Innovation is the driving force behind modern business infrastructure, with cloud-based services and the Internet of Things making advanced technology affordable and accessible to companies of all sizes.
However, new tech means that there are also new threat vectors and security risks to manage and protect against. As a plethora of services and devices from vendors large and small have made adopting cloud technologies easier, it's vital that organisations consider potential security issues and the conversations they need to be having with vendors.
Paul Waller of the National Cyber Security Centre (NCSC) says that the organisation is seeing a lot of private and public sector organisations across the UK – as well as individuals – moving to cloud services, for reasons of both convenience and efficiency. However, he warns, although you can outsource a lot of the hard work of maintaining and developing systems, "what you can't outsource is the risks that you own and the responsibilities you have to your business and your customers."
Regardless of whether your business runs on on-premises hardware or in the cloud, he says, "it's important to be able to keep track of and understand where all of your assets are deployed and how they're managed."
BT is at the forefront of networking and IT infrastructure defence in the UK. The company's deputy CISO and cyber and physical security operations director, Steve Benton, explains that basic business security and threat management is straightforward:
"You start with the systems themselves and make sure that there is adequate patching, configuration management and locking down of those systems," he says. "Then you look at who has access to those systems, to ensure that you fully understand that, and that you've operated the principle of least privilege." This means ensuring that staff and their accounts have enough access privileges to do their job and nothing more, and that you've not left any powerful accounts open or default passwords in place.
Finally, he says, you have to look at how your data is itself handled: where it's stored, how it's secured both in motion and at rest, what you need to do to protect the information you're storing and what procedures you have in place to effectively deal with security breaches.
Fortunately, there's plenty of guidance to help businesses and individuals keep safe online and choose responsible vendors who'll do the same with their cloud services. The NCSC provides wide-ranging and trustworthy advice for everyone from families to cybersecurity professionals.
BT's role as a major ISP and its advanced monitoring systems mean that it has vast amounts of data on the evolving threat landscape. Steve Benton says that the company is seeing ever more sophistication and complexity in terms of scams exploiting employees in order to gain access to their organisations.
Compromised business emails are also on the rise, making it essential to ensure that staff use secure and unique passwords to avoid credential-stuffing attacks. Email remains the key threat vector, where "60 to 70 per cent of the bad stuff happens," Benton says. "You can route it back to an email coming into the organisation, either with a malicious download or that just fools somebody into clicking on a link."
BT has seen a 38 per cent increase in such scams over the last quarter, many of them connecting out to sites that distribute malware. BT blocks 110 million connections to malware sites each month.
While human behaviour can be an easily manipulated security hole, other threats take advantage of vulnerabilities in software or operating systems. The recently announced BlueKeep vulnerability in the Remote Desktop Protocol (RDP) was so high risk that Microsoft released patches for no-longer-supported operating systems dating as far back as Windows XP.
The NCSC's Paul Waller emphasises that here, as in all cases where vulnerabilities are disclosed, "the basic advice remains the same. It's patch your systems. It's basic hygiene." Traditional vendors are generally prompt about rolling out patches, and their application can often be automated.
Meanwhile, standards such as the government's code of practice for secure IoT design encourage manufacturers to avoid shipping hardware with universal default passwords, implement vulnerability disclosure policies, issue regular security patches and store credentials securely.
And if something does go wrong, and you suffer a security breach, BT's Steve Benton says that it's vital to be clear in your communication with customers and the general public so they can take appropriate security measures if affected, to avoid saying anything you don't know to be true, and to ensure that you comply with regulators' rules, such as reporting deadlines for the Information Commissioner's Office in the UK.
"Everyone is fearful about having a serious data incident," he explains, "but organisations that have handled it well and managed it well often get higher levels of customer confidence in the aftermath – and sometimes do better as a business afterwards, because they handled the incident well."
This article was originally published by WIRED UK