What was once the domain of a niche group within IT professional circles is now a water cooler topic – cyber security has become part of mainstream conversation. An abundance of security breaches recently hitting the news has brought network security top of mind.
The headline-grabbing hacks of major companies and organizations speak for themselves. And though the data breaches resulting from these hacks have been devastating for the customers and employees affected, the breaches have made everyone care more about how IT is secured.
“Every year, it gets easier and easier to speak about security, just because people are listening more carefully,” says Dmitriy Ayrapetov, director of product management for Dell SonicWALL. “Five, even seven years ago, network security was an add-on conversation. It was ‘We’re going to run a business, and then there’s the guy who’s complaining about security.’ Times have definitely changed.”
With the stakes in IT security higher than ever, real conversations about how company data should be secured, stored and transmitted are now occurring on a daily basis at all levels of business. This is happening in part because the failure to employ security best practices is having life-changing effects.
“There are CIA agents being pulled from China because whoever applied for a classified clearance, their information is now available to the public, jeopardizing their personal security,” says Ayrapetov, referring to the data breach that rocked the Office of Personnel Management.
Twelve years ago, October was officially deemed National Cyber Security Awareness Month by the Department of Homeland Security and the National Cyber Security Alliance. On September 30, 2015, President Barack Obama issued an official proclamation reaffirming the recognition that every October will focus on raising awareness about cybersecurity.
“During National Cyber Security Awareness Month, we recognize the importance of remaining vigilant against any and all cyber threats, while recommitting to ensuring our people can use new digital tools and resources fearlessly, skillfully, and responsibly,” Obama said.
If the White House is on high alert over cyber security, it goes without saying that enterprises and small organizations should stand guard when it comes to their own IT security habits.
Turning Security Awareness into Action
While it’s great that the spotlight is officially on security, the reality is that awareness alone won’t help organizations tackle serious security threats. Unfortunately, in many cases the simple, basic security protocols that could significantly improve organizational security go unimplemented.
“You have to make sure that all your systems are patched. I can’t stress the importance of patching software, patching Windows, patching browsers, patching Flash, patching Java, patching Office,” emphasized Ayrapetov.
Another mistake that small businesses often make is choosing consumer technology for enterprise use. The network router, for example, which will transmit critical and essential business information, is something that a small business should carefully consider before purchasing; a consumer version of a network router just won’t cut it.
“What they’re getting is a non-patchable, non-updatable system that doesn’t perform any security measures. It’s just a router,” stated Ayrapetov. “Intrusion prevention and anti-malware needs to be in every single network.”
Beyond the hardware, something as simple as network segmentation can at least help small and medium-sized businesses contain the effects of a breach.
“If you have a business of 100 people, you absolutely should separate your sales staff from your engineering staff, from your finance, and from your HR,” Ayrapetov emphasized. “It’s almost like a submarine: You should have bulkheads inside the organization so that if one sub-network gets breached, you have the same type of security protections internally as you do externally.”
Enterprise Security Operates on a Different Scale
With cyber security, what often separates enterprises from the small business sector is not the threats themselves but the increased scale and complexity of the attacks that enterprises face.
“In an enterprise, you might have 50 to 100 people in an IT department, and then you start running into questions like, do you have the same root password for all of your Linux servers?” says Ayrapetov. If you share the same root password and one admin feels mistreated and decides to mess with the IT systems before he leaves, it’ll be hard to pin down the culprit.
“How do you know which admin did that if they’re all sharing the same passwords?” he questioned.
A larger staff and greater complexity require enterprises to add tools and resources to track and manage access to IT within the company.
“You start getting into things like privileged account management so you can check out temporary passwords and have an audit trail of who did what,” Ayrapetov adds.
Cybersecurity’s New Boogeyman: Encrypted Traffic
Within security circles, there are certain viruses and malware that have legendary supervillain status, on par with the Joker. But the thing that has most security specialists shaking in their boots isn’t a maniacal clown, but a friend who is suddenly being turned into a foe: encryption technology.
“I think the industry as a whole is grappling with the enormous rise in encrypted traffic. Call it the Snowden effect, or call it whatever you want, but there’s a number of movements from HTTPS everywhere, and search engines started encrypting by default,” Ayrapetov says.
The fear is that we’ll eventually get to a point where 100 percent of data traffic is encrypted. That means intrusion detection systems, perimeter devices and next-gen firewalls will be blind to this data, much as IT systems were before they had the ability to conduct deep packet inspection, he stated.
One of the things Ayrapetov is recommending for organizations is SSL decryption for perimeter firewalls. Many companies actually have this technology but do not realize it, and so are not deploying it. Though it might help, it’s certainly no silver bullet for a future in which all data is encrypted.
“As a security industry, that’s the big boogeyman in the room. What do you do when all traffic is encrypted? How do you deal with that?” says Ayrapetov.