It’s never been more important for businesses to strengthen their IT security. Amid a growing, more sophisticated threat and increasing EU legislation that will dispense large fines to those failing to smarten up and protect their data, time is now of the essence.
Since the advent of the internet, the law has struggled to keep pace with subsequent advances. As technology has progressed at speed with increasing numbers of everyday objects being connected in the Internet of Things (IoT) and threats growing exponentially in tandem, regulators and lawmakers have been slow to recognise the data protection implications.
Now, with the European Union announcing that the widely-awaited General Data Protection Regulation (GDPR) will come to fruition shortly, it’s time to act.
The law will establish fines of up to five per cent of global turnover - or up to €100 million - and will introduce mandatory data breach disclosure, meaning that businesses will be asked to report data breaches within a 72-hour window.
Security breaches can happen to any size of business, and it’s not enough to react to them when they occur; planning for the worst, putting budget aside, and proactively strengthening security whilst actively seeking out weak spots, is now essential.
If the unthinkable happens, and a security breach does occur, then the answer is to focus efforts on detecting it as quickly as possible and then acting to minimise the harm.
This was a key failure in the high profile Sony breach that occurred recently. While the tech and entertainment giant had deterrents in place, once access had been gained it failed to stop its defences being breached further, apparently for months on end. The determined and patient attackers exfiltrated gigabytes of documents, embarrassing emails, and even entire movies in what would prove a public relations nightmare for the company. In 2014, Experian found that a staggering 43 per cent of the US businesses it surveyed had suffered a data breach – and that most instances had a root cause in employee negligence. The threat is very real, then, and it often emanates from within.
IT and IT security professionals must review the impending GDPR legislation now, and close the tech deficit gap in time to meet its requirements, in turn discovering and exploring the areas of their network that are putting them at risk so they can prioritise and fix them. With the influx of employees using their own devices and increased numbers of users accessing corporate networks creating new security headaches, they must also manage what goes in and out of their network.
There’s a fine balance to be struck between allowing employees to work from home and potentially exposing the organisation to more external risk. Where highly sensitive data is at stake, organisations must put robust policies in place. This rings particularly true for organisations with regulatory compliance obligations they must adhere to, such as the NHS, Local Government and Financial Services, whereby substantial financial penalties can be levied against them for breaching these, as well as damage to their reputation and to confidence in them.
Businesses must protect their critical assets with key defences including endpoint encryption, device control, Data Loss Prevention (DLP), Network Access Control (NAC), Host Intrusion Prevention Systems (HIPS), next-gen firewalls, and anti-malware.
Endpoint visibility provides incredibly advanced information on employee activity, identifying anything that’s out of the ordinary. It notices when patterns of activity change, and is even capable of accurately predicting when a member of staff is preparing to leave the business. This can be invaluable in detecting the behaviours that can lead to a potential breach.
The good news is that security is doing more with less, consolidating, and reducing the number of suppliers which is, in turn, reducing costs. This is a positive step, as the more infrastructure that’s in place and staff required to manage it, the more inherent risk there is of being compromised.
Frankly, if you can’t recover your critical data at any given time, then you may no longer have a business. Furthermore, if you can’t get your business back up and running quickly, then you also have a major problem on your hands.
The true cost of security isn’t how much investment is required to protect your network, but in how much reputational damage and financial legacy your organisation will suffer if it becomes the victim of a breach.
With that in mind, choosing a strong partner to help mitigate business risk could be the smartest security investment of all.
About the author
Stuart Hooson is Sales & Sales Operations Manager at IT managed services business Pinnacle Technology Group. Previous to Pinnacle he held positions at RMS and Redstone.