2019 saw businesses and organisations experience a record-breaking year of cyberattacks as they increased in frequency, intensity and severity. One study recorded a 195 percent jump in ransomware attacks in the UK in the first six months alone. Small businesses, city governments, schools and healthcare organisations were hit especially hard as cybercriminals took advantage of IT departments with fewer resources and smaller budgets.
At every turn, organisations were confronted with ransomware, malware, email phishing and social engineering attacks. It resulted in record data breach levels. Insurance company Hiscox found 61 per cent of businesses quizzed in its annual cyber-readiness survey admitted a breach. And that’s just one among many reports putting breaches at a historic high.
These breaches are costly. IBM Security estimates that a data breach costs UK organisations an average of £2.99 million per incident, a rise of 10 per cent on the previous year.
But cybercriminals aren’t going to let up any time soon. If businesses are going to shift the dial on data breaches, they need to admit the severity of the continuous threat to data. In the new regulatory environment, businesses are held to account for the data they hold. That means, whether they go it alone or enlist the help of their cloud service provider, understanding data security is no longer a luxury, it’s a necessity.
Never trust, always verify
As organisations take data protection more seriously, investments in security and developing more advanced, focused strategies are finally starting to match the scale of the threat. That means there are new and more effective options available to businesses. At the same time, companies realise that security isn’t just deploying technology and hoping for the best; it is about instilling a strategic security philosophy across all parts of the business.
“Zero Trust” is one such strategy. It incorporates technology, services, people and processes into a cohesive approach with multiple layers of defence.
Forrester Research developed the Zero Trust security model a decade ago. It can be summed up as “never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organisation’s network, no access is granted without verification. Zero Trust is necessary because traditional network security can no longer keep data safe from today’s advanced threats. Cybercriminals find it all too easy to breach the outer walls. Once inside, they are free to move around the network looking for valuable data to steal.
Implementing “Zero Trust”
Zero Trust might sound like a negative term, but when your data is at risk, this is precisely the conservative approach you need.
Let’s start with this analogy: If you enter your house through the front door, you expect to have access to all the rooms inside. In a Zero Trust world, you would not necessarily have access to all rooms automatically. In fact, you may not be able to go beyond your hallway without further permission.
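To make the “never trust, always verify” rule and the hallway analogy concrete, here is an added example (not code from the article or from iland) that contrasts a perimeter model, where being inside the network is enough, with a Zero Trust policy that checks identity, device posture and per-resource entitlement on every request. All users, resources and requests are constructed for illustration.

```python
# Added illustration: perimeter trust versus Zero Trust access decisions.
# Every name and value here is constructed; nothing is taken from a real system.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    user: Optional[str]     # verified identity, or None if unauthenticated
    mfa: bool               # strong authentication completed for this session
    device_compliant: bool  # managed, patched device
    source_internal: bool   # request originates inside the corporate network
    resource: str           # the "room" being accessed

# Constructed per-room entitlements: passing the front door grants nothing beyond the hallway.
ENTITLEMENTS = {
    "hallway": {"alice", "bob"},
    "hr-records": {"alice"},
    "finance-db": {"bob"},
}
SENSITIVE = {"hr-records", "finance-db"}  # these rooms also demand MFA and a compliant device

def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything already inside the network is trusted."""
    return req.source_internal

def zero_trust_decision(req: Request) -> bool:
    """Zero Trust: network location is ignored; identity, posture and entitlement are verified per request."""
    if req.user is None:
        return False
    if req.user not in ENTITLEMENTS.get(req.resource, set()):
        return False
    if req.resource in SENSITIVE and not (req.mfa and req.device_compliant):
        return False
    return True

def compare(requests):
    """Return (resource, perimeter verdict, zero-trust verdict) for each request."""
    return [(r.resource, perimeter_decision(r), zero_trust_decision(r)) for r in requests]

# Constructed scenarios: an intruder already past the outer wall with no verified identity,
# a remote employee with MFA on a managed device, and that employee trying the wrong room.
INTRUDER = Request(user=None, mfa=False, device_compliant=False, source_internal=True, resource="finance-db")
REMOTE_STAFF = Request(user="bob", mfa=True, device_compliant=True, source_internal=False, resource="finance-db")
WRONG_ROOM = Request(user="bob", mfa=True, device_compliant=True, source_internal=True, resource="hr-records")

if __name__ == "__main__":
    for resource, perim, zt in compare([INTRUDER, REMOTE_STAFF, WRONG_ROOM]):
        print(f"{resource:12} perimeter={perim!s:5} zero_trust={zt}")
```

The intruder is waved through by the perimeter model but stopped by Zero Trust, while the remote employee is refused by the perimeter model yet admitted once verified, and neither model's verdict depends on which door they came in through.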
Achieving Zero Trust security is a layered activity that starts with physical security as the first line of defence. Physical data centres, whether on-premises or in the cloud, are the crown jewels of customer data and should be treated as such when guarding against cyber theft.
Every data centre should receive equal priority and attention, with consistent security standards across all physical assets. This includes active monitoring, controlled access to all facilities via an approved access list, and secure environmental elements such as power, cooling and fire suppression.
Every security measure should be applied logically across every layer of technical configurations and software to create a secure and stable foundation. Logical security approaches should be used at the network, storage and hypervisor layers; and you or your cloud service provider should offer as much security as possible throughout each layer.
Trust for suppliers and staff is key
Check with your cloud service provider (CSP) to ensure they can properly manage your logical security – trust is an essential factor in your supplier relationships, too. It also means making sure you have trained and experienced people protecting your data who understand how to work within the established controls to secure the various systems.
Verify these people are trustworthy. It is perfectly acceptable to request employee background checks and require that they undertake security and compliance training to keep skills up to the necessary level. Audit your physical security performance regularly with frequent access reviews, annual penetration testing against your infrastructure, as well as regular patching schedules for all systems.
You can also confirm those resources through third-party validations. Even the most secure organisations can benefit from an additional review. You or your CSP should consider adhering to some of the following frameworks and standards: HIPAA, HITRUST, SSAE16, ITIL, GDPR, CSA STAR, CJIS and more.
Looking forward
Cybercrime will escalate in the months and years ahead. Even low-skilled cybercriminals have the means to get into your networks, disrupt your operations and steal your customer data. If they can’t get through the front door, they may still find a side door open through one of your supplier organisations.
You have to accept the likelihood that attackers will find their way into your network one way or another. That means the smart approach is to ensure you minimise the potential for damage and theft once they do. That’s where Zero Trust pays off.
Adopting a Zero Trust strategy and choosing suppliers that support it can eliminate vulnerabilities that aren’t addressed by technology implementations. It can also add an extra degree of control in the severe cyber-risk environment we face.
iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS). It is recognised by industry analysts as a leader in disaster recovery. The award-winning iland Secure Cloud Console natively combines deep layered security, predictive analytics and compliance to deliver unmatched visibility and ease of management for all of iland’s cloud services. Headquartered in Houston, Texas and London, UK, iland delivers cloud services from its data centres throughout the Americas, Europe, Australia and Asia.