You’d be forgiven for wondering where to start when it comes to IT security in this brave new world of the cloud, mobility and the internet of things.
Sadly, neither barbed wire nor your very own Jedi Knight is likely to be of any great help.
The Met Police’s Operation Bumblebee, targeting burglary in London, offers advice on prevention covering everything from sheds and outbuildings to security alarms, property marking to bogus callers. And, of course, the wide variety of doors, windows and locks that are available.
Let’s face it, there’s little point in setting the burglar alarm but leaving a key under a plant pot at the front door.
In many respects, there are certainly parallels to be drawn with keeping your technology environment secure; especially the fact that you can’t afford to overlook any part of the system.
The first challenge is to identify and define everything that needs to be protected.
Gone are the days when IT security was focused on protecting the perimeter of your system.
There was a time, before laptops, tablets and BYOD, when all of your technology and, more significantly, all of your data – other than your backup tapes – was confined to the office.
Even when connected to the outside world – it’s difficult to conceive how we ever lived without email – getting into the system would have required the equivalent of shinning up a drainpipe and squeezing through a ventilation outlet in the dead of night.
The knight in shining armour was AV. Unfortunately, there are still those who believe that’s the case. Surely you wouldn’t try to fight a lightsaber with a claymore.
It’s not just the mechanics of the threat that have changed – and we’ll come back to that later. The nature of the threat has changed too.
In the early days it was all about the archetypal hacker, sitting in his bedroom spending hours trying to cause as much mayhem and disruption as possible. All just for the sport.
The cost to the victim was the time required to return to business as usual. Whilst that could be significant, the main motivation for the attack was thankfully not often criminal gain.
There’s no doubt that hacking has moved on. Make no mistake: it’s no longer the domain of the techie nerd.
It’s now big business.
In fact, a burgeoning industry has emerged to support the hackers, with a range of tools, data sources and dashboards available on a subscription basis (after all, even criminals need to think about cashflow!).
So, most worryingly, being technology-minded, the perpetrators are using state-of-the-art business intelligence to inform their nefarious practices. Which arguably puts them a number of steps ahead of the majority of their potential victims.
The level of sophistication is justified because the stakes have been raised and the rewards are substantial.
Disruption of the victim’s commercial activities continues to take the form of DoS (denial of service) or DDoS (distributed denial of service) attacks – the latter being where networks of hacked computers are recruited to target a specific service and cause chaos.
But the most valuable prize is data. And that’s well worth remembering.
In fact, data should almost undoubtedly be the starting point when you’re thinking about IT security in the context of the modern technology environment – or rather the modern technology ecosystem.
The term data is unhelpfully vague. So let’s be more specific. It could be intellectual property, user account passwords, sensitive email correspondence, bank account information, EPOS records, payment information or credit card details.
Some data has an inherent value. Other data provides a gateway to greater riches, or maybe even the crown jewels.
Where is the data held? Who has access to it? Does it need to be shared with a number of users? And how is it transferred between devices?
Back in the good old days of the early James Bond films those precious microfilms were secured in one of Q’s impregnable attaché cases, entrusted to our hero and set to self-destruct should they fall into the hands of the enemy, rendering them worthless.
Sounds like a plan!
Or perhaps just implement file encryption?
In very basic terms, there are two ways to protect your data and they should work side-by-side.
Ideally, the data wouldn’t get into the wrong hands in the first place, and that’s about preventing access to the devices and systems on which it’s held. That can be easier said than done when you take into account that this could include servers, PCs, laptops, mobile devices, USB or memory cards, ‘the cloud’, and so on…
Having mentioned it, it’s worth pointing out that most of the security concerns regarding the cloud are typically unjustified. Datacentres should operate the highest levels of security – far greater than a locked server room in the corner of the office – and the challenges lie around the way users interact with information and documents held in the datacentre.
The likelihood is that you’ll need a combination of endpoint protection, MDM (mobile device management), UTM (unified threat management), group policies, multi-factor authentication, DLP (data loss prevention)…
The great thing is that these are tools that have been developed by incredibly clever people who are even smarter than the criminals. In fact, some of them probably started life as hackers – hopefully part of the new breed of ‘white-hat’ hackers – which has its advantages when it comes to knowing how to break into systems.
The problem is that your average user is typically not quite so smart. Not necessarily stupid but perhaps not as thoughtful as they should be. And we all lead busy lives!
That brings us back to how the mechanics of the threat have changed.
It also links back to ‘Operation Bumblebee’: the parallel here with the world of burglary is the ‘bogus caller’.
In the world of IT security, it’s known as social engineering and it’s come a long way since the days of the overseas millionaire who has sadly passed away but has remembered you in their will.
The concept of ‘sharing’ has been driven by the ever-increasing popularity of social media and ‘collaboration’ can certainly help businesses to work more effectively and more efficiently. However, it’s not always good to share, or certainly not indiscriminately, and when you do it’s crucial to use the right tools – such as SharePoint and OneDrive.
And the fact that a significant proportion of us have, at one time or another, clicked on a link that we shouldn’t have is clear evidence that the weakest link in any IT system is the people who use it.
Mobility and flexible working are opening up new opportunities. But at the same time, they are opening up weaknesses and vulnerabilities in your network.
In all probability, sensitive data is being accessed on a wide range of devices and potentially shared with a simple, single click. At the same time, the boundaries between work and social are becoming increasingly blurred.
At this point, you’d be forgiven for thinking that, in the words of Frazer from Dad’s Army, ‘We’re all doomed!’
The missing piece of the IT security jigsaw – too often overlooked or not considered – is encryption.
If your encrypted data falls into the wrong hands, it’s effectively rendered worthless to whoever holds it. Encryption can be applied to everything from individual files to USB sticks, mobile devices and the cloud.
Like everything in the world of IT security, the sophistication of encryption continues to evolve, with files that recognise ‘trusted’ devices and multi-factor authentication using temporary codes.
It focuses on the core of what you’re looking to protect and in that respect it’s a complete reversal of the traditional approach of protecting the perimeter of your system.
So, whilst it shouldn’t be viewed on its own as the ‘magic bullet’, maybe encryption is where you start when it comes to IT security in this brave new world of the cloud, mobility and the internet of things.