A couple of months ago we saw the General Data Protection Regulation (GDPR) officially approved by the European Parliament. This new legislation, which comes into force on 25 May 2018, is set to place a much greater emphasis on data security and transparency, forcing companies to reveal when they have been attacked. The legislation will also impose tougher penalties on those organizations that find themselves in breach of it.
Although probably surprising to some, thinking about your organization’s data security infrastructure in terms of medieval warfare will actually help you to consider all of the potential threats posed to it, and most importantly, give you the insight you need to create a robust security infrastructure.
To truly protect your hypothetical ‘digital estate’ from external threats, you’ll need to do a full audit of the security infrastructure you currently have in place; the monitoring you have for the early detection of threats; the proactive steps your business can take to deter attackers in the first place and the tools you have at your disposal to react and neutralize threats. Taken simply, your audit should fall into four simple categories: build, watch, proact and react.
Build
Identify what, and where, your highest value digital assets are held. For example, this could be customer’s personal data or highly confidential information about your organization, such as your intellectual property. You’ll also need to identify the current protection you have in place and any areas that may need additional protection. Having knowledge of how your organization is connected externally is essential, along with a clear idea or map of any ‘backdoors’ into your system that could be exploited by hackers.
Like the estates of old, you should aim to create a ‘keep’ which houses your business’ most precious data. In addition, you should build security into your data infrastructure that not only acts as a deterrent to potential threats, but creates small rooms and staircases which disrupt and contain cyber-attacks if they penetrate your external defenses. In olden times, it was assumed attackers would get in and preparation was put in place to help regain the ground, in today’s modern world businesses must do the same.
Watch
If you were preparing to defend your realm in medieval times, you’d need to know who you’re defending it against. What’s more, you’d need to have a number of sentries on guard, inside and outside of your estate, to raise an alert if there were marauding hoards on the horizon looking to attack.
This is certainly advisable when it comes to your organization’s data infrastructure and cybersecurity. You need to ensure that you’re using the most up-to-date software and applications to monitor and alert you instantly to any potential threats. Using the latest monitoring systems will also allow you to detect where your biggest threats are coming from and how they operate. What’s more, you’ll need to adjust your defensive position constantly to ensure hackers are kept at bay.
Proact
As the old adage goes, “prevention is better than cure”. This is certainly true when applied to the security of your data. To be as proactive as possible, organizations need to look at how they currently deter attackers, what training they provide for their workforce to minimize threats, and how patterns and common behaviors in their data security processes can be avoided.
One way of minimizing security threats could be something as simple as limiting access to some of your organization’s most important data – only giving access to those who need it to carry out their day-to-day tasks. In addition, deploying a company-wide cyber hygiene policy for your workforce could also minimize security breaches. For example, a policy could ask employees to observe certain rules around aspects of online data handling and office IT equipment.
Most importantly, companies need to make their daily monitoring and audits as unsystematic as possible – this making it impossible for potential attackers to get a handle on when the best time to launch an attack is. If you were deploying sentries to patrol your estate’s perimeter wall every day at the same time, enemy forces would quickly learn where and when to hit you the hardest.
React
Although many businesses will have already deployed effective security against cyber-attacks, it’s almost inevitable that many of them at some point will experience a breach. As a result, organizations need to look at how they will react when one comes along, and also how they will deal with transgressors.
The one thing many organizations need to bear in mind is that they must be prepared to react. In fact, the reaction to an attack needs to be firm and most importantly rapid in its response. It’s also important to ensure that you have the right weapons in your arsenal, such as encryption techniques, to fend off attackers and minimize any data being compromised.
You should also ensure that a thorough cause and effect analysis of attacks takes place after they occur – thus enabling you to build additional security or reinforce where your network needs it the most.
With security continuing to dominate the headlines, and the companies that are breached facing the backlash of the media, organizations need to be extremely confident everything is in place to protect against any form of cyber-attack. Taking a look back in time could prove useful in auditing, rationalizing and taking the steps you need to defend your most precious digital assets and resources.