Jon Fielding at Apricorn describes how so many UK organisations are unprepared for a data breach
Apricorn’s annual IT security survey indicated a lack of cyber-resilience among UK organisations – the ability to prepare for, respond to and recover from a data breach. Respondents also reported difficulties with the basics of locating or securing data and understanding their data obligations.
Four key pillars of cyber-resilience include educating employees, mandatory encryption, a fully realised backup strategy and process that includes offline storage, and sustained all-round visibility of data.
A fifth pillar is the need to check that policy and practical measures are working in the real world.
Test, review, revise – and test again
Failing to enforce best practice when any organisation can be disrupted is surely unwise. Yet that’s so often what we see in the market – a failure to actually test and practise resilience plans.
Organisations must consistently re-evaluate their data protection practices and look for chinks in their armour, whether in mobile working practices, a known weakness or evolving blind spot, or employees’ understanding of information security.
This should be a routine that includes regular backup testing and running ‘war games’ at board level that exercise all defences.
Incentivise employees to scrutinise the security posture and solutions – for example by looking for data streams that are either unencrypted or that don’t comply with the latest guidance, or by evaluating and recommending hardware they feel would bring value. Vendors can sometimes offer assistance in this respect.
Incorporating the ‘fifth pillar’ creates a continuous feedback loop that enables ongoing improvement of pillars 1 through 4.
For example, routine practice of defences entails regular engagement with data generated, transmitted and stored – helping reinforce and update data visibility.
The importance of sustaining full visibility of data
Gaining full visibility means being able to monitor and manage data transparently across BYOD, home or work, regardless of device. It enables a fast, specific and accurate response both to any potential breach and to questions from the regulator.
Companies must be able to map the data life cycle from collection to storage to archive and, finally, to deletion. The map should record who has access at any one time, and should include a risk profile covering whether the data has been or could be put at risk, and what the consequences would be.
Being able to monitor and manage your data transparently across BYOD, home or work, and on the range of devices currently in use, also helps guarantee a rapid response to cyber incidents and data breaches.
Our 2021 Global Security Survey highlights that many organisations take too much for granted when it comes to data handling. Only around two in five even mandate encryption of sensitive data.
In the annual IT security survey, nine percent of IT leaders surveyed did not know whether breaches at their organisation had been reported to the ICO. This suggests that even the tracking and tracing of events and incidents may not be adequate either – underlining the need for testing of plans.
Rehearsing delivers knowledge and helps educate employees
Cyber threats to data take multiple, ever-evolving forms – so ongoing education of all employees is crucial. If people are expected to defend their workplace and support compliance needs, they should understand the reasons why, as well as the steps they must take.
This means helping them stay abreast of changes in both battlefield and armoury – something that regular engagement with the issues and practices via a testing and ‘battle readiness’ programme can help achieve.
Our survey pinpointed areas where specific education strategies are likely to be needed when we asked about the biggest challenges associated with implementing a cybersecurity plan for remote/mobile working.
In our survey, 39% of IT leaders admitted they cannot be certain that their data is adequately secured, 18% said they don’t have a good understanding of which data sets need to be encrypted, and 15% have no control over where company data goes and where it is stored.
Testing should include reviews of encryption
Part and parcel of any effective cyber-resilience strategy should be to encrypt all corporate data as standard, not just at the storage layer alone. This solidifies a potential last line of defence in any attack by protecting information and data both at rest and in transit.
With full best-of-breed encryption, even if criminals manage to break gateway defences and access internal servers or intercept data in transit, the bits and bytes recovered remain unintelligible to unauthorised recipients without the required encryption key. This would greatly assist with regulatory compliance – for example GDPR requires the pseudonymisation and encryption of personal data.
Software-free 256-bit AES XTS hardware-encrypted USB drives provide a portable and platform-agnostic technology that any organisation can quickly implement for both in-house and remote workers in support of this.
Testing should therefore include consideration of the encryption strategy. Which data sets require encryption? Is appropriate whitelisting and port control implemented to ensure data remains protected when crossing the USB port? Who should have access to encrypted devices, and for what purpose?
Check backup policy is being enforced, including offline back-ups
All data should be automatically and regularly backed up. The backups should also be tested regularly to ensure they’ll work when recovery is needed.
Crucially, backups shouldn’t all be network-attached or even in the cloud: copies of all critical data should also be made and stored offline, disconnected from the network and, ideally, offsite as well.
Having offline backups of all data that are not accessible by anyone logged onto the network not only protects against solution failure but defends against the rising threat of ransomware.
Appropriate practice should be reviewed and reinforced with regular checks, including recovery procedures.
None of these strategies, not even data encryption, is a silver bullet on its own. However, in combination with regular reviewing, testing and practice, each guides organisations towards effective cyber-resilience in the face of the most dynamic and difficult of circumstances.
Jon Fielding is managing director EMEA, Apricorn