Defending the enterprise in an increasingly complex environment

Technology has transformed the way organisations work and its evolution is now faster than ever before. The promise of IT transformation presents many opportunities for businesses, but the number of options IT departments face can be daunting. As technology continues to push boundaries, firms must take steps to reduce the possibility of dangerous cyber-attacks that the ever-increasing threat landscape presents.

Keeping up with rapid change
The enterprise IT landscape is almost unrecognisable from that of the early 2000s; back then, the most important network threat was, in most cases a personal USB thumb drive brought from a home environment. Now, BYOD, VoIP and the Internet of Things (IoT) must all be accommodated.

Standard defence mechanisms set in place by IT teams might have been effective until now, but as more technologies carve their way in the enterprise, the larger the attack surface grows. As firms become increasingly mobile, users are pushing corporate policy by bringing their own products and services inside the company. File-sharing applications originally designed for consumers, for instance, are one of the main causes of corporate data leakage, with over a third of firms reportedly experiencing a leak in 2014 as a result of employees sharing files via un-sanctioned services.

Rogue IT is a complex issue that relies on people, processes and technologies. Companies should increase control over their file-sharing policies, practices and technologies but should do so in ways that do not limit employee productivity or satisfaction. Ideally, organisations should provide staff with secure in-house hosting solutions that are user-friendly as well as cost effective.

Internet of Things: assessing the risk
The IoT poses a significant risk to company security. When employees connect their devices to the enterprise network, they expose it to unauthorised access and cyber-attacks; this happens because IoT devices tend to have insecure frameworks that can be easily compromised, as well as due to issues with password security, permissions, data encryption and the lack of firmware updates.

Like any other technology in its infancy, the IoT doesn’t come with a one-size-fits-all solution to guarantee the security of all connected devices. Companies manufacturing new connected products should consider security within the design process as opposed to implementing security features as an afterthought, analysing the potential risks and vulnerabilities that the product might pose to its users.

Implementing proper authentication is vital, as is limiting permissions to allow normal functioning in the case of a security breach. Interfaces should also be secured between devices and services; the communication between a mobile device and the cloud can become vulnerable to cross-site scripting (XSS) attacks, where malicious scripts are injected into otherwise trusted websites as well as cross-site request forgery (CSRF) attacks.

Identifying the weakest link
Cybersecurity is now a core enterprise concern – yet, surprisingly, a recent Marsh report found that 70% of UK firms do not assess the suppliers or customers they trade with for cyber risk. This is incredibly risky, as data leaks involving third party vendors with access to the customer credentials of large companies have exposed the latter to vast financial and reputational damage on numerous occasions. The Target data breach is one of the most famous examples from recent times.

Attackers usually target a company’s weak links. With most known breaches occurring due to a contractor or small business partner unintentionally backing up sensitive data to an unsecured computer server accessible from the internet, it is essential that companies implement robust vendor oversight to monitor how third parties are storing, handling and managing access to sensitive data.