For many businesses, cyber security best practices have rushed to the top of the must-have list. Cloud security risks are increasing, and security budgets are rising to meet them. As of the first quarter of 2018, UK businesses were spending anywhere between £41,000 and £150,000 on cyber security.
And it’s easy to see why.
Even as corporate online security budgets rise, attacks continue to increase both in number and in severity.
With figures like this, it’s easy to understand why businesses are looking to implement solid cloud and cyber security best practices to protect themselves. It’s also easy to see why IT department heads are searching far and wide for reliable cloud security guides.
It’s all down to complexity. As a digital-first work culture increases the number of data access points and extends your network’s security perimeter, it becomes harder and harder to ensure security across your business’ cloud network.
Complex demands require complex solutions, which can lead companies to make snap decisions which funnel their security budgets in the wrong direction.
Limited resources in the wrong places. That’s a recipe for disaster.
This, then, is the solution. Your simple-to-understand cloud security guide to an ever-more complex cyber security landscape. An outline of the technologies you need to adopt, the quick wins which can deliver safer, more secure internal processes and the compelling evidence to secure executive buy-in.
The complete best practice guide to kick-starting your business’ cloud security.
It begins with your key considerations.
Jump straight to section:
- What to consider when getting started with cloud security
- What is cyber security “paralysis” and how can you avoid it?
- Assess your business security setup
- Review your company’s internal cyber security capabilities
- Securing your points of least resistance
- Getting security buy-in from the C-Suite
- Internal threat mitigation and education
- Next generation firewall technology
- What’s the difference between managed and unmanaged security
1. What to consider when getting started with cloud security
Before we discuss the key considerations you need to take into account before adopting your new security strategy, it’s important to make sure that you understand the scale of the issue your business faces. Once you understand the problem, you can determine the relevant security principles you need to implement.
Cyber Security – The Facts
- 43% – the number of businesses which experienced a cyber security breach or attack in the past 12 months
- £3,100 – the mean cost of each security breach, rising to £22,300 for larger businesses
- 27% – the percentage of businesses with a formal cyber security policy or strategy
- 1 in 5 – the proportion of businesses which provide staff with internal or external security training
The problem is real. But as we’ve touched on already, investing in and implementing new cloud security systems and processes can be a complex, challenging and expensive procedure.
By taking the right information into consideration, you’ll find it easier to kick-start your new and improved cloud security best practice processes. That involves understanding the main pitfall which businesses face when implementing any new process – confusion – which in this case takes the form of “cyber security paralysis.”
Once this potential obstacle has been overcome, we’ll explain how you can assess your existing setup and internal capabilities, secure your points of least resistance, and explain how to secure buy-in at every level of your organisation. Finally, we’ll explain how you can secure your business against tomorrow’s threats using next-generation firewall technology and discuss the benefits of managed cloud security.
As an IT manager, CIO or IT director, it’s likely to fall to you to lead this process, but security must stretch beyond just the IT department.
TIP: Identify whose role it is to tackle cyber security. It needs to be a collaborative process that reaches from the top of the business to every operational department, but it is a process which must be led.
As the person responsible for leading this process, you’re most at risk of cyber-paralysis. So before we move onto assessing your existing strategies and capabilities, it’s time to learn how to prevent this confusion from derailing your cloud security upgrade before it begins.
2. What is cyber security “paralysis” and how can you avoid it?
Many organisations find themselves in a state of constant “cyber-paralysis.” The security environment is fast moving and ever changing and a lack of understanding can lead to inaction – as can old-fashioned laziness and confusion.
We all know that no business is safe from a cyber attack. We all know that new versions of malware are constantly entering the arena and that we need to keep abreast of the latest developments and updates.
We know all this and we’ve got all the best intentions in the world, but still we end up doing nothing.
Because our good intentions don’t translate into positive actions:
- You Say: “What we have now is clearly working!”
- You Mean: “We don’t want to rock the boat.”
- You Do: “Nothing, meaning your security measures are standing still as threats develop and change.”
- You Say: “I know what I’m doing. I don’t need any help”
- You Mean: “My network’s never been breached. It’ll never be breached.”
