The June 2017 cyber-attacks on the UK Houses of Parliament signify the need for any enterprise that holds valuable data to be prepared for an attack.
The attacks were a stark reminder of the dangerous world we now live in as hackers attempted to access the emails of MPs, Lords, aides and staff with up to 90 said to have been compromised. Though security services took the necessary steps to secure the network to stop the attack from spreading, the event signifies the need for any enterprise that holds valuable data to be prepared for an attack. It is no longer a question of ‘if’, but ‘when’. We have to assume that hackers will be successful – if not today, then tomorrow or the next day. The real question therefore is: are these Houses of Parliament systems – including email applications – protecting sensitive data from within? After all, this is what hackers are after.
A “sustained and determined” cyber-attack means that the hackers have some access to username and password credentials and will use these to attempt to access IT systems and emails – a bit like a robber trying to get through your front door by picking its locks. Cyber criminals will use these credentials to get “mostly in” and from there, pivot internally within the network, gathering more and more information as they go, until they reach the crown jewels.
IT security of yesteryear was focused on implementing security systems such as ‘two factor authentication’ and ‘access and identity management’ systems to prevent this type of attack – akin to making sure the locks and front door have good security systems in order to prevent entry.
In a modern IT architecture, companies need multiple levels of both IT security and data security. IT security hardens the IT infrastructure, whereas data security protects the data itself, so that if hackers find a way around IT security (and they will if the target is valuable enough), then the data itself is still protected. Therefore, organisations must assume that not only can attackers come through the front door, they can also access data via other points of entry – and there are many.
What if the attackers do gain entry by breaking in via user passwords? Will they have easy, open access to the data in email and other systems that contain sensitive data such as HR, expenses, accounts and sensitive parliamentary data?
The focus therefore becomes more about where the email systems are storing this data. Is it an on-premises email system or a Cloud-based mail system where this email may be stored on a Cloud-based service? Is this data encrypted throughout its entire lifecycle? Even if hackers are successful and find a way in, if data is encrypted properly on premises or in the Cloud, then there is nothing the criminals can do with it without the means to decrypt it.
Furthermore, let’s not believe mere ‘Data at Rest’ encryption systems are enough. Though it’s a start, companies have to protect this sensitive data through its entire lifecycle. ‘Data in Motion’, ‘Data in Use’ and ‘Data at Rest’: these are key points to complying with the General Data Protection Regulation (GDPR) that every company operating in Europe will have to adhere to come next May.
We just hope that the Houses of Parliament have this next level of more advanced data protection systems installed as well. If not, then there may be a very serious issue of attackers gaining access to email and other systems that use and store sensitive data.