And it’s easy to see why.
UK businesses experienced an average of 633 individual attempts to breach their corporate firewalls every single day of 2017, a figure that’s risen consistently throughout 2018.
Even as corporate online security budgets rise, attacks continue to increase both in number and in severity.
With figures like this, it’s easy to understand why businesses are looking to implement solid cloud and cyber security best practices to protect themselves. It’s also easy to see why IT department heads are searching far and wide for reliable cloud security guides.
It’s all down to complexity. As a digital-first work culture increases the number of data access points and extends your network’s security perimeter, it becomes harder and harder to ensure security across your business’ cloud network.
Complex demands require complex solutions, which can lead companies to make snap decisions which funnel their security budgets in the wrong direction.
Limited resources in the wrong places. That’s a recipe for disaster.
This, then, is the solution. Your simple-to-understand cloud security guide to an ever-more complex cyber security landscape. An outline of the technologies you need to adopt, the quick wins which can deliver safer, more secure internal processes and the compelling evidence to secure executive buy-in.
The complete best practice guide to kick-starting your business’ cloud security.
It begins with your key considerations.
Before we discuss the key considerations you need to take into account before adopting your new security strategy, it’s important to make sure that you understand the scale of the issue your business faces. Once you understand the problem, you can determine the relevant security principles you need to implement.
[Source: Cyber Security Breaches Survey 2018]
The problem is real. But as we’ve touched on already, investing in and implementing new cloud security systems and processes can be a complex, challenging and expensive procedure.
By taking the right information into consideration, you’ll find it easier to kick-start your new and improved cloud security best practice processes. That involves understanding the main pitfall which businesses face when implementing any new process – confusion – which in this case takes the form of “cyber security paralysis.”
Once this potential obstacle has been overcome, we’ll explain how you can assess your existing setup and internal capabilities, secure your points of least resistance, and explain how to secure buy-in at every level of your organisation. Finally, we’ll explain how you can secure your business against tomorrow’s threats using next-generation firewall technology and discuss the benefits of managed cloud security.
As an IT manager, CIO or IT director, it’s likely to fall to you to lead this process, but security must stretch beyond just the IT department.
As the person responsible for leading this process, you’re most at risk of cyber-paralysis. So before we move onto assessing your existing strategies and capabilities, it’s time to learn how to prevent this confusion from derailing your cloud security upgrade before it begins.
Many organisations find themselves in a state of constant “cyber-paralysis.” The security environment is fast moving and ever changing and a lack of understanding can lead to inaction – as can old-fashioned laziness and confusion.
We all know that no business is safe from a cyber attack. We all know that new versions of malware are constantly entering the arena and that we need to keep abreast of the latest developments and updates.
We know all this and we’ve got all the best intentions in the world, but still we end up doing nothing.
Why?
Because our good intentions don’t translate into positive actions:
If this sounds familiar, you’re in good company at least. Ticketmaster fell victim to a hack between February and June 2018, however when digital bank Monzo warned them on 12th April about signs of fraudulent activity, according to Monzo’s Head of Financial Crime, Natasha Vernier, they “couldn’t get any traction” out of the company. It took until 23rd June for Ticketmaster to find the malware and secure the breach. Was this evidence of cyber paralysis? Whatever the reason, the knock-on effect of this incident has been a loss of trust which could harm the company’s reputation for years to come.
The best way to avoid paralysis is to take the correct actions. The good news is that by taking the time to read a full, in-depth guide to kick-starting your cloud security, you’ve already taken a positive step. But it’s not enough to just read guides.
You need to take action. Careful, guided action, but action nonetheless.
And that begins with a full and frank assessment of your business’ existing security set-up.
With any new process implementation, it’s crucial to know exactly what you’re working with. That means looking at the systems, processes and personnel you currently have in place, and assessing whether they’re fit for purpose when it comes to tackling known threats.
The initial assessment can take the form of a checklist, a simple yes/no assessment of whether there are processes in place to ensure cloud security for your business’ various data access points – user accounts, email accounts, cloud storage servers and the like:
Making a full list of where and how your company’s data can be accessed, and whether these locations are covered by your security processes will quickly reveal any glaring omissions in your current security processes.