- You Do: “Nothing, even though it’s highly possible that your seemingly untouchable data has been breached already.”
- You Say: “I’m taking the time to weigh up our options.”
- You Mean: “I have no idea where to begin.”
- You Do: “Nothing, meaning security remains lax, obsolete, or missing entirely.”
- You Say: “Let’s just start again”
- You Mean: “I’m lost, let’s rip everything out and start again.”
- You Do: “You remove what little protection you already have, harming your security further.”
If this sounds familiar, you’re in good company at least. Ticketmaster fell victim to a hack between February and June 2018, however when digital bank Monzo warned them on 12th April about signs of fraudulent activity, according to Monzo’s Head of Financial Crime, Natasha Vernier, they “couldn’t get any traction” out of the company. It took until 23rd June for Ticketmaster to find the malware and secure the breach. Was this evidence of cyber paralysis? Whatever the reason, the knock-on effect of this incident has been a loss of trust which could harm the company’s reputation for years to come.
The best way to avoid paralysis is to take the correct actions. The good news is that by taking the time to read a full, in-depth guide to kick-starting your cloud security, you’ve already taken a positive step. But it’s not enough to just read guides.
TIP: It’s better to layer new security features over your existing processes, providing deeper security instead of removing your existing protection and starting again.
You need to take action. Careful, guided action, but action nonetheless.
And that begins with a full and frank assessment of your business’ existing security set-up.
3. Assess your business security setup
With any new process implementation, it’s crucial to know exactly what you’re working with. That means looking at the systems, processes and personnel you currently have in place, and assessing whether they’re fit for purpose when it comes to tackling known threats.
The initial assessment can take the form of a checklist, a simple yes/no assessment of whether there are processes in place to ensure cloud security for your business’ various data access points – user accounts, email accounts, cloud storage servers and the like:
Potential Data Access Points
- User accounts
- Web applications
- Cloud storage accounts
- Cloud storage applications
- Email accounts
- Remote access functions
Making a full list of where and how your company’s data can be accessed, and whether these locations are covered by your security processes will quickly reveal any glaring omissions in your current security processes.
Once you’re aware of all the potential access points throughout your business, it’s time to ensure that there is a security system in place – whether that’s something as simple as enabling two-factor authentication for critical user accounts, or implementing a fully functional secure firewall.
It’s important that this initial assessment phase has full buy-in throughout your entire business. Hundreds of companies have invested in what they believed to be comprehensive cyber-security suites only to find that someone in a distant department was accessing data in a way they hadn’t considered, leading to a vulnerability which could be exploited by malware or phishing attacks.
Later in this guide, we’ll explain to you just how important it is to take internal threat mitigation and education seriously, but for now you simply need to find out how people are accessing and using the cloud-based data that you’re trying to protect. That includes finding out just how many people are accessing secure data using mobile devices.
100% – the percentage of organisations with at least 500 mobile devices that experienced a mobile attack in 2017
Asking is simple, costs nothing, and instantly prompts people to think more about cyber security. It’s a definite quick win for your new security process.
Once you’re aware of what you currently have in place, it’s time to review the capabilities of your existing security setup.
4. Review your company’s internal cyber security capabilities
Now that you’re aware of the vulnerable points within your organisation’s cloud and data infrastructure, and identified which security processes are responsible for safeguarding them, it’s time to review your capabilities.
Namely, do you have the capability to secure your data against key threats using your existing systems and processes?
To do that, you’ll need to understand the threats you face:
Phishing attacks are typically email-based attacks in which a false request for login details or a fake login screen is provided to a user. Data is then captured and the stolen user credentials used to access secure information.
Phishing attacks can be kept to a minimum using a robust firewall and the use of filters to remove unsolicited and suspect messages. However, you cannot rely entirely on technology – you need to ensure that your staff have received cyber security training which includes how to spot the tell-tale signs of a phishing email and what to do with it.
The classic Distributed Denial of Service (DDoS) attack, a statistic-based attack aims to overwhelm a host by creating a huge number of empty connections, causing the host system to crash entirely.
While it is difficult to use a statistics-based attack to steal information, they can cause costly downtime and should be prevented using intelligent traffic analysis to prevent spoof requests from entering your network.
