Data Security – Prevention or Mitigation?

When it comes to data security, the weakest links are often right under our noses, as a new report from The Bunker highlights, but the issues are much wider and deeper than that, according to the channel players we spoke to.

Data security has risen up the list of concerns businesses are now facing – mostly driven by compliance factors such as the GDPR – and as the security market continues to flourish, resellers are faced with an ever-expanding set of options that could be slotted into two broad camps: prevention and mitigation.

From a data security perspective, the last 12 months have been dominated by the Cambridge Analytica-Facebook incident and by concerns around the security and uses of personal data, heightened by the introduction of the GDPR.

This has acted as a wakeup call for businesses that security should be the number one priority for organisations.

Geoff Forsyth, the CTO of PCI Pal, says that consumers have always felt protective of their data, but with new legislation redefining the data landscape, they have grown more confident and firmer in demanding their data be treated with respect, that its uses are kept visible and clear, and that it is used only as they agreed.

Is it now a case of ‘when’ not ‘if’ when it comes to security breaches?

Ian Kilpatrick, Strategic Advisor for Cybersecurity at Nuvias, says that today everyone has to plan on that basis.

“A long time ago, people thought I’m part of a big shoal of fish, when it comes to suffering a security breach, and it’s never going to happen to me. Then we moved to being breached becoming much more likely. The reality now is that it’s very likely. Even if you’re a comparatively small business, it’s just too easy and cheap for criminals to dial up attacks on the dark web. You don’t even need any skills. There’s a whole infrastructure for attacking.

If you think you’re not being attacked, the chances are that you just haven’t noticed a breach – even large companies are still taking in the region of 150+ days before they are finding attacks. So for a small company, how many days is it going to take to detect a breach? They probably aren’t going to know until they suffer the consequences of the breach, such as money being stolen.”

Matthew Bruun, Regional VP at Forcepoint, believes that breaches are pretty much inevitable.

“In the last seven years one trillion dollars has been spent on cyber security (Source: CyberArk Global Advanced Threat Landscape Report 2018), but every CISO we speak to feels no safer for doing so. More aware of risk perhaps, but no safer. When we spend the next trillion, do we expect a different result? It’s the definition of madness to keep doing the same thing, but expect a different outcome. That’s why a human-centric approach is different. We make humans – and not events – the units of analysis, meaning security professionals can use events as a data input to understand what each individual is trying to do by their behaviour.

Based on that understanding and intent, you can then apply different policies depending on the riskiness of that behaviour. Additionally, you can get aggressive with automation to stop threats without breaking the environment.”

Ryan Weeks, Chief Information Security Officer at Datto, says that, unfortunately, it is very easy to perform certain types of cyber-attacks that lead to ransomware infections.

“The main risks of security breaches are loss of data – potentially client data or personal data, loss of productivity, loss of revenue, loss of reputation and now, following the implementation of GDPR, hefty fines. This means that every business, no matter its size, needs to have a strategy in place to prepare for, deal with, and eliminate material risks that could lead to security breaches. Our recent global ransomware report showcased this, with all operating systems shown as at risk, including iOS on your iPhone! The same report also found that in comparison to other solutions, the most effective for avoiding downtime caused by ransomware is business continuity and disaster recovery. Roughly 90 percent of the MSPs that we spoke with reported victimised clients with BCDR fully recovered from a security breach in 24 hours or less.”

Dave Moss, Security Practice Lead, Comstor, says it’s more likely a case of ‘how often’, ‘how do I find out’ and ‘how can I remediate’?

“A breach has probably occurred in most organisations because current security postures are generally not sufficiently robust or evolved. For instance, when we’re running a NGFW proof-of-concept or pen test, it’s very common for red lights to go off before the engineer has left the building. A breach is not always immediately apparent or sinister – if you’re a potential launchpad for a denial of service attack, how would you know who and what was lurking on the network? As it’s commonly months before anything gets noticed, if, at all, threat intelligence services like Talos, which monitors more traffic than Google and Microsoft, that alert in less than a day are of immense value.”

Colin Tankard, Managing Director at Digital Pathways, says every organisation should expect to be breached; the only question will be the severity of the breach and how long it will take to recover.
“For example, to clean all infected servers and PCs of malware and restore business operations to normal with, hopefully, no loss of data.”

Vincent Disneur, Head of Sales and Marketing for Union Street Technologies, says that as with everything, there’s an element of Murphy’s law involved in all things related to data security, but he does not believe security breaches should be seen as inevitable.

“By implementing robust security frameworks that are based on assured repeatable process, there is much a company can do to mitigate its risk.

