What is really needed to cope with the mounting cyber-risks? asks Andy Robertson, pictured, Head of Fujitsu Cyber Security, UK and Ireland.
Across the UK, organisations have converted the five-day week in the office to totally or partly remote. To be precise, recent ONS data show that nearly one in seven working adults (14 per cent) worked from home exclusively. As such, an increasing number of employees are utilising their own devices and internet connections at home, creating a perfect environment for bad actors.
A door that cyber criminals had once been aware of, was now a gaping hole, and so many businesses were at risk. Now, with hybrid working here to stay, the next three years will see considerable demand for security solutions. In fact, in the last 12 months, the sector has demonstrated double-digit growth across a number of key measures. The sector’s revenue has grown to more than £10 billion for the first time and has added over 6,000 jobs.
The industry knows it needs to secure hybrid working, and cope with rising threats such as phishing and ransomware, but where should an organisation’s security budgets really be going – is it technology, training, or both?
Actors’ increasingly inventive methods
Cybercriminals are always developing unique tactics to find and exploit new weaknesses. Today, they have mastered the art of fusion and can mix different threats to create new kinds of hazards. Instead of launching assaults from a single PC, attackers are increasingly deploying bots or even using artificial intelligence to create variants of the same attack. It’s also common knowledge that ransomware is on the rise, not to mention the growth in double extortion ransomware and malicious bots.
Organisations have needed to vastly adapt their security processes to the new ways of working and living – and they have rightly done so. But even if current security defences are able to withstand attackers now, that doesn’t protect an organisation from human error, whether it is forced or natural and its employees that are the most common gatekeeper.
A zero-trust approach is the best approach
Enterprises must constantly verify that a user and their device is authorised to access sensitive data. They need a policy that takes into account both the risks of the user and the risks of the device, as well as compliance or other criteria to look at before giving access to a system, cloud, network, etc.
Controlling what and where users may connect demands that the business has a complete picture of all service accounts, including those with elevated privileges. Because threats and user characteristics are dynamic, a single validation is insufficient. To help reduce the burden of this, organisations should consider implementing a Zero Trust approach. Businesses must assume that there will be a breach. This isn’t about not trusting your employees, partners, suppliers, or customers – as people. It’s actually about knowing who they are, what they are doing, what technology they are using, and what level of authorisation they have for each thing they do, every time they do it, wherever they are doing it.
This means that data, systems, and equipment are treated equally and securely. It doesn’t matter where they are located, in your network or outside it. Nothing is trusted until you are absolutely certain it can be trusted.
The main Zero Trust principles include:
• Verify Explicitly – Authenticate and authorise every access attempt. Use all available signals.
• Least Privilege – Use Just-In-Time, Just-Enough-Access and Zero-Standing-Privileges principles to minimize access and risk.
• Assume Breach – Prevent lateral movement, minimise scope of breach damage, encrypt end to end, increase visibility and proactively react to threats.
Layered technological approach
Another technological focus that’s an absolute must today is Multi-factor Authentication (MFA), especially for the many who work from home or travel to various off-site locations. MFA is a key part of Zero-Trust, employees must be able to prove they are who they say they are. To get access, users are required to provide two or more forms of authentication. If a hacker or unauthorised user is able to guess or buy a password on the dark web, it is highly unlikely they will be able to gain access via a second authentication factor.
Yet, with a backdrop of increasing attacks, organisations should consider taking this a step further, adding another technological layer. Conditional Access (CA) is a powerful security technique whereby an organisation can configure and fine-tune access policies with contextual factors such as user, device, location, and real-time risk information to control what a specific user can access, and how and when they have access.
By using Conditional Access, organisations can make their authentication system more robust. They may, for example, compare the current login request against past logins to determine if the new log in request is authentic. If a person logs in from San Francisco and then logs in from Paris an hour later, the conditional logic may establish that this is physically impossible and flag the login as suspicious. Depending on the Conditional Access rule, the attempt can either be blocked or the user is prompted for a further authentication challenge before any access is granted. However, in today’s digital world, a company’s infrastructure is only as good as its staff.
IT can’t do it all alone
Implementing an efficient IT monitoring system is tough, particularly for businesses that operate in hybrid or off-site. With the rapid rise in cybercrime over the past years, there has clearly been an increase in investment in cybersecurity. So, as businesses become more reliant on the digital hemisphere, cybercriminals will, as we all know too well, increase the volume and complexity of attacks.
Effective technology will handle a number of essential aspects, through the use of a zero-trust approach, MFA and CA. Yet, the best way for any organisation to protect its assets is to take both advanced and proactive steps. This isn’t just the job of IT teams, though.
Everyone is in for a secure future
In our new world of hybrid work, it’s important for companies to invest in a strategy where all employees receive regular training that is specific to the threats they face in their jobs. That also means that cybersecurity teams must get closer to the business sectors to grasp their unique difficulties. As part of the company’s overall IT, security training should be seen as a necessity. For instance, businesses should offer courses and awareness measures. This will cost a lot less than if the security fence fell due to a lack of training.
Essentially, when staff are aware of the threats, it will have a major impact on an organisation’s security stance and foster a feeling of communal responsibility whereby every employee participates in the security process.