When BYOD originally took off, security concerns drove companies to take measures to counteract the risks of allowing remote access to company data from employee devices. Many believed they had shut the door to cybercrime. In reality, data breaches have continued to soar, writes Mike Simmonds, managing director, Axial Systems.
According to research from PwC, showcased in a recent infographic from Swivel Secure, the number of small firms experiencing a data breach jumped by 14 per cent last year – and although in 2014, the average cost of such a breach was £90k, it rose to £190k in 2015. The number of large companies suffering a breach rose 9pc over the same period, with average costs per breach increasing from £800k in 2014 to a phenomenal £2.3 million last year. In total, a staggering 90pc of large businesses admitted to a data breach, with more than two-thirds having been attacked by an unauthorised outsider in the last year.
Scoping the Challenge
The possibility of being fined is another significant concern. The new General Data Protection Regulations (GDPR) puts stringent new data protection requirements in place and will impact any companies holding any data at all about any EU citizen. The most severe penalty available for non-compliance with GDPR is a fine up to 20 million euros, or in the case of an undertaking, up to 4pc of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For businesses that fall victim to these cyber-criminals, the reputational damage suffered can also be severe. Serious fines attract media coverage and may deter prospective customers signing up. The inability of the business to recover what has been lost by the breach can further compromise credibility. After all, while some cyber-criminals steal data, others corrupt it and make it worthless. Ransomware, for example, may simply encrypt all of the business’s data with a key that the organisation cannot access. The business has no recourse to any third party in its bid to retrieve the information, further undermining its credibility with prospects and customers. So why are we seeing more breaches and what steps can businesses take to protect themselves and bring cybercrime under tighter control?
Part of the reason for the rise is probably down to greater reporting. The pending introduction of GDPR means that if you do suffer a breach, you have to reveal it to the authorities. The regulation was approved by the European Parliament in April 2016 and all organisations that process personally identifiable information (PII) must comply with it by May 2018. So, businesses need to get their reporting mechanisms in place as soon as possible.
This higher level of reporting though should not disguise the fact that the increase in data breaches is real and many factors are fuelling it. Data growth is continuing to rise exponentially – and so too is the volume of data potentially available to hackers online. In line with this, cyber-criminals are becoming increasingly sophisticated. Many have organised into professional groups, with a highly-skilled workforce operating across far-flung networks. Breaches are becoming more targeted also at least in part because it is as cheap and easy to launch targeted attacks today as it is to adopt a blanket bomb approach.
At the same time, many businesses are migrating their data to the cloud for storage (one in three now use cloud data storage, according to the survey), changing the nature of access again and bringing with it a whole raft of new security concerns. Businesses now need to think about more than just their own security and ensure that their level is at least mirrored by that of their cloud service provider. They must be confident, for example, that any data transitioned to the care of that provider is encrypted the moment it lands rather than post-landing. Most companies do not realise that if they are using cloud services, they are themselves still liable for the security/integrity of any data forwarded to those services. With the coming of GDPR and the associated fines, this is hugely important. Simply saying it’s the fault of the service provider for any data loss just won’t pass muster in this context.
At Axial, we advise customers to encrypt data themselves as it leaves their building. This ensures there are two layers of encryption – so that if one is compromised, one remains encrypted, whether the data is in motion between the office location and cloud service or whether it is at rest at each location.
Role of authentication
Whatever the nature of the data it is looking to protect, the business must exercise ‘due diligence’ at all times and that means much more than just taking a cursory glance at the data. In this context, following due diligence entails the business undertaking a thorough review of its data protection processes and what steps it can take to make them even more secure. The data from the Swivel Secure infographic, which draws on 2015 research from PwC indicates that organisations still have much to do in this respect. 32% of those surveyed had not had any form of security risk assessment. More than a quarter (26%) do not evaluate how effective their security expenditure is, while just 60% said they were confident that they had adequate security skills to manage their risk for next year.
While ease of access is of course important, businesses also have to be focused on ensuring that employees never compromise security in exchange for it. There is a need for education here. Take the manager that needs to deliver a presentation the next day and wants to store it in an accessible place. There is a natural inclination to save the slides in multiple locations – on the company laptop, on a file sharing application and on a memory stick, perhaps, with the rationale that if one location fails, the others can serve as a back-up.
Such an approach creates its own problems, however – and users need to be made aware of the issues and concerns. If the laptop is left on a train, it could be easy prey for anyone with the skill and inclination to break into it. The file sharing application could potentially be compromised also, while USB sticks are frequently lost. Simply by taking the data outside of the corporate infrastructure, you are bypassing all the security infrastructure and potentially putting sensitive information at risk.
It’s a clear demonstration of how so many businesses can make themselves vulnerable by effectively sleepwalking into data breaches. So what’s the solution? Technology should always be part of it. Anti-virus and anti-malware software needs to be implemented and kept up to date. Data leakage protection can also be put in place, providing electronic tracking of files, or putting systems in place that stop users arbitrarily dropping data out to cloud services. Critically though, adaptive authentication, in which risk-based multi-factor authentication is used to ensure the protection of users accessing websites, portals, browsers or applications, also has an increasingly key role to play.
Being able to manage user authentication based on such parameters as who, when, where and what is essential, of course. Adaptive authentication solutions such as Swivel’s AuthControl provide the ability to manage how users authenticate to the network or individual applications based on multiple parameters and a risk score. For example, a business may decide that access to HR/Finance records carries a high risk whereas mail does not. In that case, name/password may be sufficient for mail access but two-factor user authentication and a digital (machine) certificate are required to access the finance application – even for the same user.
Furthermore, adaptive authentication provides a great user experience in hybrid environments where a combination of on-premises, remote access and cloud services are delivered by the business.
So adaptive authentication is key but it has to be delivered as part of an overall strategy. Technology is critically important but ultimately countering data breaches effectively is also about education. Businesses need to hammer home the message that employees need to take a responsible approach to managing and protecting their data. They must be aware of the potential security threats and do all they can to mitigate them – from keeping care of devices they use at work to making sure their passwords are consistently strong. The battle against the cyber-criminals will continue but if businesses are to fight back and reverse the ongoing trends, they need their employees to be onside and focused on keeping data safe.
