What to Do When Your Network Perimeter has Evaporated and GDPR is Coming

By: Karl McDermott, Three
On: 6 Jul 2017

A network security perimeter is no longer a guarantee of data security. There is simply too much data being accessed, worked on and shared outside the protective confines of the network.

However, data security for your business is still achievable, as long as you are aware of your three key vulnerabilities and how to address them.

Those vulnerabilities are the technology you use, the processes you work to, and the people involved with both. That doesn’t leave much in terms of data security that’s worry-free, except your business premises. After all, why would anyone bother physically breaking in when they can smash and grab your valuable data from the comfort of their computer screen?

Many of the data security issues challenging businesses today arise from the fact that fewer employees now spend their time in the same way as the phishers, hackers and spammers: sitting in front of a screen at a desk. Instead they are out on the road, or working from home, or at a customer’s premises, or in a coffee shop, using any of the mobile devices available to them. This means that earlier investments in security to protect your business’s network perimeter now need to be enhanced. The challenge for every business is to enable mobile communications that are not only seamless but also flawlessly secure – from anywhere and on any device.

Vulnerability No. 1 – Technology

One way to minimise the risk posed by your mobile employees is to use a sandbox. This technology separates business apps from personal apps on devices. Business apps and company data remain within the sandbox, where the data can be worked on and shared via secure business networks. The separation from non-business apps offers some protection: for example, if an employee wanted to share company data to Dropbox, or to attach it to an email from their personal Gmail account, they simply wouldn’t be able to. Similarly, they won’t be able to import data from outside the sandbox, where it could have been corrupted or infected, to inside the sandbox.

Employees will however need to communicate and share data both internally within the business and externally with customers and business partners, and these communications will need to be secure. Customers will also want to communicate securely with your business: whether to make enquiries, place orders or make payments. How can you ensure that the communications are only accessible by the people they are intended for? As more applications now reside in the cloud rather than within the corporate network, there’s also the challenge of maintaining security as employees or customers connect to them.

In the past the answer has been to establish a Virtual Private Network (VPN), providing security equivalent to the organisation’s private network even when outside it. This is a tried and tested solution, but also a time-consuming and cumbersome one, as a new VPN has to be established for every instance of communication.

Now there’s an equally secure but much more convenient solution in the form of the micro-VPN, which has the same function but is established automatically and instantaneously with every communication.

Vulnerability No. 2 – Processes

You can tackle data security issues with technology, but without proper processes the risk is still there.

One such critical process is to regularly back up all data offsite. This will enable your business to continue to function in the event of a ransomware attack, which would otherwise make your business’s own data inaccessible until you pay a ransom.

Regular and frequent software updates are also essential to keep your data secure. One reason the NHS suffered so badly in the WannaCry attack was the widespread use of software that hadn’t been updated. Out-of-date software tends to have numerous known vulnerabilities that attackers can exploit. Research has shown that instigating regular updates makes people more likely to adhere to the schedule, makes the updates smaller and quicker, and leaves a smaller window of opportunity for attack.

Vulnerability No. 3 – People

Unfortunately, even if you take all the above steps to secure your data, there still remains the data security risk that’s the most vulnerable and unpredictable of all: people.

Phishing attacks exploit this vulnerability by tempting people to click on a link without first checking its source. More sophisticated attacks spoof regular emails. They may use an email address which looks legitimate. The email may even be disguised as coming from another department or colleague within the business. Employees must be trained to be alert to such possibilities at all times, and to never click a link in an email that is not from a trusted source. Advise them, at best, to ignore the email completely or forward it to the IT team to check and, at worst, to copy and paste the link into a browser rather than clicking on it.

While sharing business data needs to be strictly regulated and should only take place when correct processes have been followed, sharing information on security breaches needs to be encouraged and become the norm.

The ‘connectedness’ of businesses means that the security weaknesses of a partner business can make you just as vulnerable as they are. For example, a major US retail chain had the credit card details of 70,000,000 customers stolen. Yet it wasn’t via a direct attack on the company’s own financial records, via its electronic cash registers, or even initially through its own network. It was through a vulnerability in the network of the heating and ventilation company monitoring the retailer’s air conditioning.

The General Data Protection Regulation (GDPR) comes into effect in less than a year. Even so, 42% of Irish businesses (recently surveyed by Ward Solutions in association with TechPro magazine) still have no plans in place to deal with data breaches.

If you’re a business owner or IT Director, the risks and potential fines will send a cold shiver down your spine, whatever the state of your air-con.
