How to secure your front door: mitigating cybersecurity risks in the modern workplace
Terry Doherty, Founder and CEO at Doherty Associates discusses the latest cybersecurity trends and how European and global businesses can mitigate cybersecurity risks in the modern workplace, without compromising productivity.
Globally, cybercrime continues to wage a war, with an increasing focus on targeting businesses, of all sizes, and across all sectors. In the US, U.S. CEOs ranked cyber security as their primary external concern for 2019.
Cyber-attacks are growing ever more frequent and sophisticated in their delivery. A recent cyber security breaches survey reported that a third of UK businesses identified cyber breaches or attacks within the last 12 months. (GOV.UK Say it is 43% https://www.gov.uk/government/news/new-figures-show-large-numbers-of-businesses-and-charities-suffer-at-least-one-cyber-attack-in-the-past-year)
Globally businesses are responding by upping their game in the security stakes, in part, through necessity. The advent of GDPR forced UK companies to look more deeply at their data and be more compliant, but, as Satya Nadella (CEO, Microsoft) says “cybersecurity is like going to the gym. You can’t get better by watching others, you’ve got to get there every day.”
This is especially true as cyber criminals sense the appetite in the marketplace and change their behaviour and strategies accordingly.
The rise of spearphishing
There’s been a steady shift away from the generic ‘spray and pray’ approach, where standardised, generic phishing and spam emails are sent en masse, as common security tools can easily detect and eliminate these types of emails.
Attackers are now turning to more strategic ‘spearphishing’ techniques, which target individuals within an organisation with an authentic looking email from a trustworthy source, using sophisticated information that confuses the user to trust and either open documents infected with malware, click on links to malicious websites, or initiate some sort of financial fraud.
There has also been a rise in attackers purchasing lookalike domains (for example buying a lookalike company domain with a 0 instead of an O) and using them to carefully craft phishing campaigns or send emails from those domains to make it look even more legitimate. The devil is in the detail, and more often than not, it will be very easily overlooked – just one different letter or number can give the attackers the way in.
Vigilance is key, across the entire global organisation. Training staff to spot detail and to double and triple check emails, in particular around the respondents and company domain names, could save your business from financial and reputational damage.
Next generation malware
Malware has also advanced with the recent trend in ‘big game hunting’ – a term attributed to e crime groups that pro-actively identify, research and target large scale organisations to infect them with ransomware (such as the Norwegian aluminium supplier).
Entire networks are compromised leaving organisations no choice but to pay a huge ransom to decrypt its data and gain access to the network again - a very profitable business for attackers, and, more often than not, organisations are willing to pay.
While it’s true that businesses are more protected and often have the correct security infrastructure in place, there will always be gaps. And this is where the attackers will look and find the weak spots, designing malware that is always advancing and sneaking through defences.
So how do you secure your front door against these attacks, especially when it’s most likely located in the cloud, but still ensure employees have the freedom and flexibility to remain productive?
Your people hold keys to the kingdom
The front door of security used to be considered the firewall, the gateway between your internal trusted users and the internet, which in security is considered untrusted.
Now, the front door is everyone within the organisation that has a user name and password. With the rise and use of cloud services, everything is just a URL away, as the user logs on to gain easy entry to the organisations’ data via cloud storage and service facilities.
While these advancements are highly beneficial for increased business productivity, without the correct security manning your front door, potential hackers are just a username and password away from accessing vital information that can disable the entire organisation.
In cloud environments, the identity of the person is the key to the kingdom. Implementing strong ‘access controls’ – which regulates access to internal resources - is important for minimising risk but ensuring everyone has the information they need to do their job at speed. Continually question though how to lock and secure access in a better way? Consider who really needs entry and restrict to only the data and information they need to achieve their role within the organisation.
Traditionally, authentication was based on a single factor, such as a password, to prove the user’s identity. This is no longer enough. We must now add additional factors like biometric-based authentication such as fingerprint, face or iris. Additionally, supplementing the username and password model with a one-time or time-based code that only a specific user has access to, adds another layer of security.
But this does impact on the user, and their usability as most don’t want to be constantly entering codes. Companies like Microsoft have instead enabled conditional access – when an employee is inside the office, where the environment is deemed safer, access will be easier, with less security prompts, unless it is a high value resource. The approach has to be conditional and balanced with usability versus security. Consider the compromise and where things can be more accessible and less of a burden on the user, but still secure.
Mobile application management is the future of BYOD
Bring Your Own Devices (BYOD) policies globally are also on the rise in modern workplaces but with this comes security challenges.
Technology is available that ensures that the corporate assets remain secure should anything happen to the device, while still allowing user management and control of the device. Programs like Office intune allows the business to secure the mobile application management (MAM) as opposed to the entire device. The sensitive corporate data is controlled and protected. If the user loses their phone temporarily for example, just the corporate data will be removed leaving the user’s personal data intact. MAM rather than Device management is the future of BYOD and should be more widely adopted. It offers a compromise between the user and the business, improving the employee experience, and ensures that security doesn’t affect productivity.
Security by default
To ensure security best practice is consistent, security must be baked into every part of the chain. Security by default is about taking a holistic approach; integrating all the elements available ( physical and technical) to safeguard the organisation and provide continuous protection.
Take a human approach when educating employees on policy and threats and bring real world consumer examples into the mix. Encourage them to look at things from a personal perspective to help them better comprehend the dangers; they have already adopted multifactor authentication practice in the home for example to protect their information, so it’s natural that this behaviour should be also mirrored in the workplace.
Communicating in a human way will help your employees better understand the real and present danger of cybercrime and to be more vigilant, mitigating risk to the global organisation while maintaining business continuity.
GfK and VMware: Innovating together on hybrid cloud
GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.
In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade.
“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.
Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.
By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.
One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.
“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.
Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs.
“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.
The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment.
The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.
One very important factor for the GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.
“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.
“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client.
“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”