For those of us who work in IT, the feelings we have when technology evolves are often somewhat contradictory.
On the one hand it’s incredibly exciting to see the impact new tools and approaches have on your business. On the other hand, we’re the ones who have to make sure all this stuff stays secure!
An increasing number of applications are being stored off-premise in the cloud, often with third-party providers – 71% of organisations already spend half their total IT budget on external suppliers, according to a recent CIO survey.
With that and the enormous amount of company and customer data sitting in all those different areas, the job of protecting our organisations gets more challenging every day.
In fact, with one in five UK firms being hacked last year, it’s safe to say cloud security is the number-one cause of insomnia among IT decision-makers.
But that burden needn’t lie solely on the shoulders of technical staff. There are a number of steps you can take to help ensure everyone in your organisation can contribute to a safer Hybrid IT environment.
1) Have a strict password policy
Last year, password management firm Keeper Security released a list of the most common passwords in 2016.
The top 10 included such cringe-inducing delights as ‘password’ and ‘qwerty’, but perhaps most shocking of all was that ‘123456’ made up almost a fifth (17%) of the 10 million passwords analysed.
We wouldn’t dream of leaving our offices unlocked at night, so why make life so easy for online criminals? A clear password policy, based on the ones you’ve applied in a traditional environment for years, can help, though.
Password length, complexity and frequency of change are all still critical factors for any secure system, regardless of its cloud/traditional status. Common sense best practice applies: don’t write it down; don’t use your birthday, dog’s name or place of birth; and certainly don’t share your password with others.
On a basic level that means insisting on certain criteria for passwords (a mix of letters, numbers and a special character, for example), but it also means regularly updating passwords in case any have been compromised.
2) Enforce the policies using automation
With employees using so many different applications now it can be challenging to manage and memorise all those different passwords (not to mention a productivity-killing pain in the proverbial for the staff involved).
One way around this is through password synchronisation – using password management software, for instance, to let users log into multiple systems using only one code.
We see automation as the best way of enforcing policies. A cloud access security broker (or CASB, to use the Gartner term) is the right place to start looking for a product to secure access to a cloud environment.
Some of these tools have useful features such as:
- Geographical assessments. Spotting when someone accesses your applications, systems or data from an unusual location. Some tools have the intelligence built in to notice that you accessed a service at 11am on the US East Coast and then again at 3pm in Paris, which is practically impossible given the distance and the speed you would need to travel: unless you’ve re-commissioned Concorde!
- Encryption enforcement. Intercepting unencrypted data uploads to services like Dropbox and either blocking them or automatically encrypting the data en route.
- Identity brokering. An IDaaS (Identity as a Service) solution can also be used to federate access and act as an identity broker for on-premise and cloud services.
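As an added illustration (not code from the original post or from any CASB product), here is a minimal version of the geographical check described above: consecutive logins by the same user are compared and flagged when the implied ground speed exceeds what an airliner can manage. The 900 km/h threshold, the coordinates and the login events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware UTC timestamp
    lat: float
    lon: float
    place: str      # human-readable location, used only in the alert

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins (oldest first); return
    (user, from_place, to_place, implied_kmh) for every pair faster than max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Same timestamp but a different place is infinitely fast.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((ev.user, prev.place, ev.place, speed))
        last_seen[ev.user] = ev
    return alerts

def utc_at(hour):
    return datetime(2017, 6, 1, hour, tzinfo=timezone.utc)

# Constructed sample events, not real log data. alice mirrors the post's US East
# Coast -> Paris pairing four hours apart (about 5,840 km, so roughly 1,460 km/h);
# bob's London -> Paris hop three hours later is a train journey and must not alert.
SAMPLE_LOGINS = [
    Login("alice", utc_at(15), 40.7128, -74.0060, "New York"),
    Login("alice", utc_at(19), 48.8566, 2.3522, "Paris"),
    Login("bob", utc_at(9), 51.5074, -0.1278, "London"),
    Login("bob", utc_at(12), 48.8566, 2.3522, "Paris"),
]
```

Calling `impossible_travel(SAMPLE_LOGINS)` returns a single alert for alice and nothing for bob; in practice the same check would run over a real identity provider's sign-in log with IP geolocation supplying the coordinates.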
Automation also gives us the peace of mind that we can recover from vulnerabilities caused by human error. Imagine that someone accidentally leaves an access key, token or password out in the public domain; this is a security nightmare, but human errors do happen.
With automated security services, you can proactively scan, identify and then lock down any exposures.
3) Educate employees
Education, education, education – I really can’t stress this enough.
It’s easy as a technical person to assume everyone understands basic cybersecurity best practice.
Taking things for granted should never be an option in IT security, however, and ensuring all employees – from the front line right up to the boardroom – are fully aware of any potential security risks can help avoid any unnecessary mistakes.
Setting strict policies and sharing these openly with employees is a core principle. This should always be supported by training and awareness for employees: not just on the policies themselves, but on the possible consequences of not having these rules in place.
Nothing brings this home better than an example of a competitor, or a well-known organisation or individual, who had a painful experience when not following secure Hybrid IT practices.
Try not to set the kind of laborious mandatory training that plagues individuals in organisations just to tick a box. Make it interactive, make it interesting, and try routes which are more than just “death by PowerPoint” and a set of questions.
Consider ‘gamifying’ your training, or having routes to link through social media. Perhaps you have special interest groups you can engage to get the conversation started.
Another effective method is to help people put business data on the same level as their personal data. If they wouldn’t click a suspicious link on their personal email account, they shouldn’t be doing that at work either. Give people that perspective on workplace security and the impact can be powerful.
And education isn’t only a preventative measure – it can also empower employees to help limit the damage caused if a security breach does happen.
If workers already know what to do, the time between an attack being discovered and people taking the required action – logging out of the network, for instance, or updating all passwords – is reduced.
Finally, gaining exec buy-in is critical, as is making security a standard part of the agenda for whenever an exec briefing occurs. People will naturally listen to leaders!
4) Seek partners, not suppliers
As I mentioned above, the number of external suppliers all of us have to rely on as IT decision-makers has exploded in the past few years.
While we’ve seen benefits such as increased agility and reduced costs as a result, it’s fair to say our degree of control over every single thing happening in and around our organisation’s IT ecosystem has changed.
Put simply: much of the potential surface area for attack now sits outside company walls.
And so the relationship you have with suppliers has changed. No longer is it simply a transactional give-and-take situation – the security of your business relies, in part, on them.
With that in mind, it stands to reason that you need to develop deeper relationships with those suppliers so they effectively become an extension of your team – ones that allow you to assess their security capabilities in a qualitative way.
Having that level of trust means you can communicate and collaborate with them as strategic partners. It means you can use their market expertise to help fill any gaps in your own security knowledge.
As with education, however, this is not just about preventing a hack altogether.
Attacks are likely to happen at some point, no matter what you do. If and when they do occur, the relationships you have with affected suppliers are critical.
In short: when ‘stuff’ hits the fan, you need to be able to rely on people you can trust.
Those are just a few ways you can improve Hybrid IT security without heavy investment in technology or technical skills, but this list is by no means an exhaustive security strategy in itself.
Taking these steps as a minimum, however, means any cloud security technology you do deploy is supported by the necessary processes and culture.
On that note, I’d be really interested to know if and how you’ve embedded any of the above in your own organisation. Please do let me know in the comments below.