Following independent audits of our information security management systems (ISMS), Union Street has been certified by the British Standards Institution (BSI) for the internationally recognised ISO/IEC 27001 standard in Information Security Management since 2016. Qualifying required us to make some big investments into our security and hardware infrastructure.

Based on this experience, I can say that maintaining information security is certainly challenging, but by no means impossible.”

What have we learned since GDPR regulations came in nearly a year ago?

According to Ian Kilpatrick at Nuvias, it might look like nothing much has happened regarding GDPR, but it has. It’s just taking a while for fines to come through.

“Those who are in breach are still being selected and processed. For example, the recent Google fine related to the situation on 26th May last year, just after GDPR was introduced. It’s taken this long for the fine to come through. It was a fine regarding a structural breach as opposed to a fundamental security breach, so we haven’t yet seen a penalty for a full security breach.

A recognition of what people need to do re GDPR hasn’t struck home yet. Many people thought they were on the right path to GDPR compliance, as it has been relatively quiet. But when the big penalties come through, they are going to want to re-evaluate their position.”

Richard Stevenson, CEO of Red Box, says his company is seeing many businesses looking to turn compliance and regulation investment into opportunity.

“GDPR prompted businesses to take a step back and have a proper look at what systems and data management processes they had in place. In some cases, it meant bringing things up to date and investing in new technologies, for others it gave them the chance to really consider how they can use the data they are legitimately collecting to help run their businesses more effectively and better serve their clients.

Transcribed call data can help support organisations in meeting GDPR regulations with the ability to export records, including all metadata, to a CRM platform of choice creating a single customer view. The ability to link communication data captured from different sources to an individual is crucial should consent be withdrawn at any point. It also increases the number of calls audited to check that processes are being followed, for example, consent is being obtained. However transcribed conversations also provide a consolidated data set that can be leveraged to provide highly valuable business intelligence within analytics and AI tools.”

Fast Facts:

February 2019: It has been revealed that there have been 59,000 data breaches reported across Europe since GDPR was enforced last May. Out of these 59,000 reported breaches, 10,600 were from the UK. The report also revealed that only 91 fines have been issued so far.

Vincent Disneur, Head of Sales and Marketing for Union Street Technologies, says that GDPR has certainly woken the business community up to the importance of data security.

“In August 2018, the ICO released its annual report which showed a massive jump in voluntarily reported breaches from 2,565 in 2016-17 to 3,311 in 2017-18. This 29 percent increase can likely be attributed to a growing awareness of what constitutes a breach.

At Union Street we’ve certainly noticed a huge increase in the number of requests for information on our ISMS and, post GDPR, we’re frequently asked for information on how we process customer data. We’ve also noticed that communication providers (CPs) of all shapes and sizes now seem to have dedicated information security personnel, whereas before that was a rarity outside of the very largest CPs.

Ultimately, increased awareness can only be a good thing. Perhaps the most important lesson that the business community has learned through its efforts to comply with GDPR, is to view unnecessary sensitive data as a liability. Any potentially sensitive data that is held must be identified, continually reviewed and, if it’s not absolutely required, it should not be stored.”

What are the main sales opportunities and top channel tips for monetising data protection solutions?

“We are here to solve our customers’ security challenges, so often thrown up by digital transformation projects, or indeed by ensuring compliance with GDPR,” says Duncan Brown at Forcepoint.

“Channel teams can take customers and prospects through three simple steps to identify security risks, reach common ground amongst employees and accelerate their journey towards a more comprehensive data protection programme:

Identify where personal data resides and map data flows – Most organisations are not sure exactly where their data resides at any given point in time. As data moves beyond the walls of a perimeter, it tends to “hide” in sanctioned or unsanctioned devices and apps. Data loss prevention (DLP) technology can be used to gather information about data, including what the user is attributed to, the data type, where it lives, when it was accessed, and its permissions. Combining cloud access security broker (CASB) technology with DLP helps to identify personally identifiable information (PII) as it moves through the cloud.”

Mark Curtis-Wood, Head of Network Services, Nimans, says this is a hot topic, which therefore creates a fantastic opportunity.

“However, measuring and communicating cyber risk can be difficult as the threat is constantly changing. Rather than focus on fear and uncertainty it requires a shift in thinking focusing on cyber security’s strategic importance to the health and prosperity of a company’s digital transformation strategy. The right cyber security investment can improve a company’s bottom line by minimising business impacts and uncovering related business capabilities.”

Ian Dutton, Security Pre-sales Manager at Westcon UK&I, points out that you can’t protect data without security.

