In an EE Times Europe interview, Alan Grau, VP of IoT/Embedded Solutions at Sectigo, illustrated 5 steps for securing your business and minimizing the risk of a data break due to an insecure IoT device...
Visibility and detailed control are key elements when it comes to protecting company data. The explosion of big data, the cloud, the edge, and the ever-increasing cybercriminal threat have driven the industry to seek increasingly secure solutions.
Loss of sensitive data and information from your organization, disruption of business processes, and damage to your infrastructure are just some of the risks. Every organization’s business data and information are valuable assets for the business and must be analyzed, managed, and, above all, protected effectively. How do you properly build a data protection strategy and what challenges do you face? In an EE Times Europe interview, Alan Grau, VP of IoT/Embedded Solutions at Sectigo, illustrated 5 steps for securing your business and minimizing the risk of a data break due to an insecure IoT device.
Most protection options aim to limit control to enable the effective and secure use of data but make decisions about data protection unnecessarily complex.
Preventing cyberattacks, knowing what precautions to take at the time of an attack, and complying with cybersecurity regulations are some of the elements that, together, form a true strategy for the defence and protection of your information system.
There are multiple factors that determine what devices will be targeted by cybercriminals. Grau underlined the following:
Does the device have known vulnerabilities?
How difficult is it to exploit those vulnerabilities?
How valuable of a target is the device?
Can the device be used as a gateway to launch attacks against other devices within the network?
He added, “If a connected vehicle has an easy to exploit vulnerability that allows criminals to remotely discover the location of a vehicle and then to unlock and start the vehicle, it could be an easy target for car thieves. Criminals have also targeted devices that, alone, don’t seem to be valuable targets such as WiFi connected lightbulbs, but that provided the attackers an ingress point into a corporate network. That said, many attacks are automated or scripting attacks that probe any connected device for vulnerabilities. As such, when developing a device, engineers must focus on building in cybersecurity even if the device does not seem like a valuable target. If the device is connected, it will be attacked.”
5 steps for secure your business
Alan Grau highlighted 5 essential points for securing company data.
Step 1: Be aware that no digitally connected company is too small or too big to be targeted by cyber criminals. Every company has crown jewels of value to an attacker, whether that is intellectual property, customer lists, or logical access to larger partner enterprises as part of a supply chain.
Step 2: Make sure your staff, especially remote workers, understand the basics of digital hygiene – make them hardened to social engineering attempts such as phishing. This is true from executives down to every staff member who is digitally connected.
Digital hygiene is a catch-all term covering all aspects for digital security habits. Grau has underlined how the details vary based on the context, but include ensuring strong passwords are used when passwords are required, not reusing passwords, enabling stronger authentication methods when they are available, and reviewing security settings for applications and services used. He added, “For enterprises, this includes security training for users, audits of security policies, and ensuring security policies are implemented and enforced. Phishing attacks continue to be a primary attack vector for cybercriminals. S/MIME certificates provide an additional layer of protection against phishing attack by validating the sender of an email is authentic.”
Step 3: Make sure your web applications and all connected devices, whether connected by VPN, virtual desktop environments or other access mechanism, are protected by strong authentication.
“Use of passwords is no longer sufficient, either for ‘device to device’ authentication or for ‘user to device’ authentication,” said Grau. It is critical to use more advanced authentication methods including certificates, multi-factor authentication and biometrics for user authentication. He added, “Enterprises must evaluate current authentication methods and eliminate outmoded authentication methods. Individuals must ensure they are using the strongest authentication methods available for the devices and services that they use. Organizations must also ensure that authentication mechanisms remain current as new threats emerge, and new countermeasures are developed. For example, PKI solutions need to migrate from traditional RSA and ECC encryption over the next few years to new encryption algorithms that provide protection from attacks by quantum computers.”
Step 4 – Incorporate principles of Zero Trust Architecture, which is a modern expression of the principle of least privileges. PKI identities serve as the basis of security for the fundamental shift to digital assets beyond the firewall, the move to the cloud, IoT, and DevOps.
Grau said that Zero Trust Architecture is an architecture in which no device or service is trusted by default. Every device and service must authenticate itself before it is trusted. The legacy paradigm in which devices are trusted just because they are located behind the corporate or network firewall no longer provides the required security. He added, “The network perimeter has largely disappeared. Work from home and bring-your-own-device are the new normal. With this reality, every device, service and application must only be trusted and allowed access to the network after it has provided the appropriate credentials. PKI and digital certificates provide the foundation for enabling authentication for Zero Trust Architecture.”
Step 5 – Have a single pane of glass view of all your digital identities, security processes and protocols – that incorporates certificate automation for all different kinds of certificates, even those from different vendors.
There are millions of attacks that occur daily via the web, most often against small and medium-sized enterprises. The entire organization and resources must be literate and trained in the correct use of company tools and the dangers that can arise from a lack of a “culture of sensitive corporate data”.