A recent study by Thales has found that the majority of businesses still have concerns over cybersecurity during remote working, even one year into the Covid-19 pandemic. Nearly half (47%) of organisations surveyed reported an increase in volume, severity, and/or scope of cyber attacks over the last 12 months. 41% of the organisations that experienced a breach did so in the last year, which is almost double the amount compared to 2019 (21%). This has led to 81% of organisations reporting concerns about the security risks of employees working remotely.
What do we know about the current privacy and compliance issues? Across all sectors, we are seeing a huge rise in the number of Data Subject Access Requests (DSARs) being issued. Many have attributed this increase to the Covid-19 enforced redundancies and furloughs which have been forced upon companies during the global pandemic. In order to prepare and combat this surge, it is recommended that organisations need to get their record of processing activities and retention policies up to scratch now. Any delay in doing so will put your organisation on the back foot when it comes to DSARs and having to deal with a backlog of documents and communications dating back several years.
Another problem arising from the pandemic has been the seismic shift in workforces moving to remote working capabilities, and as a result, the number of devices connecting remotely to networks has increased significantly. This has opened up the number of access points for cybercriminals to attack. In extreme cases, organisations were forced to relax their security protocols due to the sudden and unprecedented response to the pandemic, which has only led to a rise in data breaches occurring as they tried to balance the need for workers to have remote access to their systems against the risk of a cyber attack.
Some adaptations have seen the adoption of new technology without the usual rigorous testing schemes and assessment of options on the market. This too can lead to weaknesses in an organisation's cyber defence. Risk assessments and policy and process gap analyses are a vital way to keep an eye out for vulnerabilities that may have been introduced into the system, and hence, the compliance department needs to be focused on these areas.
With the digital transformation that companies are on, the shift to hybrid and multi-cloud has allowed for more opportunities to arise for some organisations, but in return, there is an increased risk inherent in the storage of data in the cloud. According to the report by Thales, 56% of organisations now store more than 40% of their data in an external cloud. Half of these organisations say that more than 40% of the externally stored data is of a sensitive nature.
Most worrying is the fact that 83% of organisations state that more than 50% of the sensitive data stored in the cloud is not encrypted at all and that only 25% of companies have complete knowledge of where their data is stored. With numbers as low as these, what can be done to make sure that the remote workforce is as prepared and protected as possible?
All across the globe, laws and regulations around data and privacy are being updated and tightened to keep up with the rapidly changing digital era. While ensuring compliance is already hard enough given that data is growing exponentially, 46% of respondents agreed that adding cloud environments to the mix makes managing privacy and data protection regulations even more complex.
Implementation of a zero trust policy when it comes to cybersecurity and regulatory compliance is something that has been gaining a lot of traction recently. The report by Thales found that 34% of companies claim to have a formal strategy and have actively embraced a zero trust policy, while 65% rely on concepts of zero trust security to shape their cloud security strategy.
But what is zero trust? Zero Trust is based on "Never Trust, Always Verify" and views trust as a vulnerability. This removes the default access given to users or devices looking to access confidential data and instead implements a system where every access is challenged and verified using a technology such as two-factor authentication.
This approach gives organisations the power to maintain a high level of security remotely, without the need for a physical location to authenticate access. Zero trust will provide organisations with the robustness to repel ransomware attacks, even in a legacy system. A recent example of this was the Colonial Pipeline cyber attack which was perpetrated by cybercriminals taking advantage of a legacy VPN to gain access to the system and leaving them free to wreak havoc on the fuel supply of much of North America. With zero trust, it might have been possible to stop the attackers from navigating inside the network, whereas with conventional security approaches, once attackers are ‘through the door’, they’re already in a very strong position.
The biggest challenge for organisations is understanding that achieving zero trust is an ongoing journey with multiple steps along the way. Companies will have to adapt their strategies based on their specific business needs and regional constraints. To find out more about the 2021 Thales Data Threat Report, you can download it here.