The shift in cybersecurity: It’s time to stop focusing on your perimeter and start focusing on your data
It’s a sad fact of life in 2021 that cyberattacks are inevitable and data breaches are highly likely. So why are so many businesses focused on keeping cybercriminals out, instead of limiting what they can do once they get in?
Most enterprises are aware of the need to protect themselves from cyberattacks, and employ some form of perimeter security to that end, whether that’s in the form of network firewalls, anti-malware software, intrusion detection and prevention systems, or all of the above.
Over time, and in line with the WFH explosion, that perimeter security mindset has expanded to endpoint security – the practice of securing network-enabled devices like desktop computers, laptops and mobile devices from attack.
But despite these efforts to keep bad actors out of their environment, businesses are falling prey to cyberattacks with alarming regularity. A recent Australian Institute of Criminology report estimated the total annual economic impact of cybercrime in Australia at $3.5 billion, while the FBI reported a 400% increase in cybercrime after the onset of COVID-19.
A report into the economic impact of cybercrime by McAfee and the Center for Strategic and International Studies (CSIS) found the global losses from cybercrime had reached almost $1 trillion by the end of 2020, while the number of groups launching ransomware attacks grew month on month throughout 2020.
Cybercrime is spiralling out of control, despite significant investments in perimeter security – and there’s a simple reason for that.
The limits of perimeter security
The reality is that you can have all the protection mechanisms in the world in place, but one human interaction can bypass all of them.
That’s not to say perimeter security isn’t important. Of course it is – there’s no point making a cybercriminal’s life any easier for them, and perimeter security certainly plays a role in reducing risk. It’s just not the be-all and end-all that some businesses might think.
The ever-increasing interconnectivity of networks, and the sharing of information across them, is providing cybercriminals with more opportunities to seize data, as this data is often less secure while in motion (i.e. actively moving from one location to another).
And while networks have become more secure, social engineering – the old-fashioned art of the con, exploiting human error and psychology – remains the most effective way to bypass an organisation’s defences.
Social engineering is less of a hack, in the traditional sense, than it is a trick. A phishing email is a social engineering scam, for instance. And as the world becomes more connected, and more information about a business’s employees becomes available online, it becomes easier for attackers to trawl for details that will make these tricks more compelling and convincing.
Once an attacker finds their way into your infrastructure through a careless or compromised user on the inside (or even, for that matter, a malicious user like a disgruntled employee), perimeter security is powerless to do anything about it.
Cybersecurity expert Mathias Gaertner, Director of the Technical Advisory Board at the Australian Computer Society (ACS), says perimeter security fails to take into account the human factor.
“With ransomware, it’s usually the user who invites in the intruder through clicking a link in a phishing email that installs spyware,” he said. “This constitutes a breach which a firewall can’t work against.
“It’s like a castle with a moat, but everyone inside has the freedom to do whatever they want within those walls.”
Cryptoloc founder Jamie Wilson agrees that perimeter security has its limitations.
“Think of it like a house,” he says. “The perfect home security system has got CCTV cameras, bars and security screens on the windows, double deadlocks on the door, a massive fence and maybe even a couple of vicious dogs. Those are your perimeter controls.
“But the weakest link in that security system is the person who’s already inside the home, and is scammed into letting a criminal walk through the front door. Well, it’s the same with an employee who opens a phishing email, or connects to the wrong IoT device – before you know it, the cybercriminals are inside your system, and your perimeter controls that were supposed to stop anyone from getting in can’t protect you.”
As soon as an attacker can convince a user to do something for the attacker’s benefit, they’ve effectively bypassed whatever perimeter security controls an organisation might have in place – but there is still a way for that organisation to take back control.
Beyond perimeter security
Ultimately, the key to overcoming the limits of perimeter security is to put data security first.
After all, your data is your bedrock – it’s the reason you have perimeter security controls to begin with, and it’s what cybercriminals are after when they attempt to breach those controls.
Cybercriminals are increasingly utilising a tactic known as ‘double extortion’. Not only do they force organisations to pay a ransom to unlock their encrypted files, but they also threaten to leak the data in those files if the ransom isn’t paid.
Compliance requirements, such as the European Union’s groundbreaking General Data Protection Regulation, have also highlighted the role of data privacy, and the need for organisations to place a greater emphasis on data security.
But too often, businesses overlook or neglect the role of data-centric protection in a comprehensive security solution.
Essentially, it’s a matter of changing your mindset to focus more on the outcome of a cyberattack (the loss of data) than the method of attack (such as a perimeter breach).
It’s the data breach, not the unauthorised access to your network, that will truly cost you – not just in terms of whatever it costs to recover that data, but also because of the reputational hit your business will take, and the potential legal ramifications you could face in the form of lawsuits from aggrieved customers and fines from regulators.
Data-centric protections, such as Cryptoloc’s patented three-key encryption technology, will enable you to protect your data when perimeter security and the other controls you have in place fail. Cryptoloc’s technology also encrypts data while it’s in transit between networks.
Encryption renders stolen data worthless to anyone who gains access to it without authorisation. Even if an attacker breaches your perimeter and gets into your network, what they find there will be of no value to them if the data is securely encrypted.
“If the intruder is within the network or firewall, but the data is encrypted,” Mathias Gaertner says, “it makes that data useless to them.”
It’s also important to back up your data as often as possible, so that it’s easily recoverable in the event of a breach and you won’t be beholden to a cybercriminal to get it back. It’s equally important to track changes, in case an attacker has had access to your system for some time.
With Cryptoloc Cloud, for instance, you can see exactly who accessed your data and when, with every user and action verified and accounted for. You can then safely access any version of your content at any time.
Having control over that data – choosing who has access to it, and knowing what they do with it – is the only way to secure your system in the event of a perimeter breach.
There’s no doubt that investing in perimeter security is worthwhile. But to truly reduce your risk and combat the threats posed by today’s cybercriminals, securing your data should be your top priority.