely on the likes of Direct Inward System Access (DISA), but be sure to monitor it closely.

Another simple step you can take to better protect yourself is to review your call logs and bills regularly. It’s not the most exciting task, but it is an opportunity to spot unusual activity.

And last, but not least, book in a thorough audit of your systems to identify areas of weakness – don’t leave them unlocked.

Help is out there. As part of our managed services package, we offer fraud alerts, and an audit can be carried out free of charge.

Telecoms fraud costs businesses tens of billions of pounds every year in the UK, not to mention the reputational cost of a breach. And with tighter data protection regulations on the way, act now to secure your business.”
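As an added illustration of the call-log review step in the five steps above (example code written for this article, not Exchange Communications’ own tooling), the following Python scans a constructed PBX call detail record sample and flags outbound calls to international or premium-rate numbers and calls placed out of hours, then totals flagged call time per extension. The record format, number prefixes and business hours are assumptions.

```python
"""Flag unusual outbound calls in a PBX call log (constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records: timestamp, extension, dialled number, seconds.
# Extension 207 places two long overseas calls and a premium-rate call at night.
SAMPLE_CDR = """\
2017-06-12T09:14:03,201,01412221234,122
2017-06-12T13:40:51,203,07700900123,65
2017-06-13T02:17:09,207,0090212555010,1810
2017-06-13T02:31:44,207,0090212555011,1795
2017-06-13T03:05:12,207,09065551234,600
2017-06-13T10:02:30,201,02079460000,240
"""

# Hypothetical review policy: prefixes and hours that warrant a closer look.
INTERNATIONAL_PREFIXES = ("00", "+")
PREMIUM_RATE_PREFIXES = ("09",)     # UK premium-rate number range
BUSINESS_HOURS = range(8, 19)       # 08:00 to 18:59 counts as normal working time


def parse_cdr(text):
    """Parse comma-separated CDR lines into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, secs = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "secs": int(secs)})
    return records


def classify(rec):
    """Return the list of reasons a single call is worth reviewing (empty if none)."""
    reasons = []
    if rec["number"].startswith(INTERNATIONAL_PREFIXES):
        reasons.append("international")
    if rec["number"].startswith(PREMIUM_RATE_PREFIXES):
        reasons.append("premium-rate")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("out-of-hours")
    return reasons


def flag_calls(records):
    """Return (flagged calls, total flagged seconds per extension)."""
    flagged, per_ext = [], defaultdict(int)
    for rec in records:
        reasons = classify(rec)
        if reasons:
            flagged.append((rec["ext"], rec["number"], reasons))
            per_ext[rec["ext"]] += rec["secs"]
    return flagged, dict(per_ext)


if __name__ == "__main__":
    flagged, per_ext = flag_calls(parse_cdr(SAMPLE_CDR))
    for ext, number, reasons in flagged:
        print(f"ext {ext} -> {number}: {', '.join(reasons)}")
    print("flagged seconds per extension:", per_ext)
```

Running this against real CDR exports means adjusting the prefixes and hours to the business’s own calling pattern; the per-extension totals are what make a compromised extension stand out on a monthly review.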