Jon Fielding, Managing Director EMEA Apricorn, discusses the need to focus on information and data protection whilst tackling the critical ‘human factor’ in breach prevention, backup and recovery strategies
It’s all well and good having rigorous data protection policies and standards in place, as many organisations indeed do. However, we continue to see that if employees are not aware of these policies or apply them in practice, they may as well not exist.
We rarely go for long without hearing of an information security breach or cyber-attack to which a public sector body or local council has fallen prey despite significant ongoing efforts and resource deployment to prevent them.
Aberdeenshire Council had 243 data breaches between 2020 and 2022
A case in point appears to be Aberdeenshire Council, which revealed in response to a Freedom of Information (FOI) request that some 243 breaches occurred between January 2020 and March 2022 – with that figure representing an upward trend.
Whilst public and private sectors increasingly value best practices around information security: gaps in approach continue to result in exposure and risk. One area where improvements can often be made is in education and training.
After all, it’s commonly the ‘human factor’ that is the weakest link in the cyber security plan; it won’t matter how large your cyber security technology investment is if it is not paired with appropriate behaviours and understanding throughout the organisation.
At Apricorn, we have concluded that a solid requirement for comprehensive cybersecurity training should be written into every employee’s contract, with regular knowledge updates mandated and delivered, for all workers both internal and external to the company. This must be an integral, ongoing part of staff professional development.
From the onboarding stage onwards, employees must be kept up to date with evolving cyber threats as well as corporate cyber security, information and data handling policies, bolstered with regular refresher courses and bite-sized learning approaches added in.
Training shouldn’t cover only the ‘what’ and ‘how’ of keeping data safe and data protection. A comprehensive education approach must also include the ‘why’ element – the specific risks to the organisation and its customers or service users if policies are not adhered to along with potential ramifications.
Corporate stakeholders and workers alike should be accountable for information security
All must understand that cyber security cannot simply be delegated as ‘someone else’s problem’ – least of all the IT teams, regardless of seniority, department or specific role.
Implementing training that builds upwards from this greater level of context will create the engagement required, alongside an understanding that the company must be accountable for the totality of its actions around the handling of information and data protection.
We often hear that ‘accidental’ mistakes contribute to breaches and failings in cyber security and information security. To err is human, certainly – but we should not forget that an effective mitigation strategy to defend the company against near-inevitable human error is essential.
More must realise too that change is possible – Apricorn’s latest research shows that more than 60% of IT leaders still expect their remote workers to expose them to the risk of a data breach, regardless of the training they’ve received.
Education should be combined with the automation and enforcement of security policies
To help bridge this gap, education should be combined with the automation and enforcement of security policies through technology wherever possible.
Robust, regularly reviewed and tested policy and practice, with appropriate technology choices and implementation, supported by education and comprehensive backup and recovery strategy, will deliver optimum protection where, even in the event of a pernicious cyber-attack such as ransomware or successful spear phishing of executives, a swift and efficient recovery can reduce the chance of costly downtime.
Data recovery successes rely on quality backup strategy execution
Scheduling automatic backups of all data on a regular basis is also important – perhaps every day, depending on how often the data is altered or changed and how critical specific data sets are to the organisation’s mission.
In an Apricorn survey from April 2022, 99% of surveyed IT decision-makers stated they have backup strategies in place, but as many as 26% admitted they were unable to fully restore all data and documents when recovering from a backup.
Only 27% acknowledged having automated backup to both a central and personal repository. We have found that three in five companies do not back up their data or devices in advance of working remotely, while only one in five follow backup best practices such as the 3-2-1 storage strategy and backing up in real-time.
If a 3, 2, 1 backup policy is employed, information should always be recoverable and restorable in the case of cyber-attack, breach or employee error. Have at least 3 copies of data, held on at least 2 different media, with at least 1 copy held offsite – a message that has not yet been heeded by everyone, it seems.
Also, the recovery process must be regularly tested to ensure full data restoration can be achieved in the event of a breach or mistake.
Additionally, the encryption of data as standard across the organisation should be mandatory, both when it’s in transit and at rest, and automated wherever possible. Currently, almost half (47%) of organisations now require the encryption of all data, whether it’s at rest or in transit – a share that’s growing, but still falling short of the level of protection possible.
We should add that the stakes appear to be rising for those organisations that don’t give the approach sufficient attention: 16% of the IT leaders we surveyed admitted that a lack of encryption had been the main cause of a data breach within their company, up from 12% in 2021.
When data is encrypted, it’s fully protected, so if for instance, an unauthorised individual gains entry to an IT system, the information will remain unreadable.
In particular, selected storage locations should include an offline solution, such as high-capacity hardware-encrypted USBs that automatically encrypt all data written to them, again taking the human risk out of the equation even for distributed teams. Copies of critical files can be kept secure and disconnected from the network to create an air gap between information and threat.
In addition, built-in hardware encryption with onboard authentication affords stronger protection than software-based encryption, which can leave devices exposed to counter resets, software hacking, screen capture and keylogging. Encryption keys can be kept safe within a hardware crypto module.
With greater attention to the above points, cyber security defences can become fully embedded into ways of working, with full benefits accruing to the organisation.
Written by Jon Fielding, Managing Director EMEA Apricorn