
Access is key to cloud security

By Alison Job
Johannesburg, 26 Aug 2019
Bradley Adams, Charndré Mey and Charl Ueckermann of AVeS Cyber Security.

Charl Ueckermann, CEO of AVeS Cyber Security, says businesses can reduce the risk of their data being breached by building layers of security around their people, data and infrastructure.

“Cyber security is no longer the responsibility of the head of IT, it is now a business imperative with decisions made at C-suite level. It’s becoming increasingly important for business and IT to align in developing a strategy around IT security that offers guidance and rule sets for all users.”

Ueckermann was speaking at an event on Cloud Security held on 23 August at Kloofzicht in The Cradle.

As IT has evolved from on-site infrastructure to the cloud, it’s become increasingly vital to take a layered approach to security that will protect the data while permitting access to the right people at the right time.

“It’s estimated that by 2024, around 70% of data will be accessed via mobile devices, underlining how important it is to include mobile in any security strategy,” says Ueckermann.

Identity management

The first port of call when it comes to data security, according to Ueckermann, is identity and access management.

The 2017 Verizon Data Breach Investigations Report found that over 81% of data breaches resulted from stolen or compromised passwords. The sole aim of data breaches, says Ueckermann, is to monetise the breach by possibly selling the data or even holding it to ransom.

“There’s a misperception that if the cloud is secure, measures to control access aren’t necessary, as the data is in a ‘safe place’, so it must be safe. This isn’t necessarily true.

“The same level of vigilance is required to control access to data in the cloud as is necessary with data hosted onsite. It is also essential to control and manage what different levels of employees can do with that data. Lack of access control, as well as the misuse of employee credentials, means data can be accessed by people who are not allowed to see it,” says Ueckermann.

He explains that to comply with industry or governmental regulations, companies should protect their data and carefully control who has access to it.

“Companies cannot rely on usernames and passwords alone to effectively control access to the cloud. Multi-factor authentication to access cloud services should be non-negotiable.

“Similarly, you ideally want at least three ways to authenticate your employees before they can access company resources in the cloud. Besides, there should be clearly defined containers to segregate who has access to what information once they have been authenticated. Employees should be granted access only to the information they require to do their work. Authorisation measures should also be in place to ensure that information cannot be downloaded by or shared with people who don’t have permission.

“Monitoring tools can also help to pick up on abnormal behaviours. For instance, geolocation control would detect unusual behaviours such as a login by an employee in Pretoria and, five minutes later, a login in Germany by someone using the same login details. Monitoring tools will also detect mass downloads, mass deletes and any other activities that are outside the norm,” Ueckermann recommends.
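The geolocation check described above is usually called impossible-travel detection. The sketch below is an added example, not code from AVeS Cyber Security or any monitoring product: it flags consecutive logins by the same user whose distance and time gap imply a speed no traveller could reach. The user names, coordinates, the choice of Frankfurt for "Germany" and the 900 km/h ceiling are constructed assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

# Constructed sample login events: (user, ISO timestamp, city, lat, lon)
SAMPLE_LOGINS = [
    ("tmokoena", "2019-08-23T08:00:00", "Pretoria", -25.7479, 28.2293),
    ("jsmith", "2019-08-23T08:01:00", "Johannesburg", -26.2041, 28.0473),
    ("tmokoena", "2019-08-23T08:05:00", "Frankfurt", 50.1109, 8.6821),
    ("jsmith", "2019-08-23T09:10:00", "Pretoria", -25.7479, 28.2293),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return one alert per pair of consecutive logins by the same user
    whose implied travel speed exceeds max_kmh."""
    alerts, last = [], {}
    # Parse timestamps first so ordering does not depend on string format.
    parsed = [(u, datetime.fromisoformat(ts), c, la, lo)
              for u, ts, c, la, lo in events]
    for user, when, city, lat, lon in sorted(parsed, key=lambda e: e[1]):
        if user in last:
            p_when, p_city, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous logins from different places count as infinite speed.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": p_city, "to": city,
                               "km": round(km), "minutes": round(hours * 60)})
        last[user] = (when, city, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Locations derived from IP addresses are approximate, and VPN or mobile-carrier egress points can trigger the same alert for a legitimate user, so a hit is a prompt for step-up authentication or review rather than proof of compromise.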

Employee education

He stresses that employee education should form part of any organisation’s cloud security strategy.

“People tend to trust too easily and not verify enough when it comes to IT security threats. They open emails, click on links, share information, download information and share their passwords without understanding the potential consequences. For a cloud security strategy to succeed, it is vital that employees understand the risks, how their actions can make data vulnerable, and what they can do to keep data safe.”

The last word comes from Charndré Mey, the infrastructure technical director at AVeS Cyber Security: “Data is the new oil and if you consider that each individual has in the region of 5 000 data points, the consequences of a breach are monumental. It’s so convenient to let your computer store your user names and passwords, we tend to become complacent in our online usage.”

Mey advises businesses to take the equivalent of the physical security measures that they implement and extend them to the virtual world. “Hacking and breaching data are in themselves an industry today; we as users need to be cognisant of how we protect access to our data. This is no longer the sole purview of the IT department; you need to take responsibility for your own personal information. This starts with implementing better password practices and things like two-factor authentication to protect corporate data, albeit residing on personal devices.”

In this age of the fourth industrial revolution, which is all about data, security is more important than ever before, and the same basic principles apply regardless of the size of the business.
