The always-on, always-connected systems that underpin modern businesses bring enormous benefits in terms of flexibility and ease of access. But at the same time, this connectivity makes your IT systems and data more vulnerable to attack.
And with the all-too-regular stories in the media about data breaches – and GDPR just around the corner – now is the time organisations should be carrying out security healthchecks of their IT systems and applications. After all, you don’t want to lose revenue, compromise profits or follow in the footsteps of British Gas, TalkTalk, Wonga and many others by making headlines for the wrong reasons.
Cybersecurity is a wide and complex field, with so many moving parts and potential attack surfaces to defend. It can be difficult to know where to begin, which is why we’ve put together this guide as the starting point for your IT healthcheck.
1. Is your website or application served over HTTPS?
It’s becoming standard practice for all websites to be encrypted. This means using an SSL certificate to create a secure connection between your web server and the user’s browser. This has long been standard practice for sites that collect personal information or require people to enter passwords. But even if you’re not doing this, serving your site securely helps build trust. It demonstrates that your organisation takes security seriously, and that the content on the site is genuinely from you.
Using HTTPS can also boost your Google search ranking, and while it still requires some know-how to configure, the overall setup process is much more straightforward than it used to be. So if your site or application doesn’t use HTTPS, look at retro-fitting it.
2. Do your websites or applications require additional layers of access control?
If someone stole usernames and passwords and gained access to one of your systems, what impact could it have? What would the individual have access to, and what could the implications be for your organisation or your customers?
As many a phishing scam has proven, usernames and passwords can be obtained relatively easily, so if your systems contain anything sensitive, you should be looking at additional security measures.
Many of us are already familiar with two-factor authentication, where you receive a text or email with a verification code needed to complete the login process or a transaction. You could also consider extra security questions if someone is logging in from an unusual location or unfamiliar device. Biometrics is another option – could you take advantage of the fingerprint sensor in your user’s smartphone, tablet or computer, or even facial recognition?
Again, these additional layers of access-control security can often be retrofitted to existing systems.
3. Your perimeter may be secured, but what about inside?
It’s a common misconception that as long as the outer perimeter of your system or IT estate is secured, what’s inside is safe. The problem is, if someone gets through that perimeter, they’ll have free reign to do as they please, potentially stealing data or causing any number of other problems.
That’s why you should look at security like an onion, with multiple layers of protection guarding your key information. And one of those layers should be the encryption of sensitive data when you store it – ‘at rest’, as it’s known. When your data is encrypted at rest, even if someone steals it, they can’t do anything with it unless they can break the encryption.
Most data encryption uses a software ‘key’ to enable access. But if what you’re looking after is particularly sensitive, such as financial or healthcare data, it’s worth considering a hardware security module for additional levels of assurance.
Encrypting your data at rest does come at a cost: your system can take longer to build and will be more expensive. Moreover, constantly encrypting and decrypting the data as you use it will impact performance to some degree, depending on the complexity of the encryption. This is why it’s important to choose what you encrypt and the level of encryption you use: categorise your data based on sensitivity, and apply appropriate security to each layer.
4. Is legacy support making you less secure?
If your website or IT systems remain accessible to people using older browsers or operating systems (OSes), you won’t necessarily be able to take advantage of state-of-the-art security features. Consequently, legacy support can leave you more vulnerable to attack.
If you have a system that hasn’t been refreshed in a little while, now’s a good time to assess it. Does it still need to offer legacy access? If not, removing it could enable you to implement more robust security approaches supported by newer browsers and OSes.
If legacy access is still required, look at ways of re-architecting your system to shrink and ringfence the areas that older browsers access. This will enable you to protect other parts by taking advantage of more modern security.
5. Are your cloud systems correctly locked down?
Cloud data centres are generally very secure when it comes to physical access. But it’s incredibly important you configure these public platforms correctly – arguably even more so than private, on-premises ones. This will help ensure your cloud-based data doesn’t inadvertently slip into the wrong hands, as happened recently to FedEx when one of its cloud data stores was found to be misconfigured and hence publicly accessible.
Have you made sure everything is set up as it should be? Do your teams fully understand the impact that changing a setting in one area could have on other parts of your cloud estate? Have you got safeguards in place to review the impact of cloud configuration changes, and ensure you don’t unwittingly expose data?
The starting point for your cybersecurity healthcheck
These five areas illustrate just how broad a field cybersecurity is, and it’s a topic we could write whole volumes on. What’s more, no two organisations’ situations or requirements will ever be exactly the same.
But if you start by addressing these five points, you’ll help block key attack routes, and get your business thinking about where else it may need to make improvements, to protect your customers, profits and reputation. Don’t leave it until it’s too late.
