Wednesday, December 8, 2021

To Thwart Hackers, Stop Counting on Users


"As hacker attacks rise, companies are spending more than ever on efforts to thwart them. But there's something that many companies aren't doing, and could do, that can have a big impact on cybersecurity: upgrading their networks so they aren't as vulnerable.

This type of IT spending goes well beyond narrowly defined cybersecurity tools such as firewalls and encryption. It involves replacing servers and other crucial hardware, operating systems, browsers and outdated applications.

Much of this may require spending beyond traditional cybersecurity budgets. And yet it pays big dividends for cybersecurity and beyond, say companies that have invested in such efforts.

"Modernization of the network is critical for a multitude of reasons and cybersecurity is one of them," says Rob Franch, chief technology officer of commercial-real-estate-services company Cushman & Wakefield. "It's critical to security," he says.

A modern network infrastructure does more to protect itself from hackers and user error. Instead of depending upon employees to install updates, configure servers and identify spam, it backstops them, making software updates and server settings automatically, or using machine learning and artificial intelligence to spot suspicious email attachments or malware and isolate them so that they can't cause widespread harm.

Between 2015 and 2018, Cushman & Wakefield modernized its network, the system of connected devices, software and services that link the company's information and communications platforms to one another and the outside world. As part of the effort, it doubled down on employee cyber awareness and training, according to Mr. Franch.

The return on that investment has been evident in several ways, he says. Since the modernization, Cushman & Wakefield hasn't been hit by successful crypto and ransomware attacks, in which attackers encrypt a victim's systems and demand money in exchange for decryption keys.

There is no single path to network modernization. There are, however, some important actions that most network modernizations take, and which business leaders should consider as they seek to optimize their company's cybersecurity posture, Mr. Franch and other information-technology leaders say.

Make your network simpler.

Companies often don't know what data, devices and users are on their networks in the first place, making it more likely that threats will go undetected. A key goal of network modernization is to simplify and upgrade networks, giving better insight into the activity -- legitimate and illegitimate -- taking place on their networks.

That can mean simplifying and paring down platforms.

Having a lot of different software platforms that don't communicate with each other well makes traffic difficult to see and understand.

There are different ways to create a simpler, more modern, high-visibility network.

In the case of Cushman & Wakefield, Mr. Franch winnowed down the company's older set of 15 corporate networks into a single, global network that put more emphasis on software. Software-defined networks make it easier to configure and update components and check for problems.

In addition, putting important functions into the cloud can simplify things, because cloud services offer built-in monitoring tools and automatic software updates.

Mr. Franch says that to improve security at Cushman & Wakefield, he consolidated a number of cloud networks into a single public cloud, Microsoft Corp.'s Azure. The simpler network and focused cloud also made it easier to deploy an additional set of security systems, Mr. Franch says.

The investments in a simpler network and greater visibility have paid off for Cushman & Wakefield in economic terms, according to Mr. Franch.

"This investment to get here was substantial, however the offset in ongoing costs allowed a payback in less than 4 years," he says.

Providing greater network visibility also supports advanced security approaches, such as the end-to-end encryption of data and the creation of so-called zero-trust networks, where users must enter credentials continually, says Steve Turner, a cybersecurity analyst at Forrester Research.

Maximize automation.

By modernizing their company's technology, companies can take advantage of growing levels of automation and default settings in software that shift much of the responsibility for cybersecurity away from the user, thereby reducing the opportunity for human error. The majority of cyber incidents can be traced to missteps by people who, for example, click on the wrong link or open the wrong email attachment.

Modernization also leads to faster response times to problems and less organizational complexity, says Mr. Turner, because employees don't have to manage these issues themselves.

Microsoft's Windows 11 operating system, which became generally available on Oct. 11, turns on 12 security features by default, instead of leaving those decisions up to the user, says Bret Arsenault, corporate vice president and chief information-security officer of Microsoft.

If Windows detects untrusted software on a user's device -- like phishing or ransomware attempts -- it can put the software into a separate operating system where it has the least level of privileges, according to Mr. Arsenault.

Modern computing architectures consider more dynamic authorization controls to flag certain kinds of behavior, according to Heather Adkins, senior director of information security at Alphabet Inc.'s Google.

If an employee who works 9 a.m. to 5 p.m. in North America and uses basic tools while at work suddenly shows up for work on the weekend in Europe and demands access to sensitive documents, the access-control system can flag the aberration, she says.

Move beyond passwords.

Instead of expecting people to manage passwords and other forms of authentication, some companies are using more modern methods that utilize cryptographic keys, according to Mr. Turner.

When a user signs up with an internet service personally or through work, a pair of encryption keys is created, a private one residing on the user's device and a public one with the company. Both keys must be available when the user logs on, with the user's private key typically being unlocked by providing their face, fingerprint or another authentication factor that proves they are who they say they are, Mr. Turner says.

The user's key is protected by a piece of software on the phone or computer, or a physical key, usually costing $20 to $70, that plugs into the device, according to Mr. Turner.

In the latter case, a user must have the physical key and the encryption key that it protects to log in, making it all but impossible for a hacker to remotely access an account in an email phishing scheme, he says.

Google uses an encryption-key standard called Fast Identity Online, or FIDO. Google employees have to use hardware security keys, which are based on FIDO standards.

"Google hasn't had a successful phishing attack since we started using the keys in 2017," says Google's Ms. Adkins.

Integrate hardware and software.

The latest security software and protocols won't always work with older servers and network gear, so keeping hardware up-to-date can improve security.

"The software and hardware link between features, functionality, and security is becoming much tighter over time," Mr. Turner says.

Usually, the problem involves firmware -- the software, often built into a computer, that controls the device and permits other software to run on the machine.

But some businesses stick with old hardware that can't run the newest version of firmware, which often includes a host of cutting-edge security features. Imagine trying to take advantage of all the security features in Apple's newest operating system -- but using an old iPhone. The new features simply won't work on the outdated hardware. At some point, you must replace the phone.

Some new hardware has cutting-edge security features built into the computer chips themselves -- which older hardware obviously doesn't have.

Microsoft's Trusted Platform Module 2.0 security chip is necessary for a computer to run Windows 11.

The TPM 2.0 chip helps run the Windows Hello identity-protection systems as well as BitLocker data security, according to Microsoft.

Google's Titan security chip, which is built into Google servers and devices, can assess whether the operating system that controls machines has been compromised.

If the Titan chip determines there is a security risk, it can prevent the machine from booting up.

"We embed more critical security features into specialized hardware. The idea is to verify the integrity of software up the stack, using hardware," Ms. Adkins says." [1]

1. Cybersecurity (A Special Report) --- To Thwart Hackers, Stop Counting on Users
Rosenbush, Steven.  Wall Street Journal, Eastern edition; New York, N.Y. [New York, N.Y]. 08 Dec 2021: R.1.
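
The key-pair login described under "Move beyond passwords," sketched as an added example (it is not part of the article and not Google's or any vendor's code): the device signs a one-time challenge together with the site origin the browser reports, so a look-alike site that relays a real challenge gets nothing it can use. The class names, origins and message layout are assumptions made for illustration; real FIDO2/WebAuthn uses a different wire format.

```javascript
// Added example: simplified FIDO-style login, not the real WebAuthn message format.
const crypto = require('node:crypto');

// Authenticator (phone or hardware key): one private key per origin, never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the service
  }
  // `origin` is reported by the browser, not typed by the user or chosen by the page.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin, so nothing to hand over
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign(null, clientData, key) };
  }
}

// Service: stores public keys, issues single-use challenges, verifies responses.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(user, assertion) {
    const pub = this.publicKeys.get(user);
    if (!pub || !assertion) return 'rejected: no credential';
    if (!crypto.verify(null, assertion.clientData, pub, assertion.signature))
      return 'rejected: bad signature';
    const { origin, challenge } = JSON.parse(assertion.clientData.toString());
    if (!this.pending.delete(challenge)) return 'rejected: replayed or unknown challenge';
    return origin === this.origin ? 'accepted' : 'rejected: wrong origin';
  }
}

// Constructed scenario: a genuine login, a replay, and a look-alike site relaying a challenge.
function demo() {
  const rp = new RelyingParty('https://login.example.test');
  const key = new Authenticator();
  rp.enroll('alice', key.register(rp.origin));
  const first = key.sign(rp.origin, rp.newChallenge());
  const relayed = key.sign('https://login.examp1e.test', rp.newChallenge());
  return [rp.verify('alice', first), rp.verify('alice', first), rp.verify('alice', relayed)];
}
```

`demo()` returns the three verdicts in order: the genuine login, the replayed response, and the relayed phishing attempt.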