security Archives - Page 2 of 4 - Cyber Secure Forum | Forum Events Ltd

Why your organisation needs the password police

Stuart O'Brien

By Steven Hope, CEO of Authlogics

We live in a world full of policy, etiquette, regulation, and law, that provides a written and sometimes unwritten framework for codes of conduct that are deemed acceptable or unacceptable in our society.

However, having rules in place does not guarantee compliance. It is for this reason that we have police forces, armies, industry watchdogs, regulators, peer pressure, and more to help ensure the rules are followed, and in the main, as a society, we are very good at obeying orders. Consider how most of us adhered to strict lockdown rules during the pandemic, and despite queues stretching for many miles, people took their place in line and waited to pay their respects to Her Majesty Queen Elizabeth during her lying-in-state.

However, there are instances where we may be more willing to bend the rules, especially if we perceive a victimless crime. Passwords are a good example. A lot of organisations have a password policy, but many employees do not adhere to the rules, with passwords not being changed as frequently as required, the necessary format not being followed, the same password being used for multiple accounts, and login credentials being shared.

Yet, for those who diligently do the right thing, there can still be a problem if the policy itself is not fit for purpose. Earlier in the summer, it was reported that Shopify required passwords to be of at least five characters. However, research on breached passwords revealed that 99.7% of them met Shopify’s requirements.

This case is far from surprising, given that many password policies in use today can be as much as 25 years old, despite guidance from bodies such as NIST. The world has moved on and the threat landscape has changed. Phishing attacks were not around when many of these policies were created, but today they pose one of the single largest cybersecurity risks.

Part of the problem is that what has long been considered a ‘strong’ and ‘secure’ password is no longer the case. A combination of upper and lowercase and special characters only makes passwords harder to remember, not stronger. No matter how complex a password is, if a bad guy has the password, they have access. With this in mind, the foundation of any password policy must be to ensure that breached passwords are not in use within an organisation. Multi-factor authentication (a username, password and another credential such as a pattern, PIN or biometric, for example) also has an important role to play; however, the first step is to have a password management solution in place that automatically detects breached passwords and ensures that they are immediately changed for a new password that conforms to the latest NIST recommendations.
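The contrast drawn above, between a legacy composition-rule policy and a NIST SP 800-63B style check that screens against breached passwords, as an added example that is not Authlogics' product or code; the breached list is constructed for the demo and the function names are the example's own.

```python
"""Compare a legacy composition-rule password policy with a NIST SP 800-63B
style check (length bounds plus breached-password screening, no composition
rules). Added example; the breached list below is constructed for the demo."""
import hashlib
import re

# Constructed stand-in for a breached-password corpus. Real corpora are
# commonly distributed as SHA-1 digests, so the set holds hashes, not plaintext.
_CONSTRUCTED_BREACHED = ["P@ssw0rd!", "Summer2022!", "Welcome1", "qwerty"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHED
}


def legacy_policy_ok(password):
    """A typical 25-year-old rule set: at least 8 characters containing an
    upper-case letter, a lower-case letter, a digit and a symbol."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def nist_style_check(password, breached_hashes=BREACHED_SHA1):
    """Return (accepted, reason). Follows SP 800-63B section 5.1.1.2: minimum
    8 characters, allow at least 64, reject anything on a breached list, and
    impose no composition rules."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > 64:
        return False, "longer than 64 characters"
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in breached_hashes:
        # This is the case the article stresses: complexity does not matter
        # if the value is already known to attackers; it must be changed.
        return False, "appears in breached-password list; must be changed"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Welcome1", "octopus lantern gravel tide", "short"]:
        print("%-30s legacy=%-5s nist=%s" % (
            candidate, legacy_policy_ok(candidate), nist_style_check(candidate)))
```

The complex-looking "P@ssw0rd!" satisfies the legacy rules yet fails the breach screen, while a long passphrase fails the legacy rules and passes the NIST-style check.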

Think of it as password policing rather than policy, a method for both prevention and enforcement. Passwords are far from the ideal authentication solution and the policies that have long governed them have done little to improve the situation. Organisations are beginning their journeys towards passwordless alternatives, but it will take time for this to be the norm. Until then it is vital that we create an environment in which they can be used with the highest level of assurance.

Only 8% of global tech workers have significant cloud-related skills

Stuart O'Brien

75% of tech leaders say they’re building all new products and features in the cloud moving forward, but only 8% of technologists have significant cloud-related skills and experience. Additionally, 64% say that they are new to cloud learning and are looking to build basic cloud fluency.

That’s according to Pluralsight’s 2022 State of Cloud Report, which compiles survey results from more than 1,000 technologists and leaders in the United States, Europe, Australia, and India on the most current trends and challenges in cloud strategy and learning.

According to McKinsey, cloud adoption is crucial to an organisation’s success, with more than 1 trillion dollars in potential earnings in the cloud up for grabs across Fortune 500 companies by 2030. Yet, cloud skills gaps exist for many technologists today. Pluralsight’s 2022 State of Upskilling Report, released earlier this year, found that 39% of respondents ranked cloud computing as a top personal skills gap.

“As organisations begin making heavier investments into the cloud, they must dedicate resources and time to ensure their technologists are up to the task of cloud transformation,” said Drew Firment, VP of Enterprise Strategies at Pluralsight. “Findings from our State of Cloud Report show that most technologists only have a basic familiarity with cloud technologies. Tech leaders need a cloud strategy that provides confidence and predictability in their ability to build cloud maturity at scale and that starts with ensuring they can upskill their teams on cloud technologies.”

The State of Organisational Cloud Maturity

Pluralsight’s State of Cloud Report gathered data on organisational cloud maturity and cloud strategy. Nearly half (48%) of organisations rate themselves as having high levels of cloud maturity, while only 7% of organisations have made no investments into the cloud. The study also revealed that technology companies are more likely than any other sector to rate themselves as having a high level of cloud maturity.

There are many different ways that organisations can drive towards cloud maturity. In the survey, 45% of organisations say they design cloud strategies for speed and business value. Additionally, 39% of organizations are working to optimise for cloud-native with containers and serverless, and 38% of organizations enable hybrid architectures with distributed cloud.

Security is a top challenge to levelling up cloud maturity, regardless of the organisation’s current level of maturity, with 45% of organisations saying that security and compliance concerns are the number one cloud maturity challenge.

Key Trends in Cloud Learning

As the data from this report suggests, most technologists are new to their cloud learning journeys. Twenty percent of technologists report having skills gaps in fundamental cloud fluency.

For technologists, the top personal cloud skills gaps are:

  • Cloud security (40%)
  • Networking (37%)
  • Data (31%)

Additionally, there are a variety of barriers that technologists encounter when trying to upskill in the cloud. These barriers include:

  • Budget constraints (43%)
  • Being too busy/lacking time for upskilling (38%)
  • Employers emphasise hiring rather than upskilling (32%)

This data shows that employers’ willingness to dedicate resources for cloud upskilling greatly affects the cloud-readiness of their organization.

Despite these sometimes limited upskilling resources, technologists are still finding ways to engage with cloud learning. Sixty-eight percent of technologists dedicate time at least once per week to technology upskilling. For those upskilling in the cloud, 62% find hands-on or practical exercises, such as cloud labs and sandboxes, to be the most effective way to learn cloud skills. Forty-eight percent of technologists use online tech skills development platforms to learn cloud skills.

Disconnect Between Cloud Technologists and Business Leaders

Findings of this report reveal a disconnect between organisational and individual cloud maturity. Business leaders reported high confidence in their organisations’ cloud strategies while individual contributors report feeling new to cloud technologies.

Despite employee skills gaps, growing cloud skills internally was not one of the top strategies business leaders used for reaching organizational cloud maturity. Only 37% of organisations use internal cloud upskilling as a key strategy for cloud maturity. However, cloud skills gaps rank as the second largest cloud maturity challenge, with 43% of organizations agreeing that cloud skills gaps in their organizations affect cloud maturity. Challenges arise when trying to balance organizational and individual needs for learning, as individuals desire personal enrichment and career advancement from training (46%), while leaders value outcomes that identify vulnerabilities (30%) and cost optimisation (28%).

In order to achieve cloud goals like higher levels of cloud maturity, increased cloud security, and cost optimization, organisations need to be creators of cloud talent. Cloud technology is fairly ubiquitous, with 46% of leaders overseeing one or more technical teams that work directly with cloud technology. Upskilling cloud proficiency should be a top priority, as most technologists are still new to cloud technology and are looking to improve their fluency.

Pluralsight’s State of Cloud report can be found here.

49% of UK organisations experience high-business-impact outages at least weekly

Stuart O'Brien

With cloud adoption, cloud-native application architectures, and cybersecurity threats on the rise, the biggest driver for observability in the UK was an increased focus on security, governance, risk and compliance.

That’s according to New Relic’s second annual study on the state of observability, which surveyed 1,600+ practitioners and IT decision-makers across 14 regions.

Nearly three-quarters of respondents said C-suite executives in their organisation are advocates of observability, and more than three-quarters of respondents (78%) saw observability as a key enabler for achieving core business goals, which implies that observability has become a board-level imperative.

The report also reveals the technologies they believe will drive further need for observability and the benefits of adopting an observability practice. For example, of those who had mature observability practices, 100% indicated that observability improves revenue retention by deepening their understanding of customer behaviours, compared to 34% of those whose practices were less mature.

According to the research, organizations today monitor their technology stacks with a patchwork of tools. At the same time, respondents indicated they longed for simplicity, integration, seamlessness, and more efficient ways to complete high-value projects. Moreover, as organizations race to embrace technologies like blockchain, edge computing, and 5G to deliver optimal customer experiences, observability supports more manageable deployment to help drive innovation, uptime, and reliability. The 2022 Observability Forecast found:

  • Only 27% had achieved full-stack observability by the report’s definition – the ability to see everything in the tech stack that could affect the customer experience. Just 5% had a mature observability practice by the report’s definition.
  • A third (33%) of respondents said they still primarily detect outages manually or from complaints, and most (82%) used four or more tools to monitor the health of their systems.
  • More than half (52%) of respondents said they experience high-business-impact outages once per week or more, and 29% said they take more than an hour to resolve those outages.
  • Just 7% said their telemetry data is entirely unified (in one place), and only 13% said the visualization or dashboarding of that data is entirely unified.
  • Almost half (47%) said they prefer a single, consolidated observability platform.
  • Respondents predicted their organizations will most need observability for artificial intelligence (AI), the Internet of Things (IoT), and business applications in the next three years.

“Today, many organizations make do with a patchwork of tools that require extensive manual effort to provide fragmented views of their technology stacks,” said Peter Pezaris, SVP, Strategy and User Experience at New Relic. “Now that full-stack observability has become mission critical to modern businesses, the Observability Forecast shows that teams are striving to achieve such a view so that they can build, deploy, and run great software that powers optimal digital experiences.”

Investing in a phishing prevention toolkit 

Stuart O'Brien

Phishing remains one of the biggest security threats to all businesses – regardless of size and industry. This was reflected in the Cyber Security Breaches Survey 2021, as phishing was identified as the most common type of security attack (82%) last year. 

The accelerated shift to hybrid work environments, triggered by the COVID-19 pandemic, has played a fundamental role in increased phishing activity. Shifting to remote working opened the door even wider to phishing, malware and other cyber threats – with attackers targeting users away from the office. 

Phishing is a threat that cannot be avoided, but it can be controlled. In June 2022, VIPRE produced a whitepaper which highlights that there are solutions that businesses can put in place to help stop valuable data from reaching the wrong hands.

Lee Schor, Chief Revenue Officer of VIPRE outlines the crucial technology tools and training needed to reduce the threat of phishing attacks and ultimately, for organisations to create a phishing prevention toolkit…

The Evolution of the Phishing Landscape

Phishing is the practice of sending a deceptive message to trick the user into revealing sensitive information, or to deploy malicious software, such as ransomware, onto an organisation’s IT network. Once sensitive information has been captured, the consequences can be severely damaging to a business – from financial repercussions, to loss of customers and damaged reputation.

In the modern threat landscape, cyber-attack methods are becoming increasingly sophisticated, and specifically, phishers are now using advanced social engineering to lure users into giving away confidential company data. For example, in 2021, Microsoft Office 365 users were targeted with a sophisticated phishing email to trick users into giving away their credentials via a compromised SharePoint website.

Over time, phishing has also become increasingly harder to detect, as it is highly targeted and constantly evolving to take advantage of both users and organisations – ever more so with the increase in hybrid working. VIPRE’s whitepaper outlines that there are now more phishing tactics than ever before, from vishing (voice), angler phishing (social media) to smishing (SMS phishing). Therefore, it is crucial that businesses prioritise how they can protect themselves and their users from falling victim to an attack. To get started, it is crucial that organisations invest in the right solutions to create a layered prevention toolkit, but what should this consist of?

Protecting IT Systems with Software Solutions 

Technology solutions can support businesses by acting as a layer of security protection to help identify, stop and block potential phishing threats from entering the network. But, with the evolution of phishing tactics, it is crucial that organisations deploy the right digital tools across the business to cover every potential attack entry point.

Email is the leading attack vector used by cybercriminals to deliver phishing, ransomware and malware attacks. The first step in preventing phishing via email, is to ensure that businesses have the right protection in place at the time of receiving and handling emails; such as email attachment sandboxing; anti-phishing protection; data loss prevention tools (DLP) and outbound email protection.

Innovative technologies such as machine learning can be used to scan emails for possible phishing scams by comparing links to known phishing data. If phishing is suspected, the malicious links are removed from the email message to mitigate any chance of the user clicking on them. Additionally, DLP tools help to stop sensitive information from leaving the organisation at the time an employee sends an email by offering a crucial double-check. For example, DLP tools can be used to prevent emails from being sent to the wrong person, as when a user clicks ‘send’ they are asked to confirm the email address(es) for the recipient(s) they are sending it to.

The initial step of having email security in place helps to neutralise malicious links before they enter the user’s inbox. But with the emergence of zero-day threats, having website security, such as URL sandboxing, has become a necessity. This is because phishing emails will often redirect a recipient to a website to enter personal information. Therefore, when a user clicks on a URL in an email, the destination web page and its content can be automatically sandboxed – where the user will be shown a detailed block page with a sanitised live preview of the page they are trying to access – shielding the business from any potentially malicious payloads.

Empowering Users with Education and Training

Digital tools can help to identify and stop potential phishing emails – but these technologies are not the complete solution. Employees need to also be regularly made aware of existing threats, wherever they are working and on whatever device they are using – which is especially important in the hybrid working environment.

No phishing prevention plan is effective without users understanding the threat landscape. Human intervention is sometimes the only way of spotting or stopping a phishing attempt. Therefore, it is crucial that businesses implement a security and phishing awareness training programme which educates users on the different types of phishing and potential threats. Such education should be continuous and conducted on a regular basis throughout the year – not just a one-off tick-box session. This is because cyber threats constantly evolve – so if the training is out of date, so is the business’s security protection.

It is vital that this training includes phishing simulations and penetration testing so that employees can face real-life scenarios. This type of education will help identify areas of weakness where organisations need to provide support to employees through additional training, for example, and will help businesses to continuously assess the success of a phishing awareness programme.

Conclusion

Investing in a phishing toolbox is essential to fully protect your organisation against ever-changing attacks and zero-day threats delivered via SMS, phone, and email. By implementing the right technology, combined with user education and security awareness training to give all-around protection, businesses can carefully manage and avoid phishing threats. As the growth of the cyber security threat landscape shows no signs of slowing down, organisations can be reassured that they have the necessary protective layers in place to combat the modern threat landscape by using the right tools and training.

Network protection in the hybrid era  

Guest Post

By Gary Cox, Director of Technology Western Europe at Infoblox  

Since emerging from the worst effects of the pandemic, a mix of in-office and remote work has become common practice for many organisations. Initially seen as a temporary way of easing employees back into the workplace after almost two years working from home, it appears that hybrid work is here to stay for the foreseeable future. As of May 2022, almost a quarter of UK employees worked in a hybrid fashion.

However, in an effort to accommodate the needs of their new hybrid workforce, business leaders have inadvertently increased their organisations’ security and compliance risks. This distributed way of working has dramatically increased the attack surface. It’s perhaps little surprise, then, that according to Infoblox’s 2022 UK State of Security Report, the majority of UK businesses experienced up to five security incidents in a year. The advent of the hybrid era means it’s never been more important for businesses to protect their network – or harder to achieve.

Expanded attack surface

Lockdown forced many organisations to leave their physical offices for good, while others adopted hybrid work where most of their employees worked remotely for at least part of the week. Whatever their preference, companies needed to move their applications and data into the cloud and protect them beyond traditional security solutions like firewalls and VPNs.

But employees logging in over their home WiFi networks, and using personal devices for work purposes – or work devices for personal affairs – meant the attack surface was enormous. As a result, businesses experienced a large number of attacks, many of which resulted in downtime, which can cost organisations considerable financial and reputational damage. Indeed, 43 percent of respondents cited breach damages of $1 million.

Hybrid work was found to provide bad actors with a much wider range of entry points into a company’s network, too. Insecure WiFi, for instance, was reported as being the biggest reason for data breaches, followed by insider access through current or former employees or contractors, and employee-owned endpoints, such as mobile devices and laptops.

Trust nothing

Most people today are aware of the perennial threat of cyberattack, but most can do little to protect themselves beyond just changing the password on their home WiFi router. Organisations must therefore take responsibility for security. This requires them to adopt a zero trust approach, which works on the assumption that attackers have already breached the network.

A multi-layered zero trust framework means all parties must undergo authentication checks at every point, as data flows in and out of an organisation’s network. Doing so will enable the organisation to protect everything that’s connected to that network, as well as limiting the damage in the event that an attacker breaches its defences.

Improved security posture

Organisations everywhere, regardless of industry, should consider how to leverage their existing technology to improve their security posture. For example, solutions that take advantage of DDI – a combination of DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management) services, which are already used for device connectivity – can give visibility into network activities down to the device level.

In addition to this, DNS security is essential for a zero trust approach. Given that more than 90 percent of threats that enter or leave a network will touch DNS, it is ideal for detecting potential threats. DNS security can help IT teams spot threats that other security tools miss, accelerate threat hunting, and reduce the burden on stretched perimeter defences. It helps them get more value out of third-party security solutions, through real-time, two-way sharing of security event information and through automation, which lowers the costs associated with manual effort and human error.

The COVID crisis has changed the way we work – potentially forever. As long as people continue to work remotely – even only once a week – the use of home WiFi networks will continue to increase the threat of compromise. It’s essential, then, that organisations have sufficiently robust security strategies in place to meet the demands of the hybrid era. A zero trust approach, supported by DDI metadata and DNS security, will help businesses adjust.

UK university students at risk from email scams, says report

Stuart O'Brien

Research has found that none of the UK’s top 10 universities actively block fraudulent emails from reaching recipients.

Proofpoint has released data identifying that 97% of the top universities in the United Kingdom, the United States and Australia are lagging on basic cybersecurity measures, subjecting students, staff and stakeholders to higher risk of email-based impersonation attacks.

The research found that 97% of the top ten universities[1] across each country are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud. This figure rose to 100% amongst the top 10 UK universities, with none actively blocking fraudulent emails from reaching recipients.

These findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country. DMARC[2] is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject,[3] with reject being the most secure for preventing suspicious emails from reaching the inbox.
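A small checker that classifies a domain's published DMARC record into the three levels named above (the "monitor" level corresponds to the policy value p=none), added here as an example and not Proofpoint's tooling; the domain names and TXT records are constructed, and a real assessment would start from the output of `dig +short TXT _dmarc.<domain>`.

```python
"""Classify DMARC policy strength using the report's three levels
(monitor, quarantine, reject). Added example, not Proofpoint's tooling;
the domains and TXT records below are constructed for the demo."""

# DMARC p= values mapped to the report's level names (p=none is "monitor").
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt):
    """Split a _dmarc TXT record into tag -> value. Returns None unless the
    record carries the mandatory v=DMARC1 tag."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(txt):
    """Return (level, note) for a record string, or for None when no record is
    published. Flags partial enforcement (pct<100), a weaker sp= subdomain
    policy, and missing aggregate reporting (rua=)."""
    if txt is None:
        return "no record", "nothing published; receivers cannot evaluate spoofed mail"
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid", "missing v=DMARC1 or the required p= tag; receivers ignore it"
    level = LEVELS.get(tags["p"].lower())
    if level is None:
        return "invalid", "unknown policy value p=" + tags["p"]
    notes = []
    if level == "monitor":
        notes.append("monitoring only; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if level != "monitor" and pct != "100":
        notes.append("only pct=%s of failing mail is subject to %s" % (pct, level))
    sp = tags.get("sp")
    if sp is not None and LEVELS.get(sp.lower()) != level:
        notes.append("subdomain policy sp=%s differs from p=%s" % (sp, tags["p"]))
    if "rua" not in tags:
        notes.append("no rua= address, so aggregate reports are not collected")
    return level, "; ".join(notes) if notes else "fully enforced"


def summarise(records):
    """Count domains per level, the way the report tallies its top-ten lists.
    `records` maps domain -> TXT record string, or None when none is published."""
    counts = {}
    for txt in records.values():
        level, _ = classify(txt)
        counts[level] = counts.get(level, 0) + 1
    return counts


# Constructed sample of what a lookup of _dmarc.<domain> might return.
SAMPLE_RECORDS = {
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@uni-b.example",
    "uni-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": "v=DMARC1; p=none",
    "uni-e.example": None,
    "uni-f.example": "v=spf1 include:_spf.example -all",  # SPF record in the wrong place
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        level, note = classify(txt)
        print("%-15s %-11s %s" % (domain, level, note))
    print(summarise(SAMPLE_RECORDS))
```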

With a record 320,000 UK sixth-formers applying for higher education places this summer, students will be eagerly awaiting email correspondence regarding their applications when A Level results are announced on the 18th of August. The uncertainty and unfamiliarity with the process, as well as the increase in email communication provides a perfect storm for cybercriminals to trick students with fraudulent phishing emails.

“Higher education institutions are highly attractive targets for cybercriminals as they hold masses of sensitive personal and financial data. The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cybersecurity challenges for education institutions, opening them up to significant risks from malicious email-based cyber-attacks, such as phishing,” says Adenike Cosgrove, Cybersecurity Strategist at Proofpoint. “Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that makes it especially concerning that none of the UK’s top ten universities is fully DMARC compliant.”

Key findings from the research include:

  • None of the UK’s top 10 universities have implemented the recommended and strictest level of protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning all are leaving students open to email fraud.
  • Whilst 80% have taken the initial steps by publishing a DMARC record, the majority (75%) only have a monitoring policy in place for spoofed emails. This policy freely allows potentially malicious spoofed emails into the recipient’s inbox.
  • 2 out of the 10 top UK universities (20%) do not publish any level of DMARC record.

The World Economic Forum reports that 95% of cybersecurity issues are traced to human error, yet according to Proofpoint’s recent Voice of the CISO report, Chief Information Security Officers (CISOs) in the education sector underestimate these threats, with only 47% believing users to be their organisation’s most significant risk. Concerningly, education sector CISOs also felt the least backed by their organisation, compared to all other industries.

With the shift to remote (and more recently, hybrid) learning, Proofpoint experts anticipate that the threat to universities will continue to increase. The lack of protection against email fraud is commonplace across the education sector, exposing countless parties to impostor emails, also referred to as business email compromise (BEC).

BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. Cybercriminals use this technique to extract personal information from students and staff by using luring techniques and disguising emails as messages from the university IT department, administration, or a campus group, often directing users to fake landing pages to harvest credentials.

“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect students, staff, and alumni from malicious attacks. As holders of vast amounts of sensitive and critical data, we advise universities across the UK to ensure that they have the strictest level of DMARC protocol in place to protect those within their networks.

“People are a critical line of defence against email fraud but their actions remain one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not only defending against but eliminating domain spoofing or the risk of being impersonated. When fully compliant with DMARC, a malicious email can’t reach your inbox, removing the risk of human interference,” concluded Cosgrove.

Best practice for students, staff and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in May 2022 using data from QS Top Universities.

Growing demand for future-proof mobile solutions for access control

Stuart O'Brien

With convenience being a major theme, 42% of respondents worldwide indicate plans to upgrade to mobile-ready systems.

That’s according to the latest State of Access Control report produced by IFSEC Global in partnership with HID Global, which surveyed just over 1,000 respondents from across North America (56%), EMEA (29%) and Asia Pacific (15%) to detail trends in the procurement, installation, specification and operation of physical access control solutions.

The report describes the current state of the market, the technology being used, and trends that security and IT professionals are witnessing and foreseeing in the years to come, including:

Convenience: Ease of use is the most crucial reason to upgrade to a new access control system, according to 60% of the respondents. This means that in addition to securing premises, a new system must provide a smooth and straightforward process for both users (employees, residents or visitors) and administrators (security, facilities and IT teams).

Mobile Access and Touchless Capabilities: It’s no surprise then, that demand for mobile access is showing an uptick, with 42% of respondents planning to upgrade to mobile-ready systems. While security system administrators benefit from increased operational efficiency, employees and visitors may find mobile access more convenient and secure since they are more likely to have their mobile devices at hand than their access cards. The pandemic also played a role in the demand for touchless physical access control. About 32% of respondents cited they would upgrade systems to introduce touchless solutions in response to the pandemic, with contactless biometrics also being considered among them.

System Interoperability: Future-proof support is also a growing concern as users are pushing for long-term convenience while achieving cost savings. In fact, almost half of the respondents (49%) selected the ability to support new tech in the future as one of the top three features in a new access control solution, and 33% included integration with existing security platforms as being important. As a result, consultants and integrators are moving away from proprietary models and embracing open standards-based technology, where software upgrades can be securely managed through the cloud. One in five respondents added that interoperability and open standards will be one of the top trends set to shape the industry in the near future.

Sustainability: Organisations across all regions are making a clear effort to understand how new purchases and upgrades in access control technology can have an impact on sustainable practices, with about 28% of respondents having consulted their sustainability departments about their buying decisions. Access control readers that have Environmental Product Declarations and intelligent power management, for example, support green building ratings such as LEED. Additionally, deploying mobile access and virtual credentials removes the need for plastic cards and so spares the carbon footprint associated with their lifecycle. When integrated with a building management platform, it is possible to maintain continuous adjustment of building resources based on occupancy.

The full report provides a more in-depth analysis and data points on what is driving the physical access control industry now and into the future. Read it here.

Sail the digital transformation seas more securely with Zero Trust Access 

Guest Post

By Tim Boivin, PortSys

Security has long been the boat anchor that drags down innovation – a deadweight that prevents digital transformation efforts from sailing to success.  

With the pandemic, digital transformation efforts accelerated far beyond the horizon of what was thought possible. Those changing tides also gave cyber pirates the opportunity to hack away – torpedoing infrastructure to launch ransomware, phishing, and data exfiltration attacks. 

Unfortunately, too many IT security teams and lines of business still don’t sail in the same direction to find the calm seas that offer more secure digital transformation. As a result, the captains of business frequently consider security as merely sunk costs, instead of the transformative vessel it should be. 

Zero Trust Access (ZTA) sets a new course so your organization can discover greater market treasures. ZTA generates the strategic tailwinds you need for your digital transformation efforts to reach their ultimate destination – competitive advantage. It needs to be considered as a valuable strategic business asset – one that reduces cost, improves productivity, and ultimately drives revenue and profit. 

How? ZTA implements and scales quickly without disrupting your existing infrastructure. It allows users to more securely and seamlessly access local and cloud resources they need to do their jobs from anywhere, improving productivity.  

ZTA accomplishes all this while dramatically reducing threats against your infrastructure. Instead of saying “No!” to anyone who wants to work more productively but requires greater access to do so, the pilots in the IT boathouse say “Yes, but…” – relying on ZTA’s principles of “Never Trust, Always Verify.” That creates a safer journey as your users get closer to your customers, wherever they are. 

Ultimately, ZTA transforms that IT boat anchor that’s been dragging you down into a billowing business mainsail – so you can cruise to competitive advantage. 

Tim Boivin is the marketing director for PortSys, whose enterprise customers around the world use Total Access Control (TAC), its next-gen reverse proxy solution based on Zero Trust. 

Just Say Yes – Why CISOs must now embrace SD-WAN

Stuart O'Brien

Digital Transformation has become a business imperative, yet rather than pulling together to enable essential change, the friction between network and security teams is increasing. The business needs to move away from data centres and traditional Wide Area Networks (WAN) to exploit the cost, flexibility and agility provided by the cloud and Software Defined WANs (SD-WAN).

Chief Information Security Officers (CISOs), especially those working in regulated industries, insist the risks associated with public infrastructure are too high. Stalemate.

Until now. Organisations are pressing ahead with Digital Transformation plans and excluding the CISO from the conversation. But at what cost? Who is assessing the implications for regulatory compliance? At what point will the Chief Risk Officer prohibit the use of the SD-WAN for sensitive data, leaving the business running legacy and new infrastructure side by side, fundamentally undermining the entire Digital Transformation project? A new attitude is urgently required, one based on collaboration, understanding and a recognition that a Zero Trust security posture can safeguard even the most sensitive data, while unlocking all the benefits associated with SD-WAN.

As Simon Hill, Head of Legal & Compliance at Certes Networks, insists, it is time for CISOs to take a lead role in the Digital Transformation process – or risk being side-lined for good.

Accept Change

CISOs need to face up to the fact that Digital Transformation is happening – with or without them.  Organisations need to embrace the agility, flexibility and cost benefits offered by the cloud, by Software as a Service and, critically, the shift from expensive WAN technology to SD-WAN. For CISOs, while the migration to SD-WAN extends the attack surface, adding unacceptable data vulnerability, saying no is not an option any more. CISOs risk being left out of the Digital Transformation loop – and that is not only adding significant corporate risk but also compromising the expected benefits of this essential technology investment.

Network and IT teams are pressing ahead, insisting the risk is acceptable. How do they know? For any organisation, this is a dangerous compromise: critical risk decisions are being taken by individuals who have no understanding of the full implications. For those organisations operating in regulated industries, these decisions could result in exposure to tens of millions, even hundreds of millions, of dollars in penalties.

Failure to embed security within the initial Digital Transformation strategy is also compromising progress. What happens when the CISO or Chief Risk Officer discovers the business is in the process of migrating from the old WAN to a new SD-WAN environment? Suddenly the brakes are on, and the call is for sensitive data to be encrypted before it hits the network. Adding Internet Protocol Security (IPsec) tunnels will degrade performance – so the business is then stuck using the legacy WAN for data connectivity while still paying for the SD-WAN and failing to gain any of the agility or cost benefits.  More frustration. More friction between teams that should be working together to support business goals.

Drive Change

Security is a fundamental component of Digital Transformation – indeed of corporate operating strategy. Rather than avoiding change, CISOs have a responsibility not only to secure the organisation but proactively advocate change, with security as the key enabler of Digital Transformation.

Digital Transformation does not by default create an inherently insecure environment – but it will require organisations to, somewhat belatedly, embrace a Zero Trust model. It has been clear for many years that there is no correlation between ownership and trust. Just because a company owns infrastructure and assets does not automatically imply total trust over data security. Similarly, infrastructure outside the business is not inherently untrustworthy. The key is to build trust into a secure overlay that protects the data itself, allowing a business to operate across any infrastructure, whether owned or public.

A High Assurance SD-WAN overlay, for example, uses crypto-segmentation to protect and ensure the integrity of sensitive data. With this Zero Trust approach, High Assurance SD-WAN means whether the network is public or private, trusted or untrusted, is irrelevant: the data security team simply needs to define the policy and, with ownership of the cryptography keys, can be confident that data is protected at all times wherever it goes.

Working Together

Adopting a Zero Trust security posture changes the outlook for CISOs – and provides a foundation for vital collaboration with the networking and IT teams. With confidence that the data is secure regardless of network location, everyone involved in Digital Transformation can achieve their goals: IT and network teams can embrace the flexibility and agility of the cloud, SaaS and SD-WAN, while the security team still has control of the security posture.

This can only be achieved if the business embraces a different mindset. It is essential to think about security by design from the outset – and to break down the barriers between network, IT and security. The introduction of the Secure Access Service Edge (SASE) framework provides clear guidelines for the convergence of these teams to drive additional business value but the onus – and opportunity – lies with the CISO to ensure the entire organisation truly understands the Digital Transformation objectives.

This also demands an essential shift away from a regulatory-compliance-focused security posture – something that is inherently flawed, because regulations cannot keep up with ever-changing security threats – towards a truly business-driven approach. Working together to plan the Digital Transformation process may take a little more time up front, but it will result in a secure foundation that removes the constraints on innovation and agility.

Conclusion

It is time for CISOs to change. There is no value in endlessly blocking essential new technology projects; and no upside in being excluded from vital plans as a result. By taking a proactive stance and driving Digital Transformation strategies, CISOs can redefine the role, become a key strategic player within the business and act as an enabler, rather than a constraint, to operational success.

It is time to find a way to say yes to secure Digital Transformation – without compromise.

Just one crack – That’s all a hacker needs…

Guest Post

By Michael Oldham, CEO of PortSys, Inc.

Just one crack. That’s all a hacker needs to find to cripple your organization. Here are three essential steps to take to stop that crack from blowing your infrastructure wide open for bad actors:

Multi-factor authentication (MFA) that includes device validation, certificate checks, Geo IP intelligence and other security policies makes it much harder for hackers to get inside your infrastructure by stealing, guessing or buying credentials.

Close ports across your legacy infrastructure that you opened for cloud, web services, Shadow IT and other applications. This will minimize your exposure to hackers through the internet. Every open port – such as VPN, RDP, MDM, Web Servers, cloud services or infrastructure – is another point of attack hackers gleefully exploit.

A single crack in just one port increases your exposure dramatically.  And your IT team already fights a losing battle trying to manage, maintain, patch and install updates for all those security solutions for those open ports. Closing ports to better secure your organization has a real, direct, significant, long-lasting business benefit.

Segmentation of resources limits the damage anyone can do inside your infrastructure in the event you are breached. Everyone is committed to keeping hackers out, but the truth is they still get in, or you may even be a victim of an insider attack.

Segmentation prevents bad actors from pivoting once they are inside to gain access to other parts of your infrastructure, where they can steal or lock up data. With segmentation, those compartmentalized resources aren’t accessible without proper authentication.

Another benefit of segmentation is that it doesn’t have to just be at the network level. Segmentation can be done at the resource level through intelligent policies that provide access to resources only under specific circumstances.
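The three steps above can be expressed as concrete, testable policy checks. The following is an added illustration, not PortSys code or any description of how TAC works: it evaluates an access request against MFA, device-certificate and Geo IP conditions (step 1), audits which listening ports are exposed on all interfaces against an approved list (step 2), and treats every resource as its own segment with its own policy, so authenticating to one resource never grants a pivot to another (step 3). The device inventory, Geo IP prefixes, listener list, resource names and policies are all constructed sample data, not values from the post.

```python
"""Added example: the three steps as executable policy checks (constructed, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress

# Step 1 inputs: enrolled devices and their client-certificate fingerprints (constructed).
ENROLLED_DEVICES = {"laptop-0042": "sha256:constructed-fingerprint-A"}

# Geo IP lookup table, prefix -> country code (constructed; uses RFC 5737 documentation ranges).
# A real deployment would query a maintained GeoIP database instead.
GEOIP = {"203.0.113.0/24": "GB", "198.51.100.0/24": "US", "192.0.2.0/24": "ZZ"}


@dataclass
class Request:
    user: str
    roles: Set[str]
    mfa_verified: bool
    device_id: str
    device_cert_fingerprint: Optional[str]
    source_ip: str
    resource: str


@dataclass
class ResourcePolicy:
    """Step 3: each resource is its own segment with its own access conditions."""
    segment: str
    allowed_roles: Set[str]
    allowed_countries: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed resource policies. Note there is no "network-level" grant: reaching one
# resource says nothing about any other.
POLICIES = {
    "hr-payroll": ResourcePolicy("hr", {"hr"}, {"GB"}),
    "eng-wiki": ResourcePolicy("eng", {"engineer"}, {"GB", "US"}, require_managed_device=False),
    "prod-db-admin": ResourcePolicy("prod", {"dba"}, {"GB"}),
}


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix matching is unnecessary here because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEOIP.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Default deny: an unknown resource or any failed check denies. Reasons feed the audit log."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy for resource (default deny)"]
    reasons: List[str] = []
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed_device:
        expected = ENROLLED_DEVICES.get(req.device_id)
        if expected is None or expected != req.device_cert_fingerprint:
            reasons.append("device not enrolled or certificate fingerprint mismatch")
    country = lookup_country(req.source_ip)
    if country not in policy.allowed_countries:
        reasons.append(f"source country {country} not allowed for segment {policy.segment}")
    if not (req.roles & policy.allowed_roles):
        reasons.append(f"roles {sorted(req.roles)} not permitted in segment {policy.segment}")
    return (not reasons), reasons


def exposed_ports(listeners: List[Tuple[str, int, str]], approved: Set[int]) -> List[Tuple[int, str]]:
    """Step 2: listeners bound to every interface whose port is not on the approved list.

    `listeners` holds (bind_address, port, service) tuples, e.g. parsed from `ss -ltn` output.
    """
    return sorted(
        (port, service)
        for addr, port, service in listeners
        if addr in ("0.0.0.0", "::") and port not in approved
    )


if __name__ == "__main__":
    fp = "sha256:constructed-fingerprint-A"
    ok = Request("alice", {"hr"}, True, "laptop-0042", fp, "203.0.113.10", "hr-payroll")
    print(evaluate(ok))  # (True, [])
    # Same authenticated user and device, different segment: the pivot is refused on role.
    print(evaluate(Request("alice", {"hr"}, True, "laptop-0042", fp, "203.0.113.10", "prod-db-admin")))
    sample = [("0.0.0.0", 443, "reverse-proxy"), ("0.0.0.0", 3389, "rdp"),
              ("127.0.0.1", 5432, "postgres"), ("::", 22, "ssh")]
    print(exposed_ports(sample, {443}))  # [(22, 'ssh'), (3389, 'rdp')]
```

The point of returning a reason list rather than a bare boolean is that every denial becomes a log line a SOC can alert on (repeated certificate mismatches from one device, or a valid user suddenly appearing from a disallowed country), while the loopback-bound database in the listener sample shows what "closing a port" looks like in practice: the service keeps running, it just stops being reachable from the internet.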

These three steps help close the one crack – or several – that puts your infrastructure at risk, and deliver much greater security across your enterprise. And that’s good for any business.

Michael Oldham is CEO of PortSys, Inc., whose Total Access Control (TAC) Zero Trust solution is used by enterprise organizations around the world to secure their infrastructure.