04/04/2014

By Tom Colvin, CTO, Conseal Security

With the wide adoption of Bring Your Own Device (BYOD) and cloud computing, businesses are looking for different ways to maintain a controlled, secure environment. Previously only a concern for larger companies, now even the greenest start-ups are looking to protect the business.

Businesses should be focusing on what they are trying to protect. With recent research suggesting that the potential cost of a data breach ranges from thousands to millions of pounds, all businesses are at equal risk. Traditional security, such as one-step verification and passwords, just isn't cutting it anymore.

Some data breaches, such as the one experienced by Tesco earlier this year, are caused by hackers simply trying their luck: attempting to log in using existing username and password combinations. In the case of the Tesco hack, over 2,000 customers' login names and passwords were compromised and shared on a text-sharing site. Nothing technically 'went wrong' at Tesco: there was no system malfunction which produced the problem, and no single person worked around the security of the site. The vulnerability here is the password itself.

Other forms of authentication currently available are not developed enough to be rolled out en masse. This leaves us with little choice but to use the username and password combination which, it is worth adding, is what most online services in the business world support. For example, business tools such as Gmail, Dropbox, Twitter, Outlook Web Access, Microsoft Office 365, Remote Desktop, Exchange and Salesforce all require (at least by default) nothing more than a username and password.

Businesses need to educate users that passwords are insecure. If a user has the same password for multiple services, then a breach of any one of them will naturally permit access to all the others.

Businesses need to seek out services which provide a degree of control over location. For example: if every employee is UK based, and an attempt to access the data is made from abroad, it is probably malicious.

It is also important to use services which permit logging of access attempts. If something does go wrong, a business must know where and how it happened, and the extent of the disclosure or breach.
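The two controls above (location checks and access logging) only pay off if someone actually reviews the log. As an added example, not code from the original article, here is a small Python script that runs over constructed login-audit lines and flags two things the article describes: a successful login from outside the countries where staff are based, and one source trying many different usernames, the "trying their luck" pattern behind the Tesco breach. The line format and the pre-resolved `country=` field are assumptions; a real service would attach the country from a GeoIP lookup.

```python
"""Detection over constructed login-audit lines: flag logins from outside
the allowed countries and sources that try many different usernames."""
import re
from collections import defaultdict

# Constructed sample audit lines (assumed key=value format). The country
# field is assumed to have been attached already by the logging service.
SAMPLE_LOG = """\
2014-03-03T09:01:12Z user=alice src=198.51.100.10 country=GB result=ok
2014-03-03T09:02:40Z user=bob src=198.51.100.11 country=GB result=ok
2014-03-03T09:05:01Z user=alice src=203.0.113.7 country=RU result=ok
2014-03-03T09:05:02Z user=bob src=203.0.113.9 country=US result=fail
2014-03-03T09:05:03Z user=carol src=203.0.113.9 country=US result=fail
2014-03-03T09:05:04Z user=dave src=203.0.113.9 country=US result=fail
2014-03-03T09:05:05Z user=erin src=203.0.113.9 country=US result=fail
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)"
)


def parse(log_text):
    """Turn each well-formed audit line into a dict; skip lines that do not match."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_alerts(events, allowed_countries, spray_threshold=3):
    """Return a list of (kind, detail) alerts.

    'foreign_login': a successful login from a country outside allowed_countries.
    'credential_stuffing': one source trying at least spray_threshold distinct usernames.
    """
    alerts = []
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "ok" and e["country"] not in allowed_countries:
            alerts.append(("foreign_login",
                           f"{e['user']} from {e['src']} ({e['country']}) at {e['ts']}"))
        users_by_src[e["src"]].add(e["user"])
    for src, users in sorted(users_by_src.items()):
        if len(users) >= spray_threshold:
            alerts.append(("credential_stuffing",
                           f"{src} tried {len(users)} usernames: {', '.join(sorted(users))}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in find_alerts(parse(SAMPLE_LOG), {"GB"}):
        print(f"[{kind}] {detail}")
```

Note that the failed attempts are what reveal the stuffing source, so a log that records only successful logins would miss it.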

It is often preferable, from a security perspective, for organisations to host their own cloud services rather than rely on public ones. This gives the organisation's administrators complete control over who accesses them and could, for example, limit that access to the local network. Anyone outside the organisation would then have to connect through a VPN even to reach the login screen, adding an extra layer of security to the existing authentication challenge.

There is no easy answer for business security. Each business environment is unique and will require a variety of different solutions to provide a secure environment. What is known is that data breaches are a major challenge, and the question you should be asking is: are you prepared to take the risk?