To commemorate this year’s Cybersecurity Awareness Month, which commences in October, UK Tech News spoke with a variety of industry experts to get their thoughts and advice on the topic of cybersecurity risks and best practices:
Tim Bandos, Vice President of Cyber Security, Digital Guardian:
“Long gone are the days when all but the biggest data breaches would make the headlines of non-IT press. That’s because we’ve become increasingly desensitised to security stories. Today, it takes something huge to turn heads. Whether it’s 300,000 files and directories stolen by a former Tesla employee or the 600 million Facebook passwords ‘hidden’ in plain text, only these most egregious lapses in data security seem to set alarm bells ringing.
“Data protection solutions can help prevent data loss, but maintaining a successful security program is largely dependent on employee awareness and their ability to comply. By teaching employees how to make decisions about the use and protection of data, they’re in a better position to make better judgments on their own around data in the future.”
Michael Scheffler, AVP EMEA, Bitglass:
“Public opinion on the cloud has come a long way in recent years, with most security professionals now accepting that it’s no less secure than the traditional, in-house way of doing things. Allowing data to move beyond the traditional network perimeter can cause concern for many executives – if not properly secured, it can leave an enterprise vulnerable to data leakage, malware, unauthorised data access, and regulatory non-compliance.
“As adoption of cloud-based applications and services continues to grow throughout the business world, organisations need specialised security technology that is capable of protecting sensitive data wherever it is stored or accessed. The enterprise needs end-to-end security across all devices, locations, and users, as well as complete visibility throughout IT infrastructure. Fortunately, recent years have given rise to a variety of new security technologies that are designed to tackle the cloud’s unique challenges.”
Todd Kelly, Chief Security Officer, Cradlepoint:
“Securing Internet of Things (IoT) devices and data for business use cases is one of the hottest topics during Cyber Security Awareness Month this year. At its core, IoT represents a huge expansion of the network edge, with each deployment potentially covering wired broadband, public and private LTE, WiFi, and LoRaWAN connectivity. In the not too distant future, we’ll see IoT deployments take advantage of 5G connectivity as well. The good thing is the industry and governments have started efforts to better define the inherent security controls and best practices that will help, over time, improve the overall security of IoT deployments. But that will take some time to gain mass adoption in the market.
“IoT devices and routers are a major source of attacks for cybercriminals and nation state attackers. According to Symantec, in 2018, 75% of botnets were router focused. IoT security can be daunting for many businesses, and there are a number of important areas that everyone who has deployed or is considering deploying IoT applications should consider. Devices typically do not have layered security features or secure software development and patching models integrated with their solutions. On top of that, many IoT devices cannot be accessed, managed, or monitored like conventional IT devices. Depending on the use case and vendor, there can be numerous OS, management and API-level interfaces and capabilities to manage.
“With the expanding diversity of business IoT use cases along with their associated IoT devices, architectures, vendors, management platforms and disparate security capabilities, customers should look to invest in enterprise IoT platforms to simplify the number of tools, devices and architectures needed to meet the business benefits for IoT use cases in the enterprise while reducing cyber risk.
“Using existing network-based security solutions may not be sufficient. Instead, organisations should look at using expert cloud-based management platforms and software-defined perimeter technologies, which effectively address the security risks inherent in IoT deployments and provide network-wide policies and visibility. IoT security will remain one of the most important enterprise security issues for many years to come. But while businesses should always be mindful of potential threats, by addressing these early and with the right technology, they can be confident in their IoT deployments now and into the future.”
John Ford, CISO, ConnectWise:
“The simplest thing SMBs can do to protect themselves from cyber-threats is to enable multifactor authentication. Essentially, that means having more than just a password. Most people use it all the time and never even think about it. For instance, when logging into your bank account from something other than your primary computer, and the bank sends a text message to your phone with a code. You enter the code and you’re in. That’s all multifactor authentication is. In cybersecurity, we call it ‘something you have and something you know’.
“While there are all kinds of complex products and technologies companies use to protect themselves – many of them excellent – the fact is, most ransomware attacks can be prevented by this easy-to-deploy process. Yet, multifactor authentication has only recently become widely adopted, despite having been around close to 20 years.”
Eltjo Hofstee, Managing Director, Leaseweb UK:
“NCSAM is a time to pause and take stock of security practices, revising or enhancing to ensure as robust a security posture as possible. As a cloud hosting provider to over 200 UK customers, Leaseweb constantly reviews its security checklist against the UK government’s 14 Cloud Security Principles to uphold compliance and best practice across all aspects related to security in the cloud. From data in transit protection, supply chain, operational, and personnel security to the provision of a governance framework, secure user management and service administration, Leaseweb’s security plan and measures provide reassurance for customers of adherence to the highest standards in secure cloud service delivery.”
Sascha Giese, Head Geek, SolarWinds:
“With every passing year, the public sector is becoming increasingly aware of the onslaught of cyberattacks it faces, with an increase in the number of organisations reporting over 1,000 cyberattacks in 2018 compared to 2017, as revealed this year through a SolarWinds FOI request. Public sector IT professionals are working every day to ensure the data their department holds is kept secure. While tools and technology are of course the most solid defence against security threats, public sector IT pros should also consider the following three steps to achieving a stronger security posture: leadership setting the right example; regular and effective training for all teams; and ensuring security policies are revised frequently to keep up with the latest threats.
“U.K. government IT professionals are trusted with data by citizens, and so to give them confidence this information is being kept safe, organisations in this sector must adhere to strict security policies. And, to keep on top of security, having initiatives supported by everyone—not just the IT team—is the crucial part of the puzzle.”
Steve Nice, Chief Security Technologist, Node4:
“In this day and age, a cyber-attack is unfortunately more of an inevitability than just a mere threat. So, businesses need to accept the fact that mitigation technology is a necessity. This Cyber Security Month, it’s important for organisations to recognise how to strengthen their security to prevent potentially devastating attacks from harming them. It’s the responsibility of the IT team to ensure that the business’ security is up to speed, and so a Vulnerability Testing programme can help the team understand where the weaknesses are and support these areas. This means that valuable time – and money – can be saved from being spent on unnecessary security infrastructures before knowing where the holes in the defence really lie.
“However, it’s not just the technology that needs to be supported. Regardless of how many layers of protection IT teams implement, the weakest link is the people involved. Managing this is essential in any cyber security strategy, so it’s vital to ensure that all employees are fully up-to-date with the latest security protocols and processes in the company. This is a key part of cyber security, and even more so because the human element is the hardest to control and measure effectively.”