Where a statistics-based attack focuses on a brute-force approach to destroying a system’s functionality, signature-based attacks repeatedly send the same malformed packet to create a small, exploitable gap in a target’s security.
This can be solved with secure internet-facing firewalls which filter out suspect packets to thwart potential attacks.
If your existing internal security assets can handle these kinds of attack, then you can feel more comfortable about your business’ data security. However just because you have a security system which can prevent Phishing or DDoS attacks, it doesn’t mean that it is correctly installed across your key areas of vulnerability.
5. Securing your points of least resistance
As we reach the halfway point of this cyber security best practice guide, it’s worth recapping the steps you should already have taken to secure your cloud networks:
- Considered who is responsible for implementing a security review and improvement plan
- Taken steps to identify potential sources of cyber-paralysis within your organisation
- Taken a full inventory of your business’ data access points and security processes
- Checked whether your existing capabilities can meet the latest security threats
- Provided your staff with cyber security training
In the best-case scenario, you will have audited your existing processes, best practice guidelines and technology and discovered that you do have the ability to withstand many of the most common types of threat to your data security.
However having the ability isn’t always the same as using that ability. Now is the time to make sure that you’ve implemented the security processes you have available as discovered in step four to ensure that they’re covering the vulnerabilities in step three.
TIP: Mobile device security has a failure rate of up to 100%, if enough devices are in use. Limiting remote mobile access to secure data is a simple way of limiting your risk.
The key points of least resistance to secure for your business will be:
- Internet access and applications
- Cloud platforms and networks
- Email accounts and platforms
- Remote access applications
While internet security can be handled using a wide variety of site filters and scanners, and email security can be a matter of training as much as technology, it is crucial to invest in the correct tools to secure any cloud platforms and remote access applications.
Remote access in particular can be a significant vulnerability for many businesses, with 100% of companies which have over 500 mobile devices (smartphones and laptops) with a remote access capability reporting at least one data breach in the previous 12-month period.
Securing your company’s cloud assets and ensuring safe, secure remote access requires company-wide best practices, specialised tools and next generation firewalls, which we will discuss in point eight of this cloud security guide. But before you can implement a specialised solution, the chances are that you’ll require buy-in from other levels of your business.
It’s time to discuss getting buy-in from the C-Suite.
6. Getting security buy-in from the C-Suite
Only 30% of senior business leaders have an in-depth understanding of online security threats. A staggering 7% have “no understanding of online security whatsoever.”
The chances are that when it comes to security, you’ll need to take the lead. But that will require securing widespread approval from C-Level executives.
The statistics surrounding online security should be enough to prompt them into providing you with funding, as failures cybersecurity can be an extremely costly in terms of trust and a business’ bottom line:
Why Your C-Suite Needs to Take Security Seriously
- 43% – the percentage of businesses attacked in the last 12 months
- £22,300 – the cost of each successful attack on a large business
- 1,579 – the number of publicly disclosed breaches in 2017
It’s a toss of a coin as to whether your business will be attacked. And if your organisation is a victim of one of the thousands of breaches that happen, it could cost you tens of thousands of pounds.
Those are figures which should make any C-level executive take notice. And once they’re invested, it’s up to you to keep them informed with monthly meetings, a quarterly presentation, or even a regular newsletter.
Because when it comes to internal buy-in, once the C-Suite is on-board, you need to focus your efforts lower down the chain.
7. Internal threat mitigation and education
It’s not gaps in a firewall that keep IT decision makers awake. It’s gaps in the knowledge of users. 56% of IT professionals rank targeted phishing attacks as the biggest threat they face, while 42% rank unsecured privileged accounts as one of their key weaknesses.
Even if an email filter or firewall removes 99.9% of phishing emails from circulation, a tiny percentage will still be opened. And the only way to stop them becoming a breach is by educating staff members throughout your organisation.
TIP: Make it simple and easy for people to report a potential breach, whether it’s a suspicious email, or an unexplained login.
This education shouldn’t only focus on cloud security best practices. You will also need to teach users what to do if they spot a malicious email, suspicious content, or other potential data breach.
