With most non-essential shops on the high street shut throughout much of the UK due to the pandemic in 2020, millions of people wielded their credit cards in online stores; I can’t help but think that the scammers and fraudsters had a field day as a result.
Of course, digitisation and online transactions are nothing new, but 2020 pressed the turbo button. With it, the secure outer perimeter that has long protected the vendor, the bank and the purchaser can be challenged, with many more opportunities for the integrity of information, identity and transactions to be compromised. This is one key reason that the value of the worldwide information security market has exploded in recent years.
Meanwhile the World Economic Forum ranks cyber attacks as the number 2 risk concerning business leaders in advanced economies, just behind economic crisis. And of course, in 2020 with the Covid-19 pandemic in full swing, both of these threats became very real at the same moment.
The anatomy of a breach
By now, we’re all very familiar with what happens to an enterprise when it experiences a major security breach.
The majority of the critical functions of the organisation are likely to be impacted. Operations may be temporarily disabled or severely reduced whilst the enterprise responds to and attempts to recover from the breach. With disclosure, the enterprise will face a reputational impact to its brand that might continue for many years and result in the loss of many customers. The enterprise will face a revenue impact from reduced operations and is likely to receive some sort of fine or penalty and increasing amounts of future scrutiny from the regulators. Sadly, the impact on smaller businesses may be most keenly felt; they are unlikely to have pockets deep enough or resources extensive enough to withstand such a crisis.
It’s little surprise then that enterprise customers are spending considerably more money attempting to identify, detect and protect themselves from breaches than they are dealing with the aftermath. Almost two thirds of companies that responded to a recent Cisco CISO research study said that their strategy was to voluntarily disclose a breach if it happens. This gives them the opportunity to proactively manage the process, safeguard customer trust and limit the financial penalties linked to those breaches.
The battle to protect personal identity
But what about end-customers in all of this? As consumers it seems we’re becoming increasingly resigned to the likelihood of being a victim of a personal fraud or an information breach where our data is compromised whilst held by a brand or service provider that we transact with. Breach disclosures are becoming a fact of life, and though we may have ‘security fatigue’ when hearing about them, they should be a reminder to reduce our own personal exposure.
Securing personal identity is the new consumer battleground, but it’s a tricky tightrope to walk for enterprises and organisations that hold your data. On the one hand consumers demand the convenience of making fast, digital transactions. On the other hand, they want their identity and PII protected. Additional security measures, like multi-factor authentication, can be annoying to the consumer who may have become used to the convenience of contactless transactions and ApplePay. Such measures exist for our own protection, but they don’t improve the user experience, and this is one reason why relatively few organisations in the banking and retail sector in the UK are using multi-factor authentication right now. So if customer behaviour still presents a security challenge, how else should organisations be looking to improve their security posture?
Focus areas for Enterprise security
Though security remains a high priority for the executive leadership of UK businesses, we’re seeing some interesting trends. The number of known and reported breaches is on the increase, and yet if Cisco’s CISO survey is anything to go by, C-suite consideration of security as a high priority is at its lowest level for four years. Like the consumer ‘security fatigue’ I mentioned earlier, perhaps enterprises have become desensitised to it because it comprises so many problems that are impossible to solve. I believe that enterprises should stop viewing enterprise security as a problem to be solved in isolation; it’s too big, too multi-faceted and moves too quickly. So where should they focus?
- Savvy enterprises are shifting the onus for security to their strategic service providers rather than deploying and managing large security infrastructures themselves, whilst at the same time shifting security to where it needs to be: baked into the applications, with the ability to move with the data. This is the only way to effectively balance the need for security without compromising the customer experience.
- Investments in proactive prevention remain the focus for most of our clients’ security posture, and this has increased given present concerns brought about by the global pandemic. Enterprises face a range of perpetual issues with talent and tooling, so it’s only a matter of time before sub-optimal implementation causes a breach. Again, working with specialist providers can offload some of the burden.
- Responding to phishing attempts, accessing insecure sites and failing to follow security protocols remain ever-present threats. All enterprises need a formal and active security employee education programme, continuously running and constantly updated, to reinforce the behavioural element of security in daily work.
- The growth of digitisation has brought about the need to secure and protect data held in both public and private clouds.
Zero Trust – security by design and by operation
For all of these factors, it is my view that a zero-trust framework should be adopted. A zero-trust approach dictates that organisations should not automatically trust anything or anyone, irrespective of location, with access to their systems until identity has been verified. It’s a fundamental change of approach and is one of the critical features of a software-defined environment, which enables the enforcement of network-wide policies even in a multi-vendor, multi-cloud, multi-application environment.
Ensuring systems are secure by design and by operation is critical to earning trust as an enterprise, and to enabling positive user and customer experiences by providing secure services as far as human error will allow. This approach allows you to tackle the ‘security fatigue’ that I mentioned earlier by automating multiple factors and processes and defining an individual’s access based on their identity credentials, which are centrally defined. Manual intervention simply won’t cut it. Without automation identifying, investigating, addressing and resolving issues as they occur, the increasing volume of breaches and security issues will become impossible to handle with manpower alone.
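To make the two paragraphs above concrete, here is an added example (not code from the original post, HighPoint or Cisco) of the decision a zero-trust policy engine makes on every request. It contrasts a legacy perimeter check, where a request from the internal address range is trusted outright, with a check that verifies the caller’s identity token, consults device posture and applies a centrally defined per-resource policy, ignoring where the request came from. The signing key, users, device inventory, resource paths and policy rules are all constructed for illustration; a real deployment would use an identity provider and a posture service in their place.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed signing key standing in for the key an identity provider would hold.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Centrally defined policy: which roles may reach each resource, and whether a
# managed device and multi-factor authentication are required. Anything not
# listed here is denied by default.
POLICY = {
    "/payments/refund": {"roles": {"finance"}, "managed_device": True, "mfa": True},
    "/catalogue": {"roles": {"finance", "customer"}, "managed_device": False, "mfa": False},
}

# Constructed device inventory standing in for an MDM or posture service.
DEVICE_POSTURE = {
    "laptop-001": {"managed": True},
    "phone-007": {"managed": False},
}


def issue_token(subject, roles, device_id, mfa, now=None, ttl=300):
    """Mint an HMAC-signed, time-limited token for an already verified identity."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "device": device_id,
              "mfa": mfa, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is genuine and the token is unexpired, else None."""
    now = time.time() if now is None else now
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Request:
    resource: str
    source_ip: str
    token: str = ""  # empty string means no credential was presented


def perimeter_decision(req):
    """Legacy model: anything from the internal 10.0.0.0/8 range is trusted outright."""
    return req.source_ip.startswith("10.")


def zero_trust_decision(req, now=None):
    """Evaluate one request on identity, device posture and central policy.

    The source address is deliberately never consulted: an attacker who has
    reached the internal network gains nothing from location alone.
    """
    claims = verify_token(req.token, now)
    if claims is None:
        return False, "deny: identity not verified"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "deny: no policy for resource"
    if not rule["roles"].intersection(claims["roles"]):
        return False, "deny: role not permitted"
    if rule["mfa"] and not claims.get("mfa"):
        return False, "deny: multi-factor authentication required"
    posture = DEVICE_POSTURE.get(claims.get("device"), {})
    if rule["managed_device"] and not posture.get("managed"):
        return False, "deny: unmanaged or unknown device"
    return True, f"allow: {claims['sub']} may access {req.resource}"


if __name__ == "__main__":
    now = time.time()
    alice = issue_token("alice", ["finance"], "laptop-001", mfa=True, now=now)
    # An unauthenticated request from "inside" the network: perimeter says yes, zero trust says no.
    insider = Request("/payments/refund", "10.0.0.5")
    print("perimeter:", perimeter_decision(insider), "| zero trust:", zero_trust_decision(insider, now))
    # A verified finance user on a managed device from a public address is allowed regardless of location.
    remote = Request("/payments/refund", "203.0.113.9", alice)
    print("perimeter:", perimeter_decision(remote), "| zero trust:", zero_trust_decision(remote, now))
```

The denial reasons are returned as data rather than only printed so that the same decision can be logged and fed to the automated investigation the text calls for; a burst of "identity not verified" results from a single internal address, for instance, is a detection signal that the perimeter model would never have produced.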
Moving forward, I would expect security to increase in its criticality to the enterprise. Rather than being an uncomfortable headache or something that slows down progress, I believe that it will become an increasingly powerful piece of the digital experience. Whether this results in more legislation in future, only time will tell, but it’s clear that ‘100% secure’ is neither a possibility nor a likelihood. We should still expect breaches, but identifying and tackling them with speed and efficiency via automation will allow enterprises to operate and consumers to transact with more confidence in our increasingly digital world.
For more information about how to go about architecting a zero-trust security framework, drop me an email at neil@highpoint.com.
Written by Neil Dearman, Head of Technology, HighPoint