Once you’re aware of all the potential access points throughout your business, it’s time to ensure that there is a security system in place – whether that’s something as simple as enabling two-factor authentication for critical user accounts, or implementing a fully functional secure firewall.
It’s important that this initial assessment phase has full buy-in throughout your entire business. Hundreds of companies have invested in what they believed to be comprehensive cyber-security suites only to find that someone in a distant department was accessing data in a way they hadn’t considered, leading to a vulnerability which could be exploited by malware or phishing attacks.
Later in this guide, we’ll explain to you just how important it is to take internal threat mitigation and education seriously, but for now you simply need to find out how people are accessing and using the cloud-based data that you’re trying to protect. That includes finding out just how many people are accessing secure data using mobile devices.
100% - the percentage of organisations with at least 500 mobile devices that experienced a mobile attack in 2017
[Source: Checkpoint Mobile Impact Report]
Asking is simple, costs nothing, and instantly prompts people to think more about cyber security. It’s a definite quick win for your new security process.
Once you’re aware of what you currently have in place, it’s time to review the capabilities of your existing security setup.
Now that you’re aware of the vulnerable points within your organisation’s cloud and data infrastructure, and identified which security processes are responsible for safeguarding them, it’s time to review your capabilities.
Namely, do you have the capability to secure your data against key threats using your existing systems and processes?
To do that, you’ll need to understand the threats you face:
Phishing attacks are typically email-based attacks in which a false request for login details or a fake login screen is provided to a user. Data is then captured and the stolen user credentials used to access secure information.
Phishing attacks can be kept to a minimum using a robust firewall and the use of filters to remove unsolicited and suspect messages. However, you cannot rely entirely on technology - you need to ensure that your staff have received cyber security training which includes how to spot the tell-tale signs of a phishing email and what to do with it.
The classic Distributed Denial of Service (DDoS) attack, a statistic-based attack aims to overwhelm a host by creating a huge number of empty connections, causing the host system to crash entirely.
While it is difficult to use a statistics-based attack to steal information, they can cause costly downtime and should be prevented using intelligent traffic analysis to prevent spoof requests from entering your network.
Where a statistics-based attack focuses on a brute-force approach to destroying a system’s functionality, signature-based attacks repeatedly send the same malformed packet to create a small, exploitable gap in a target’s security.
This can be solved with secure internet-facing firewalls which filter out suspect packets to thwart potential attacks.
If your existing internal security assets can handle these kinds of attack, then you can feel more comfortable about your business’ data security. However just because you have a security system which can prevent Phishing or DDoS attacks, it doesn’t mean that it is correctly installed across your key areas of vulnerability.
As we reach the halfway point of this cyber security best practice guide, it’s worth recapping the steps you should already have taken to secure your cloud networks.
In the best-case scenario, you will have audited your existing processes, best practice guidelines and technology and discovered that you do have the ability to withstand many of the most common types of threat to your data security.
However having the ability isn’t always the same as using that ability. Now is the time to make sure that you’ve implemented the security processes you have available as discovered in step four to ensure that they’re covering the vulnerabilities in step three.
The key points of least resistance to secure for your business will be:
While internet security can be handled using a wide variety of site filters and scanners, and email security can be a matter of training as much as technology, it is crucial to invest in the correct tools to secure any cloud platforms and remote access applications.
Remote access in particular can be a significant vulnerability for many businesses, with 100% of companies which have over 500 mobile devices (smartphones and laptops) with a remote access capability reporting at least one data breach in the previous 12-month period.
[Source: Checkpoint Mobile Impact Report]
Securing your company’s cloud assets and ensuring safe, secure remote access requires company-wide best practices, specialised tools and next generation firewalls, which we will discuss in point eight of this cloud security guide. But before you can implement a specialised solution, the chances are that you’ll require buy-in from other levels of your business.
It’s time to discuss getting buy-in from the C-Suite.
Only 30% of senior business leaders have an in-depth understanding of online security threats. A staggering 7% have “no understanding of online security whatsoever.”
The chances are that when it comes to security, you’ll need to take the lead. But that will require securing widespread approval from C-Level executives.