“Partners focused on reducing overall complexity, and cost, of operation of a customer’s security posture will be of greater value. So, whilst dedicated DLP solutions exist, they must be seen in context of an overall security strategy. This presents a huge opportunity for partners that invest their time and skills in this area, and customers that acknowledge their vulnerability will welcome the input.”

Prevention or mitigation? Are both approaches needed to tackle this problem? Are we seeing other types of solutions in the market?

Essentially they are both needed, says Ian Kilpatrick at Nuvias.

“While theoretically prevention should be the solution, the reality is that some of the attack vectors will penetrate security. Depending on the type of organisation you are, nation states will be directly targeting you. Prevention will absolutely not do the job of protecting you.

We are seeing more mitigation at the high end, where companies are looking to identify an attack, stop it, depress it and analyse it. At the lower end of the market, the prevention route is the bigger route because organisations don’t have the resources to do more. But there is strong growth in managed services. MSPs are providing solutions that give users a better route to prevention, alongside better analysis for mitigation.”

Prevention and mitigation are two sides of the same coin, according to Matthew Bruun at Forcepoint.

“It is important for organisations to obtain a complete picture of all data used in the organisation and any associated potential risks. For example, Shadow IT can often exceed 35 percent of a business’s total cloud usage and this includes active services, such as home-grown web applications, and also dormant (inactive current employees), orphaned (ex-employees), and external (contractors) accounts. Even sanctioned cloud usage can be misreported or get lost in the transition and course of day-to-day operations. Mitigating against the threats posed by a data breach means preparing properly, and in depth.

What is true for all organisations however is that the cloud dissolves traditional perimeters and increases business velocity by removing the friction caused by legacy systems while also creating the need for ever-tighter security. As organisations roll out “cloud first” policies, proper discovery, governance, and protection are three boxes that must be diligently checked if businesses are to expose security blind spots and protect personnel and data.”

Ryan Weeks at Datto says it is important to understand that there is no silver bullet to protect against cybercrime.

“Organisations must ensure that if the worst does happen, they can recover. They need to ensure they have a robust and tested incident response plan in addition to a well-functioning business continuity and disaster recovery solution.”

A pragmatic Iain Sinnott, Head of Sales at VanillaIP, says that prevention and post-issue management are naturally both required: you don’t leave a gate open just because you are good at rounding up lost sheep.

“VanillaIP has always approached business challenges with this dual focus and Credit Lock is perhaps a great example. Each extension on our system has protection through authentication; call capacity management restricts any hacker’s commercial potential and outgoing call plans are applied to restrict potential access to ‘pirate’ territories (unless those destinations are required by the client for business as usual activity). But behind that, as a fail-safe, we have a commercial trigger driven, fully automated ‘off-switch’ on each extension to make sure that if we are beaten, then cost is low.”


An Inside Job

A new report from The Bunker, the UK managed services and data centre provider, has highlighted that senior executives are still often the weakest link in the corporate cybersecurity chain and that cybercriminals target this vulnerability to commit serious data breaches.

According to the report, many senior executives ignore the threat from hackers and cybercriminals and often feel that security policies in their respective organisations do not apply to their unique position. However, in reality, their often privileged access to company information makes their personal accounts extremely valuable to exploit and heightens the need for extra care. In addition to highlighting the common mistakes made by senior executives, the white paper lists the top security areas that should be prioritised to ensure cybersecurity resilience.



MSP Viewpoint

Asked whether it is now a case of ‘when’ not ‘if’ when it comes to security breaches, Jason Humphreys, Senior VP Managed Services at Farnborough-based MSSP, Foresite, which sells exclusively via the channel, says this has arguably been the case for some time.

“Whereas before though many companies were largely unaware their IP or finances were being siphoned from their business, the sophistication of our protection today, along with the more widespread adoption of security products and services, gives us much better insights as to what is happening across our business and endpoints. That said, there are still many companies that are not even doing the basics right, and for those that are, the bad guys are smart, and are continually evolving their threat vectors.”


Ed Says…

I tend to agree with a prediction from PCI PAL for 2019: Cyber-attacks will evolve rapidly and unpredictably in the next year, but three core principles remain the same: vulnerabilities will be found in new systems that will be attacked sometimes even before being discovered, old systems with known vulnerabilities will continue to provide a glut of opportunities for attackers, and human error will be a reliable target for any malefactor. Perhaps it is time to embrace an MSP based solution that could, as suggested here, provide solutions that give users a better route to prevention, alongside better analysis for mitigation?

David Dungay

Editor - Comms Business Magazine