Cyber Security and Resilience  

Secure by Design is one of the pillars of an Adaptive Technology Model. To view it purely as a function of your IT team, or through the prism of technology alone, could needlessly expose your organisation to risk.

Mimecast is IT Lab’s trusted security partner. Dan Sloshberg, its Director of Product Marketing, agrees that the most successful security strategies are owned by everyone in a business: “The Secure by Design principle helps people to think about security in the broadest sense. For example, the security posture of their vendors, how vulnerable their legacy and on-premise systems are to attack, and the risks their users present.”

We asked Dan Sloshberg to address three vital questions:

  1. As more companies entrust their data to the cloud, they must have confidence in the security of their potential vendors. How can they best determine this?
  2. Many organisations are journeying to a full app driven environment served by SaaS. As they transition from legacy and on-premise systems, how can they improve the security of their older systems in the interim?
  3. What's the biggest risk posed by users, and how can it be reduced? 

Secure by Design: Selecting a Vendor

Dan Sloshberg: “When evaluating vendors, there are a number of things you should look at. First and foremost is where does security sit in that vendor’s priority list? They may have built an impressive product, but haven’t followed secure by design principles.

“There could be shortcomings in security, or it’s done in a way that is not intuitive or easy for the user. The vendor you choose should help you achieve the level of protection you need, whether it’s for regulatory purposes or your own risk management profile.

"A good vendor will help you along that path, not get in your way. And why not lean on a vendor that can demonstrate they take security seriously, rather than trying to piece it all together yourself?

"Vendors are not created equally, that’s certain. By looking at simple things such as their certifications, you can quickly tell how seriously they take security and data protection, and whether they can be trusted with your data.”

The security expert’s advice is a practical checklist covering:

  • What ISO accreditations do they have? ISO 27001 is a good baseline.
  • Consider what's relevant to you. For example, ISO 27018 focuses on the protection of personally identifiable information – think GDPR. Another could be ISO 22301, which covers business continuity.
  • Other certifications might include:
    • SOC 2 - for many security conscious organisations, this is a minimal requirement when considering a SaaS provider.
    • HIPPA – more applicable to the USA, specifically for the healthcare space
  • Where will your data be held? Is it being processed in region or in the US for example? And what's acceptable, given different data processing laws may apply?
  • What procedures and technologies do they have in place to mitigate the risk of a breach? Sloshberg: “Breaches will happen, the point is what steps are they taking to help customers alleviate the risks of breached data. For example, if critical information is encrypted at rest and in transit, it will be of no value to attackers.”
  • If your data was deleted by one of your own people, e.g. a careless or malicious insider, would your vendor give you the ability to recover it?

Sloshberg continues: “While technology is innovating and changing at speed, the bad guys are innovating just as fast, if not faster. You need a vendor that has the flexibility to respond to that change, especially when it comes to the threat landscape.

“No single vendor can innovate rapidly enough to keep up with evolving cyber-crime tactics. By relying on their technology alone, they're self-limiting. What you want is a vendor that has their own robust tools, but can augment and plug-in the latest best of breed detection tools, engines and other capabilities to stay ahead.

"Drawing from the collective innovation of an entire industry is better than what one company can do on their own.”

The Security of Legacy and On-Premise Systems

The transition from on-premise and legacy systems demands a considered, measured approach. As advocated in The Benefits of Hybrid Cloud Services, the road to a full app driven environment is best taken with small steps.

While organisations are relying on these older systems, how can they protect them, and the data that resides in them, from cyber-attacks?

Sloshberg: “Retrofitting security, as opposed to the inherent ‘Secure by Design’ of a new system build, can be tricky. The best security should be invisible, and done in a way that isn’t clunky or an obstacle to people doing their jobs.

“My foremost piece of advice would be do not tackle your older estate system by system. Look at how you can wrap a security layer around all your legacy and on-premise systems to bring them into a unified framework. Consider, for example, single sign-on and multi-factor authentication.”

Sloshberg adds:

  • Start by building a risk profile of your organisation; understanding where the biggest risks are will help to focus your efforts.
  • Rank them and decide what level of risk you are willing or able to take. Sloshberg: “The cost of a breach typically outweighs the cost of preventative measures, but some measures may be disproportionate to the risk itself. Ultimately, it’s down to the leadership of the organisation to determine the appropriate balance.”
  • Understand what regulations you need to adhere to – e.g. industry regulations, overall market regulations, and if your systems comply.
  • Consider appointing external expertise and look at measures to bolster your security, such as penetration testing, Cyber Essentials PLUS certification and employee education.

Sloshberg: “Technology is not a panacea for every threat; look at your business processes too. For example, how you set up a new vendor, how you validate them to ensure payments are not going to a fraudulent account. Also your physical security – do your staff have the confidence to challenge unaccompanied visitors? There must be sensible checks and balances.”

What's the Biggest Security Risk Posed by Users? 

chart email attach vector
 
Source: 2017 Verizon Data Breach Investigation Report

One staggering statistic is that 90% of cyber-attacks use email as the way in. Arguably, email is the most vulnerable system organisations run. As social engineering and phishing attacks grow in sophistication, even the shrewdest of users can be duped into clicking on a malicious link or opening a suspicious attachment.

Sloshberg: “Mimecast delivers the latest advanced security to help companies protect themselves. Our targeted threat protection products go way beyond what people commonly term ‘email security’ which is just anti-virus and anti-spam. While these remain necessary, they only do part of the job these days.”

“Many security vendors offer solutions to protect against inbound email, but most don’t look at internal email. It’s one thing to make sure that nothing bad comes into the business, but ensuring malware is not spread from inside the business is crucial too. Take the scenario of a compromised insider with an infected file on a USB drive, who might try to share it via email.”

Sloshberg agrees that cyber-security awareness training is important: “Users can be blamed for inadvertently causing havoc, but organisations need to consider the support and education they provide. Cyber-security training should be ongoing, not simply addressed at employee induction then forgotten.

“Just like IT Lab’s model, employees should be encouraged to be adaptable and open to change too. There will always be those who’ve done things a certain way. It’s a question of educating them and reflecting on your organisation’s leadership and culture.”

Facing the Future with Resilience  

Sloshberg concludes: “Security on its own is no longer enough. Regardless of the tools you have, and what processes and training you put in place, the likelihood is you will be breached at some point.

“Organisations need to think more in terms of cyber resilience and prepare for the inevitability of a successful attack. What if critical and sensitive data is deleted or corrupted, can they get it back? If their systems are impacted, do they have a way of making sure employees can continue to work effectively?

“At Mimecast, we bring leading advanced security, data protection and recovery and business continuity for email into one platform. We can help IT Lab’s customers drive towards Secure by Design, not just from the protection angle, but the resilience piece too.”

Click here to explore our Adaptive Technology Model Hub and discover other rich resources.

Written by Christine Ellis