The statistics surrounding online security should be enough to prompt them into providing you with funding, as failures cybersecurity can be an extremely costly in terms of trust and a business’ bottom line:
43% - the percentage of businesses attacked in the last 12 months
£22,300 – the cost of each successful attack on a large business
1,579 – the number of publicly disclosed breaches in 2017
[Source: Cyber Security Breaches Survey 2018]
It’s a toss of a coin as to whether your business will be attacked. And if your organisation is a victim of one of the thousands of breaches that happen, it could cost you tens of thousands of pounds.
Those are figures which should make any C-level executive take notice. And once they’re invested, it’s up to you to keep them informed with monthly meetings, a quarterly presentation, or even a regular newsletter.
Because when it comes to internal buy-in, once the C-Suite is on-board, you need to focus your efforts lower down the chain.
It’s not gaps in a firewall that keep IT decision makers awake. It’s gaps in the knowledge of users. 56% of IT professionals rank targeted phishing attacks as the biggest threat they face, while 42% rank unsecured privileged accounts as one of their key weaknesses.
Even if an email filter or firewall removes 99.9% of phishing emails from circulation, a tiny percentage will still be opened. And the only way to stop them becoming a breach is by educating staff members throughout your organisation.
This education shouldn’t only focus on cloud security best practices. You will also need to teach users what to do if they spot a malicious email, suspicious content, or other potential data breach.
Only by explaining your company’s policies and weaknesses will you be able to show workers how to plug the remaining gaps.
77% of businesses don’t have a formal cybersecurity incident response plan
26% have an ad-hoc or informal process
27% of businesses with a formal plan do not apply it consistently
191 – the number of days it takes for the average organisation to identify a data breach
[Source: 2017 Cost of Data Breach Study - Ponemon Institute]
By now you should be well on the way to formulating a plan for analysing your existing resources, implementing processes to make the most of them, and securing buy-in from throughout your organisation. But the fact remains that in a fast-moving environment, you need a constantly evolving defence.
7 out of 10 organisations say that their security risk increased significantly last year.
Next-generation firewall technology is well established in the market and is designed specifically to combat these changing threats.
Next-generation firewalls vs. traditional firewalls. What’s the difference?
It’s no longer enough to ensure that your internal network is protected from malicious activity. You also need to make sure that your cloud network resources are safe and secured too. This protection also needs to allow safe, secure access to internal assets from external or mobile locations, without decreasing performance of existing resources.
For many businesses, a firewall is only one part of their cloud or cyber security. A single part of an all-encompassing security solution which provides unified threat management:
In short, a next-generation firewall doesn’t just plug the gaps in your existing cloud security system. It provides multiple layers of protection from a single control portal, reducing the workload on already stretched IT departments.
Simply deciding to upgrade to a next-generation system is not enough. You need to ensure that your network’s security requirements are met as your business changes. While individual considerations will be down to your particular circumstances, there are several things any IT manager should look for:
Levels of control: What can be delegated to a supplier instead of staff? Do certain computers need greater levels of application access? Can your firewall be tailored to changing business requirements?
That question of expertise gives us one final thing to consider. Who should be responsible for the day-to-day management of your next generation firewall and your cloud security system?
Many businesses choose to outsource the responsibility for their security to professional experts. Maybe your business will be one of them.
You’re certainly not alone in seeking help – 59% of businesses have sought external security advice in the last 12 months, and that figure is set to rise as IT departments face competing demands on their time.
[Source: Cyber Security Breaches Survey 2018]
But is managed security right for your business? Consider these functions:
A managed security software service provides you with the peace of mind that comes with having 24/7 support from security experts, without adding to your department’s workload or requiring you to upskill your staff members.
While an on-premises cyber security system requires constant updates and add-ons, choosing a managed service ensures that an external expert is responsible for assessing and applying potential updates, configuring rules and setting security controls, all while ensuring that your cloud security and malware protection is constantly kept up to date.
It adds extra levels of protection for your business without swelling an already stretched training budget, or requiring round the clock availability from your in-house support staff.
Perhaps then, the fastest, safest way to kick-start your cloud security and adopt the right cyber security best practices after reading this guide is to realise you can’t do it all alone.
Help is at hand. Learn more about Touch Secure.