Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/13/2018
10:30 AM
Francis Dinha
Francis Dinha
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Data Security Landscape Is Shifting: Is Your Company Prepared?

New ways to steal your data (and profits) keep cropping up. These best practices can help keep your organization safer.

The world around online data is changing, and with it the landscape of business is facing an irreversible shift. Not only in terms of regulations — with the European Union's General Data Privacy Regulation enacted — but in the way businesses actually use and have access to data. An increasing number of businesses are moving their data to the cloud, which brings a different set of security issues.

Through the cloud, hackers can shut down your business for weeks — or longer. They can steal not only your data but your resources. Companies often don't take this threat seriously enough. The cloud feels invisible, so we make the incorrect assumption that it's inaccessible. I've seen many powerful companies neglect simple steps — like properly training their staff, having a backup in place, or limiting employees' access — which can make the difference between powerful profits and destruction due to cybercrime.

Thankfully, there are steps you can take to protect your company, and they aren't that complicated. Implement these five best practices to keep your data (and profits) out of the hands of hackers.

1. Make sure your IT staff is highly trained and available. Make sure your IT staff is highly trained and available. Too many companies relegate their IT crew to a dusty office in the back, with no supervision and little training. They're treated as outsiders, usually because they have a different skill set and a different goal than the rest of the team — they're there to support the company, rather than expand the company like sales or product development. Because of this, IT faces the same kind of problems people in other supportive departments, like HR, face: they're taken for granted, denied the resources they need, and sometimes even unfairly blamed when something related to their department goes wrong.

But these supportive departments are vital to your company's functioning, and you neglect them at your peril. The IT world is constantly shifting, so the training for your employees needs to be updated constantly if you want them to succeed. Provide them with the right resources and ever-updated training, and you'll find yourself with an IT team ready and able to support your employees and protect your data. Proper training means your IT staff will see the incoming problems before they arrive — and, for the problems that do come, your IT team will be well equipped to handle them.

2. Educate your regular staff and develop a company-wide policy. Once your IT staffers are highly trained, you can rely on them to develop a company-wide security policy that you can implement and enforce. Many details will depend on your company and industry, but there are a few basic practices that every company should employ.

  • Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network.
  • Don't let your employees use their personal phones for company work. But if you do, have the right certificates installed on their devices.
  • Put up all walls to protect employees from hacking, and make them a standard part of your company policy — one that your employees understand, are trained in, and can implement. Having the best security tech in the world will mean nothing if your staff isn't taking it seriously.

3. Everything is on a need-to-know basis. Your employees do not need access to everything — they only need access to what's relevant to them. Policy comes into play here again: Make sure each level of access is protected by two-factor authentication and strong passwords, and work with your IT team to see that everyone has the access they need — but no more.

4. Back everything up. Yes, this step may seem basic, but I've seen plenty of otherwise savvy executives avoid it. They don't want to deal with the work of creating a backup to all their data, all their code, all their important financial info — it feels like a hassle, but it's absolutely essential. You're at risk of losing an incredible amount of work if you don't have a backup to turn to in case of an emergency. What's more, make sure you back it up somewhere private. Don't simply rely on Google Drive! On top of all this, charge your IT team with having their own backups and regularly taking snapshots of their work. There are plenty of tools available to make this simple; just make sure your IT staff really is using them. Then, of course, make sure all those backups are private and insulated extensively from attack.

5. Prepare for the worst. No matter how much you prepare, there will always be risk involved with any kind of online data storage. Inherent risk means you must be inherently prepared. Have a disaster recovery plan in place, ready to go if a hacker destroys your data. Recovery from this kind of attack is all about speed — the longer your company is down, the greater the damage will be long-term. No insurance or reparations can make up for the potential business your company loses when it's out of commission — which means a speedy recovery, more than anything else, determines whether a company will be able to bounce back. Use the backup you developed to rebuild and relaunch your programs; make it automated if possible. Set a plan in place so that, when the worst happens, you can turn it around quickly, efficiently, and effectively.

If hackers have your company as a target, they'll either want to attack you and bring your network down or they're simply after financial gains. Many hackers will try to gain access to your Amazon cloud account, steal the key, and launch a prolific amount of CPU usage, just to mine it for digital currency. Every day they develop more strategies, and every day they find new incentives. But whatever the goal, a cyberattack can mean the loss of profits, or worse, a permanent shutdown of your entire company. As our data and business landscape shifts and changes with developing technology (and corresponding government policies), make sure you and your team are prepared to ride any wave that comes your way.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Francis Dinha is the CEO and co-founder of OpenVPN, a security-focused open source VPN protocol. With more than 50 million downloads, OpenVPN has been in the open source networking space since its founding in 2004. Its Private Tunnel service provides "last mile" security to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AdelaidaP
50%
50%
AdelaidaP,
User Rank: Apprentice
8/16/2018 | 3:58:21 AM
just
I think you can't be 100% prepared for all.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Hunny, I looked every where for the dorritos. 
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...