Secure by Design is one of the pillars of an Adaptive Technology Model. To see it as just a function of your IT team, or through the lens of technology alone, could needlessly expose your organisation to risk.
Mimecast is IT Lab’s trusted security partner. Dan Sloshberg, its Director of Product Marketing, believes the most successful security strategies are owned by everyone in a business:
“The Secure by Design principle helps people think about security in the broadest sense. For example, the security posture of their vendors, how vulnerable their legacy and on-premise systems are to attack, and the risks their users present.”
We asked Sloshberg three questions:
When evaluating vendors, there are a number of things you should look at. First and foremost is where does security sit in that vendor’s priority list? They may have built an impressive product, but haven’t followed secure by design principles.
There could be shortcomings in security, or it’s done in a way that isn't intuitive for the user. The vendor you choose should help you achieve the level of protection you need, whether it’s for regulatory purposes or your own risk management profile.
A good vendor will help you along that path, not get in your way. And why not lean on a vendor who can demonstrate they take security seriously, rather than trying to piece it all together yourself?
Vendors aren't created equally, that’s certain. By looking at simple things such as their certifications, you can quickly tell how seriously they take security and data protection, and whether they can be trusted with your data.
Sloshberg's advice is a practical checklist covering:
While technology is innovating and changing at speed, the bad guys are innovating just as fast, if not faster. You need a vendor with the flexibility to respond to that change, especially when it comes to the threat landscape.
No single vendor can innovate rapidly enough to keep up with evolving cyber-crime tactics. By relying on their technology alone, they're self-limiting. What you want is a vendor that has their own robust tools, but can augment and plug-in the latest best-of-breed detection tools, engines and other capabilities to stay ahead.
Drawing from the collective innovation of an entire industry is better than what one company can do alone.
The transition from on-premise and legacy systems demands a measured approach. As with The Benefits of Hybrid Cloud Services, the road to a full app driven environment is best taken in small steps.
While organisations are relying on their older systems, how can they protect them and their data from cyber-attacks?
Sloshberg: “Retrofitting security, as opposed to the inherent ‘Secure by Design’ of a new system build, can be tricky. The best security should be invisible, and done in a way that isn’t clunky or an obstacle to people doing their jobs.
“My foremost piece of advice would be don't tackle your older estate system by system. Look at how you can wrap a security layer around your legacy and on-premise systems to bring them into a unified framework. Consider single sign-on and multi-factor authentication.”
Sloshberg advises:
Technology isn't a panacea for every threat; look at your business processes too. For example, how you set up a new vendor, how you validate them to ensure payments are not going to a fraudulent account.
Also your physical security – do your staff have the confidence to challenge unaccompanied visitors? There must be sensible checks and balances.
One staggering statistic is that 90% of cyber-attacks use email as the way in. Arguably, email is the most vulnerable system organisations run. As social engineering and phishing attacks grow in sophistication, even the shrewdest of users can be duped into clicking on a malicious link or opening a suspicious attachment.
Sloshberg: “Mimecast deliver the latest advanced security to help companies protect themselves. Our targeted threat protection products go way beyond what people commonly term ‘email security’ which is just anti-virus and anti-spam. While these remain necessary, they only do part of the job these days.”
“Many security vendors offer solutions to protect against inbound email, but most don’t look at internal email. It’s one thing to make sure that nothing bad comes into the business, but ensuring malware isn't spread from inside the business is crucial too. Take the scenario of a compromised insider with an infected file on a USB drive, who might try to share it via email.”
Sloshberg agrees that cyber-security awareness training is important: “Users can be blamed for inadvertently causing havoc, but organisations need to consider the support and education they provide. Cyber-security training should be ongoing, not simply addressed at employee induction then forgotten.
“Just like IT Lab’s model, employees should be encouraged to be adaptable and open to change too. There will always be those who’ve done things a certain way. It’s a question of educating them and reflecting on your organisation’s leadership and culture.”
Sloshberg concludes: “Security on its own is no longer enough. Regardless of the tools you have, and what processes and training you put in place, the likelihood is you'll be breached at some point.
“Organisations need to think more in terms of cyber resilience and prepare for the inevitability of a successful attack. What if critical and sensitive data is deleted or corrupted, can they get it back? If their systems are impacted, do they have a way of making sure employees can continue to work effectively?
“At Mimecast, we bring leading advanced security, data protection and recovery and business continuity for email into one platform. We can help IT Lab’s customers drive towards Secure by Design, not just from the protection angle, but the resilience piece too.”
Click here to explore our Adaptive Technology Model Hub and discover other rich resources.