When it comes to preventing cyber attacks, no one technology can prevent a determined attacker from breaking into an enterprise network. However, a combination of preventative tools, best practices and employee training has helped one energy company bolster its security defenses over the past several years.
Engie Insight, which is based in Spokane, Wash., helps large businesses and Fortune 500 companies manage their energy use. The company recently rebranded from Ecova to better align with its French parent company.
However, beyond energy use and name changes, Engie has worked to meet the challenges that come with modern security practices, namely data protection and improved alertness. The company recently achieved Service Organization Control (SOC) 2 Type 1 for the security and availability trust principles in its utility business efficiency platform, which shows a significant commitment to data security.
To learn about how enterprises can improve their own data protection and make better use of employee security training, Security Now spoke with Paul Carugati, Engie's director of information security.
In the company's experience, the most comprehensive way to defend against modern cyber attacks is to layer multiple preventative and detective controls to ensure maximum protection and response capabilities at all times, according to Carugati.
"This is known as 'Defense in Depth' and is a best practice for enterprise information security programs," Carugati said.
One of the most instructive aspects of data protection for an organization that has been the victim of a cyber attack is learning how other companies protect and secure their data.
To ensure that its client and sensitive data remain unsullied, the information security program is aligned with industry standards such as the NIST Critical Infrastructure Protection and ISO 27001:2013 frameworks, which focus on a combination of people, process, technology and risk management controls to minimize incidents and to manage response, containment and recovery.
Society thinks of preventive health care as a wise step, something that keeps us from becoming victims of illness and viral infection, and for Carugati it is no different in the enterprise. "The more prevention, the less risk [there is] to let unattended vulnerabilities damage and steal our data," he said.
For Carugati, technology such as next-generation firewalls, intrusion prevention, data leakage detection and anti-virus are all valuable, foundational security controls for prevention, or early detection.
"But true prevention lies with the understanding of critical information assets and the knowledge of associated enterprise risks which drive right-sized controls around the data that is most crucial to the organization," Carugati said. "A purpose-fit information security program must be well-rounded and driven by the data of concern."
Alongside prevention and an understanding of the critical risks to which the enterprise might be exposed comes security education. Employees who are not trained to recognize and prevent security threats represent the most serious internal risk a company can have.
"Above all else," Carugati added, "people are the most critical component to any information security program. People are the new threat landscape and as such, are the primary targets in modern cyber attacks. Users are the attack vector, but also the first line of defense."
Proper security education, coupled with frequent assessment and testing, is an organization's greatest preventative control to thwart an impending cyberattack.
"Enterprises should never underestimate the power of their people to report the early warning signs that could lead to a major data breach," Carugati said.
— Susan Fourtané is a science and technology journalist and content writer, whose work has appeared in global publications and Youris.com, the European Research and Innovation Media Centre. She is based in Europe. Follow her on Twitter @SusanFourtane.