Mind the Gap
The sheer number of IT departments that are not acknowledging the numerous security gaps for cyber-attackers to exploit is astonishing. The problem is that many of those within the industry believe they have their security posture under control but they haven’t looked at the wider picture. The number of threats is increasing every day and as new technologies and opportunities emerge, companies need new security infrastructure to cope with the modifications of the threat landscape. Currently, C-level executives struggle to keep up with the necessity to approve budget requirements to bring their enterprise security up to the next level of protection. If companies are not up to date with the latest trends, businesses are being left more vulnerable to data breached as a consequence.
Executives are well advised to check, whether they have the following points considered in their security shield.
1. More than 50% of all internet traffic is SSL encrypted today. This may sound secure, but has unfortunately an opposite effect as well. It is too easy to hide modern cyber-attacks in SSL-encrypted traffic as a lot of companies are not inspecting that traffic for various reasons. One may be performance issues of their existing security infrastructure, as SSL-scanning needs high bandwidth and powerful engines. Regulatory reasons may be another excuse, as companies have not yet worked out how they can scan the encrypted traffic compliant with their local regulations. As a consequence over 50% of all internet related traffic remains uninspected for modern malware – and attackers are aware of that situation.
2. Mobile devices are another issue – with users potentially accessing corrupted websites or applications on devices that are not controlled under the company’s security umbrella. As the mobile user is the weakest link in the security shield, there exists a real danger that an infected mobile device is logging on to the corporate network and allows the malware to spread further.
The device could be owned by the employer, and if it isn’t secured, sensitive customer and business data could also be easily retrievable. What is surprising is that despite mobile traffic accounting for more than half of all internet traffic, it isn’t yet thought of as an important part to secure. There are modern security technologies available, that are effectively able to monitor traffic on every device at every location the user is visiting. Organisations need to start thinking about implementing these technologies to close more gaps in their security shield.
3. Office 365, for all of its success stories as a cloud application, also needs to be considered by security executives. Companies struggle to cope with the increased MPLS network traffic and bandwidth requirements going along with O365, so they might be tempted to break out that traffic directly to the internet where it bounces between users, devices and clouds freely. To avoid devastating effects on an organisation, companies are well advised to think about modernising their security infrastructure to take into account that all locations and branch offices need fast and secure access to the cloud to enable a great user experience.
4. The incoming EU General Data Protection Regulations (GDPR) will require companies to secure Personal Identifiable information (PII) more than ever before, or risk huge fines as well as subsequent reputational damage in case of a data breach. What is important to note is that even UK companies will have to comply with GDPR after the Brexit if they process personal data of European Citizens.
Companies will need to get valid consent for using personal data, hire a data protection officer (DPO), notify the local data protection watchdog when they have been hit with a data breach and perhaps most crucially companies could be fined up to €20m or 4% of their annual turnover if they are breached. With so much to do, businesses need to do their homework to ensure they’re compliant by May 2018.
Companies are setting off on their path towards digital transformation. They do well, if they start considering security requirements going along with the needs of a modern world before they set off on that path. Zscaler will continue to watch the industry, adapt and will not be afraid to challenge the status quo in the interests of providing better security to mind existing gaps.