The top seven ways for UK business to protect themselves in today's cloud-enabled world
Steve Nice discusses where UK businesses are falling short on security, what's at stake for them, and what they need to do to protect themselves.
Steve Nice, security technologist, Node4
The modern threat landscape, and the vectors via which security attacks might occur in today's businesses, are diversifying day-on-day. IT security professionals are catering to a rich mixture of employee devices and working within increasingly heterogeneous IT architectures, with most businesses today using a mixture of on-premise systems, potentially spread out across several sites, as well as both private and public cloud systems and co-located systems. At the same time, malicious parties are growing increasingly sophisticated in their attacks. All of which underlines the importance of adopting a resilient security approach to protect the business, and following a few simple guidelines.
1. Establish good security policies, and train your staff, but don't rely on them
Staff should be made aware, and constantly trained into, security best practice. Make it clear what behaviours are in breach of your company's policies, where dangers can come from, and how they might affect the business. However, as any security professional will tell you, you can't rely on staff to keep your business safe. In a recent Node4 poll, ‘human error' was ranked as the biggest security threat to businesses, (by 65 percent of ITDMs, way out ahead of anything else). So make sure you shore up your defence strategy with appropriate technical safeguards as well.
2. Audit continuously
People have a tendency to buy a burglar alarm only after their house has been burgled. The trick is to assume from the outset that you'll be a target. To be effective, you should audit continuously and develop policies accordingly. Any such audit should assess the needs and vulnerabilities of existing infrastructures to predict and mitigate any threats before they damage your business. Don't wait until your cloud or on-premise data has been raided.
3. Use a SIEM strategy for complex architectures
In today's rich, heterogeneous enterprise IT environments, it is increasingly difficult to take the birds-eye view needed to spot security events as they occur. A Security Information and Event Management (SIEM) strategy will allow you to do this, providing the ability to mitigate threats as they develop, and report upon them to better-inform a future defence strategy. Given the complexity of today's architectures, and the developing nature of threats, it seems surprising that the majority of companies aren't currently employing a SIEM approach, as recent Node4 research uncovered.
4. Firewalls are still fundamental
Some might dismiss firewalls as ill suited to the requirements of today's security landscape. But, the truth is that Firewalls, which allow businesses to block or allow traffic automatically, are pretty much the most fundamental and basic element in any security strategy, (more frequently implemented than any other form of IT security). However, despite this, surprisingly, only half of businesses actually use some form of firewall.
5. But don't stop there…
At the very least, both your business and your cloud providers should provide for firewalling technologies. But used in isolation, firewalls present a weak defence against today's threat landscape. Instead, use them as part of a ‘defence in depth' strategy, combined with various other approaches, including Unified Threat Management (UTM), which allows you to collate various security threads and control policies within one system, plus Intrusion Prevention and Data Leak Prevention systems.
There are many different types of tools that have a part to play in a comprehensive security strategy. These might include choices as simple as implementing two-factor authentication and/or data encryption, picking the right (secure) operating system for your needs, incorporating anti-virus software, anti-malware, email management, etc, to adopting DDoS protection, encrypted remote access, secure authentication, application control, load balancing, sandboxing, etc. Where you draw the line depends upon your assessment of risk and the value and criticality of the systems involved.
6. Consider bringing in a managed service security specialist
Overseeing IT security today is becoming so complex that understanding the threat landscape and the myriad tools and approaches to combat attacks is difficult. For many businesses, it makes sense to employ a dedicated security strategist who can bring the technical expertise and in-depth understanding of the cyber-security sector that you can't access internally. Many such services exist, and you'll usually be able to find one at a price to suit your business.
7. Think about security holistically
It's almost a cliché, but good security practices today require security professionals to adopt an umbrella view, not just of their IT estate, but of the people that use it. As well as the technological solutions, a successful strategy must encompass employee awareness, policy enforcement, and on-going penetration testing and risk analysis.
Contributed by Steve Nice, security technologist, Node4