Mounting a successful attack against a company’s website or network requires three things:
- Access to the website or network in question. This is obviously true of any public website. For non-public websites, such as internal SharePoint sites, or for the corporate network, this requires some form of specific access, such as access to a wireless access point or VPN access.
- The existence of a vulnerability that can be exploited using whatever form of access is available under #1.
- The existence of an attacker able and willing to find and exploit it.
We tend to assume that the attacker is from outside, and it is true that data breaches caused by someone with no connections to the organization and no support from insiders are the most difficult and time-consuming to carry out.
However, the top three IT security threats that lead to data loss [12] are of an entirely different nature: malware, phishing attacks and accidental data leaks by staff. These three types of attacks account for almost half of the successfully mounted cyber-attacks. Of the top three most expensive types of security breaches, one – fraud by employees – is conducted entirely inside the organization, and another one – cyber espionage – is conducted after infiltration inside the organization.
In other words, nearly half of the security incidents are caused by circumvention of security measures from the inside, and two of the most expensive types of cyber-attacks are conducted from inside a company’s network. This suggests that securing a company’s corporate network is at least as important as securing its user-facing component.
Securing a corporate network involves work on two fronts: securing on-site access, and securing remote access. On-site access refers to access from a company’s offices, using the company’s own equipment. Securing remote access – from outside a company’s offices, often from equipment not owned by the company – is far more complex, but is a growing concern in the age of remote working and globalization. Even if a company does not offer benefits like working from home, remote access is an almost universal requirement: on-call employees, salespeople who need to travel to potential customers’ sites, and support staff who work on customers’ premises are just a few examples of cases where remote access to a company’s network may be required.
On-site access security is typically enforced on four main axes:
- Physical access control. Only authorized personnel should be allowed to access a company’s premises in the first place. Attackers who gain physical access to a company’s equipment have the largest possible attack surface: they can use physical keyloggers, obtain and secure access to a company’s internal network, or even physically remove sensitive data, by snatching storage media like the hard drives on which data is stored.
- Data access control and privilege separation. Access to any kind of data should generally be restricted to those who need it in order to perform their work. This sounds rigid, but it can be enforced through simple, non-intrusive measures, like password-protecting sensitive documents and distributing the documents and their passwords only to those who need them, restricting administrative access to a company’s equipment to system administrators, and restricting access to various segments of the company network to people who need it (e.g. by using a separate wireless network for guests and business partners). These measures ensure that gaining basic access to a computer network does not immediately result in access to sensitive data.
- Reducing attack surface. Reducing the attack surface available to attackers who do gain basic access to a company’s network is a valuable defense technique that is very easy to implement. Using an antivirus with up-to-date virus definitions on all workstations, keeping internal websites up-to-date, just like public websites, using SSL-encrypted connections to all websites – both internal and external – and using only authorized software installations, with timely-applied security updates on all workstations, ensures that even if an attacker can get into a company’s network, they will not be able to access any data. Ideally, an attacker should not be able to gain access to any sensitive data even if he or she were allowed to connect to the company’s internal network.
- Employee awareness and security procedures. Phishing attacks and accidental data leaks, which account for 20% of the data loss incidents, can be prevented solely by educating employees on correct security practices. Another 24% of the incidents – which occur due to malware – can be prevented by adequate employee education, in conjunction with the security practices mentioned above. Many other types of security breaches can be prevented in this manner, such as accidental leaking of login credentials (e.g. by keeping them written down in a notebook that gets lost or stolen) or social engineering attacks.
At the same time, it is important to recognize that employees are not security experts. A coherent security implementation can only be achieved through a solid set of procedures that employees are educated to follow. It is also critical that these procedures be implemented throughout the organization, by everyone, regardless of role and position.
It is also important to recognize that all these solutions are, to some degree, interdependent, and that they form an interlocking mechanism. For example, forbidding the practice of writing down passwords on post-its helps protect against accidental credential disclosure; however, if (or, rather, when) someone fails to observe this rule, physical access control can still prevent leaking this data to outside parties, while data access control and privilege separation ensure that even leaking them to malicious actors inside the organization is somewhat less harmful.
These practices ensure adequate protection of data that is stored and accessed on the company’s premises. However, in modern workplaces, data is routinely accessed remotely. In fact, some remote access scenarios – such as checking your work email from home – are so common that we barely think of them as “remote access” anymore.
Remote access poses unique challenges to securing access (i.e. ensuring that only authorized parties are granted access to data) and securing data (i.e. ensuring that data is delivered correctly only to those authorized to receive it). These challenges stem from the fact that access is carried out through the Internet (and, therefore, through infrastructure that is not company-owned), from locations that may not be as secure as the company’s premises. Even the identity of the person who is accessing data is more difficult to verify if the data is accessed remotely, rather than on-premises.
In most SMEs, these challenges are made even more difficult by the prevalence of employee-owned devices and by the sheer scale of remote access: a survey conducted by Sophos [13] revealed that a staggering 90% of the surveyed SMEs have at least some remote workers.
Securing remote access is achieved through four main strategies:
- Maintaining the same good security practice for off-site work and equipment as for on-site work and equipment. In other words, all equipment (computers, tablets, smartphones) should be subject to the same security practices, such as running up-to-date, approved software, and security procedures that apply for on-site working (not writing down passwords, not leaving computers unattended etc.) should apply for off-site working as well.
- Using only secure channels for authentication and data transfer. In practice, this means two things: strong authentication schemes (good passwords or personal keys) over encrypted channels (HTTPS for web-based access, VPN for general network access).
- Ensuring secure storage and controlled access for delivered data. Ensuring that, once transferred, any kind of data remains safe is the one area in which things have improved tremendously during the last ten years. In 2017, it is entirely feasible to require full-disk encryption for all devices (including on-premises devices, but especially devices used for remote access). This ensures that, even if the device is stolen, the data cannot be accessed. As usual, of course, prevention is better than cure, so it is best to ensure that access to data remains controlled under all circumstances. This includes both protection against theft (ensured by mandating the use of Kensington locks) and protection against accidental disclosure (e.g. to onlookers in an airport cafeteria).
- Clear and uniform procedures for granting and revoking remote access privileges. Remote access should always be accounted for, just like local access. More importantly, however, SMEs need to have solid procedures for revoking remote access. Gaining local access requires more than just the proper login credentials – it requires physical access to the company’s premises, which is often difficult to obtain even when there is no formal physical access control. In contrast, remote access requires nothing but the proper credentials. If there is any reason to suspect that a set of credentials has been compromised – for example, because a device on which they have been used has been stolen – it must be possible to revoke those credentials immediately.
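The interlocking controls described above (need-to-know data access and network segmentation for on-site access; encrypted channels, accounting and immediate credential revocation for remote access) can be modelled as one access decision. This is an added example written for this page, not code from the original text or from any product it mentions; the documents, roles, segments, users and credential strings are constructed sample data, and binding each issued credential to the device it was issued on is an assumption made so that a stolen device can be revoked as a unit.

```python
from dataclasses import dataclass, field

# Constructed sample policy: the roles that need each document (need-to-know).
NEED_TO_KNOW = {
    "payroll.xlsx": {"finance"},
    "customer-list.csv": {"sales", "finance"},
}
# Constructed sample segmentation: the guest Wi-Fi reaches no internal document.
SEGMENT_REACH = {"corp-lan": set(NEED_TO_KNOW), "vpn": set(NEED_TO_KNOW), "guest-wifi": set()}
REMOTE_SEGMENTS = {"vpn"}   # access from these segments must arrive over an encrypted channel


@dataclass
class Request:
    user: str
    role: str
    document: str
    segment: str       # "corp-lan", "vpn" or "guest-wifi"
    device_id: str
    credential: str
    encrypted: bool    # True for HTTPS/VPN, False for a plaintext channel


@dataclass
class AccessControl:
    issued: dict = field(default_factory=dict)   # credential -> device it was issued to (assumption)
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)    # every decision is accounted for

    def issue(self, credential, device_id):
        self.issued[credential] = device_id

    def revoke_device(self, device_id):
        """A device was lost or stolen: revoke every credential bound to it, at once."""
        lost = {c for c, d in self.issued.items() if d == device_id}
        self.revoked |= lost
        return lost

    def decide(self, r):
        """Return (allowed, reason). Every check fails closed and the outcome is logged."""
        if r.credential not in self.issued or r.credential in self.revoked:
            verdict = (False, "credential unknown or revoked")
        elif r.segment in REMOTE_SEGMENTS and not r.encrypted:
            verdict = (False, "remote access requires an encrypted channel")
        elif r.document not in SEGMENT_REACH.get(r.segment, set()):
            verdict = (False, f"segment {r.segment} cannot reach {r.document}")
        elif r.role not in NEED_TO_KNOW[r.document]:
            verdict = (False, f"role {r.role} has no need to know {r.document}")
        else:
            verdict = (True, "allowed")
        self.audit.append((r.user, r.device_id, r.segment, r.document, verdict))
        return verdict
```

The order of the checks is deliberate: a revoked credential is refused before any other property of the request is considered, so revocation takes effect on the very next request regardless of where it comes from.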