Only by explaining your company’s policies and weaknesses will you be able to show workers how to plug the remaining gaps.
Internal reporting – the figures
- 77% of businesses don’t have a formal cybersecurity incident response plan
- 26% have an ad-hoc or informal process
- 27% of businesses with a formal plan do not apply it consistently
- 191 – the number of days it takes for the average organisation to identify a data breach
8. Next-generation firewall technology
By now you should be well on the way to formulating a plan for analysing your existing resources, implementing processes to make the most of them, and securing buy-in from throughout your organisation. But the fact remains that in a fast-moving environment, you need a constantly evolving defence.
7 out of 10 organisations say that their security risk increased significantly last year.
Next-generation firewall technology is well established in the market and is designed specifically to combat these changing threats.
Next-generation firewalls vs. traditional firewalls. What’s the difference?
It’s no longer enough to ensure that your internal network is protected from malicious activity. You also need to make sure that your cloud network resources are safe and secured too. This protection also needs to allow safe, secure access to internal assets from external or mobile locations, without decreasing performance of existing resources.
For many businesses, a firewall is only one part of their cloud or cyber security. A single part of an all-encompassing security solution which provides unified threat management:
- A secure, reliable firewall encompassing your in-house and cloud network assets
- Antivirus, anti-spyware, anti-spam, intrusion detection, content filtering and leak prevention
- Remote routing, network address translation, VPN support
- Multiple security layers, including internal and internet-facing firewalls
- Protection for internet applications and email applications
In short, a next-generation firewall doesn’t just plug the gaps in your existing cloud security system. It provides multiple layers of protection from a single control portal, reducing the workload on already stretched IT departments.
What to look for in a next-generation firewall service – a guide:
Simply deciding to upgrade to a next-generation system is not enough. You need to ensure that your network’s security requirements are met as your business changes. While individual considerations will be down to your particular circumstances, there are several things any IT manager should look for:
- Levels of control: What can be delegated to a supplier instead of staff? Do certain computers need greater levels of application access? Can your firewall be tailored to changing business requirements?
- Power: Does the firewall device or service have enough processing power to handle your network’s usual number of connections? Can it be scaled as your company grows?
- Topology: Do you need to add and administer sub-networks with varying levels of protection or isolation? Will certain networks be publicly accessible? Will some need added security while using new external wireless access points?
- Filtering: Do your cyber security best practices require that certain content is filtered? Does the firewall allow for blacklisting via domain or keywords? Can it import a regularly-updated external blacklist?
- Expertise: Can you configure and administer the firewall yourself? Can enough members of your team? Or will you require external support.
That question of expertise gives us one final thing to consider. Who should be responsible for the day-to-day management of your next generation firewall and your cloud security system?
9. What’s the difference between managed and unmanaged security?
Many businesses choose to outsource the responsibility for their security to professional experts. Maybe your business will be one of them.
You’re certainly not alone in seeking help – 59% of businesses have sought external security advice in the last 12 months, and that figure is set to rise as IT departments face competing demands on their time.
But is managed security right for your business? Consider these functions:
- Managed Security: Yes
- Unmanaged Security: Yes
Round the clock monitoring?
- Managed Security: Yes
- Unmanaged Security: Dependent on your workload
24/7 Independent support?
- Managed Security: Yes
- Unmanaged Security: Dependent on your workload
Rapid resolutions to issues?
- Managed Security: Yes
- Unmanaged Security: Dependent on your workload
- Managed Security: Yes
- Unmanaged Security: No
A managed security software service provides you with the peace of mind that comes with having 24/7 support from security experts, without adding to your department’s workload or requiring you to upskill your staff members.
While an on-premises cyber security system requires constant updates and add-ons, choosing a managed service ensures that an external expert is responsible for assessing and applying potential updates, configuring rules and setting security controls, all while ensuring that your cloud security and malware protection is constantly kept up to date.
It adds extra levels of protection for your business without swelling an already stretched training budget, or requiring round the clock availability from your in-house support staff.
Perhaps then, the fastest, safest way to kick-start your cloud security and adopt the right cyber security best practices after reading this guide is to realise you can’t do it all alone.
Help is at hand. Learn more about Touch Secure.