CONNECTING THE DEFENCE COMMUNITY WITH INSIGHT, INTELLIGENCE & OPPORTUNITIES

Officially Supported By: dco_logo_land_webonly_k dcb_logo_land_webonly_k
Official Media Partners for: dPRTE_logo_land_webonly_k

This year’s data spillage at the US Marine Corps Forces Reserve, which laid bare personal details of 21,000 marines, sailors and citizens, and the leak at India’s defence ministry that exposed sensitive data on a number of soldiers, are a stark reminder that even organisations in the most security conscious of sectors is vulnerable to data loss.

As more operational processes are digitised, and emerging technologies are introduced to improve business efficiency, the threat potential increases. New cloud- and IoT-driven architectures can be exploited by hackers, for example, while mobile working practices make it more likely that employees will expose information to loss or theft.

Data without boundaries

Research from Apricorn shows that 29% of organisations have suffered a data breach or loss as a direct result of mobile working. Employees collaborate and share information daily across mobile and cloud platforms, potentially making it vulnerable to access by unauthorised users. They are also physically removing information from the organisation on smartphones, removable hard drives and USB storage devices, which are easily lost or stolen.

In the office, connected devices can increase the ransomware threat, while providing hackers with an entry point to the network from which they can move laterally until they find something of value.

Another avenue of risk lies in defence supply chains, which are increasingly complex and globally dispersed. It is unlikely that any contracting organisation will have a detailed picture of its suppliers’ digital environments and cybersecurity frameworks – and this increases the risk of falling foul of regulations.

Seize control

Digital data must be protected at all times, but most security strategies and policies are no longer fit for purpose. There’s no clear perimeter to patrol and defend in this new business environment, and traditional security models and tools such as firewalls, VPNs and gateways cannot be relied on to prevent data loss or stop cyberattacks. Digital transformation delivers the agility and speed-to-market required to remain competitive. This means that limiting access to ‘risky’ technologies and applications is not the answer to safeguarding data.

The solution lies in a multi-layered security approach that is both people-centric and data-centric, and which encompasses policy and technology. There are four key actions that will enable organisations to understand where their liabilities are, and take decisive steps to address them.

Audit all company data. This will provide visibility of exactly what data the business holds and processes, and highlight where information may be unprotected and/or at risk.

Every organisation should document:

  • Exactly what data is held and collected, and for what purpose.
  • Where it is held, and where it flows.
  • How it is processed, stored, retrieved and deleted through its lifecycle.
  • Who is authorised to access it, and why.
  • What security controls are applied to it.

 

This is a good opportunity to improve data hygiene by deleting any data that is not required to run operations, and to limit access to information only to those who need it.

The organisation should also check that the way digital data is handled and controlled complies fully with key regulatory frameworks such as ITAR. GDPR extends the definition of personal identifiable information (PII) to genetic data and biometric data, as well as IP addresses and cookies where these relate directly to individuals – making it essential that these categories are appropriately protected.

 

Review security policies, procedures and processes. This will highlight any gaps which need addressing. Existing policies should then be updated, and new ones developed as necessary, to control how digital data is captured, accessed, processed, managed and disposed of. These must be clearly defined, written down, and shared across the organisation and with partners and contractors.

Specific policies and processes should be created and enforced to protect data when it is outside of central systems, including policies that relate to removable media, mobile devices and flexible working. One in 10 companies admits its security strategy does not currently cover storage devices such as USBs.

Processes that enforce the regular backing up of systems and data, meanwhile, will help to mitigate the impact of a ransomware attack.

The business must also put in place processes that prime it to respond to requests EU citizens may make under the new rights bestowed on them by the GDPR – such as demanding their data in a portable format, or that all their data is deleted.

 

Encrypt data at all stages of its lifecycle. Strong encryption forms the last line of defence. This approach should include the mandating of a FIPS certified, hardware encrypted mobile storage device, and the enforcement of its use through policies such as whitelisting and locking down USB ports so they can accept only approved devices.

Build a culture of accountability. People remain the weakest link when it comes to data security: 44 per cent of IT decision makers in the UK expect employees will lose data and expose their organisation to the risk of a data breach.

To mitigate the human risk, organisations should run training programmes that educate all users in the threats and compliance requirements specific to the business, their role in protecting data, and the procedures they must follow. These can be extended to partners’ and contractors’ teams to ensure the entire supply chain follows the same best practice.

Digital business is creating a complex and evolving security environment, and defence organisations’ security strategies must keep pace with the speed of their digital transformation programmes. This means carrying out data audits at regular intervals, and reviewing policies to check that they remain fit for purpose. Security systems must be up to date – particularly encryption and authentication technologies, tested regularly, and adjusted to defend against evolving cyber threats. Achieving a security posture appropriate for digital business is anything but a one-off exercise.

Jon Fielding, Managing Director EMEA for Apricorn

If you would like to join our community and read more articles like this then please click here.

Apricorn data breach Jon Fielding US Marine Corps Forces Reserve

Post written by: Promark Media Ltd


LATEST STAKEHOLDER

Become a Stakeholder today and benefit from an exclusive marketing package which will allow you to:

  • Engage with active defence buyers and key supply chain partners
  • Create your own branded micro-site which within Defence Online which is managed by you
  • Have a dedicated Digital Account Manager to help enhance your Stakeholder page
  • Promote your news, products, press releases, eBooks and Videos as a Defence Online partner which feeds through to our homepage and social media channels
  • Have your company promoted on our partner website Defence Contracts Online (DCO)
  • All news promoted in mynewsdesk, a major hub for all of our news articles which enables news to be picked up from trade magazines, national newspapers and many other publications which offers extra exposure at no additional cost!

Contact us today or call us on 0845 557 1315 to take advantage of this exclusive marketing package

RELATED ARTICLES

May 23, 2018

Land - ‘Extreme’ USB supports effective C2 in a jungle environment

“Jungle is neutral. It attacks everything, and attacks it very effectively. Having kit that works as well in that environment as

August 31, 2017

Homeland - How tech trends are impacting military networks

New technology trends bring with them excitement, but also complexity and confusion for agencies who already have enough on their