Cyber security is a constant topic in the news. There is not a single day without the headline that passwords were stolen, companies breached, or data or bitcoins lost. The list seems endless. As the CEO of Securosys I regularly get asked whether and how we can help companies against all these threats. Unfortunately, there is not a single measure or pill that will take care of everything. So, what can a business do to protect its systems and data?
You need several layers of protection: It starts with password security, email security, data security, infrastructure and device security, and goes on and on. So, since I got the question, let me recommend some best practices and solutions to tackle these threats.
Weak passwords are a major threat. Therefore, passwords must be long (the longer, the better) and should be hard to guess, e.g., best are random strings. They should avoid any words found in dictionaries – nothing new here. A suitable password policy enforced by the company’s IT team through their directory server (e.g., AD) can enforce this. Obviously, such passwords are hard to remember. A password manager like SecureSafe from the Swiss company DSwiss can be a good solution to store and remember one’s passwords. Other recommended password managers can be found on Bruce Schneier’s blog (Bruce is one of the best resources on cyber security). In addition, everybody should be reminded not to post or answer even non-critical personal questions on social media accounts. Hackers use such social engineering to generate a profile on people that will then be used to get into their accounts (video on how it works).
To go one step further, these hard-to-guess passwords should be combined with second- factor-authentication to harden access to all company services, internal and external. This can be done with SMS, authenticators, or other schemes. If you need help with that, the Swiss company Nevis provides even password-less solutions: Go check them out.
The second trapdoor is email. The danger is two-fold: what gets sent to you and how secure and private the content is you are sending out. Phishing is a persistent problem in emails and no matter how good spam and phishing filters are, stuff still gets through. Employees know that they should not click on links or open attachments, but these email lures get more deceptive every year. A simple measure to remind people can be implemented by the company’s IT team: Add a banner to each email coming from an external source.
or
Also, checking with the sender again before opening or clicking anything might help. There is no 100% protection, and the mindfulness of your team is needed, as well as repeated training.
Regarding messages that you are sending out via email, simply assume other people can read them with little effort. That should give you an indication of what to write and enclose in emails. To spell it out: Confidential content does not belong in emails unless you are using message encryption and authenticated emails. If you must send something confidential by email to a party not capable of receiving encrypted mails, then encrypt the file (password protect your pdf, word, or excel file, or use DKE, see below) and share the password via a different channel (like the Swiss messaging tool Threema). While some experts might point out that the communication between authenticated mail-servers is encrypted there is no guarantee it will work for all emails. Moreover, the emails will still be stored in plaintext on both, the sending and receiving mail servers involved. As such, it is better to remain cautious. Finally, consider adding certificates to your email and sign your emails with a publicly verifiable signature.
Before tackling data security, let’s look at infrastructure and device security. Personal devices are used in almost every business these days. Employees use their mobile phones to read and send company emails. The most important thing is not to delay any software update on these devices. Mobile phone vendors are adamant about ensuring their systems are secure – so update your phone! If you want to know how you can make your personal digital life more secure, then check out this great Arstechnica article.
Most companies don’t want to run their IT infrastructure in their basement anymore, and they rather prefer using public cloud services. For most companies, the benefits of a cloud service, such as Microsoft 365, far outweighs its risks. Running your systems on your own rack neither provides redundancy, fail-over, nor offsite backup. The big public cloud providers have teams that monitor, maintain, upgrade, and check the infrastructure 24 hours a day, seven days a week. If a company wants to do that by itself, it would need a team of several dedicated experts – something that most smaller and medium size businesses simply cannot afford. In public cloud services your data is orders of magnitude more secure. However, you have to take care not to lose data sovereignty and privacy.
Public cloud providers are busy building data centers all over the world, in many countries. This enables companies to keep data within their region and reduce the latency to access it. However, without proper measures, data sovereignty and privacy are gone. These American (AWS, Google, Azure, etc.) or Chinese (Alibaba, Tencent, etc.) public cloud providers are subject to their country’s jurisdiction and, when compelled so, must give their governments access to the data in their clouds, no matter wherever in the world the data is held. Microsoft even exemplary shows on its website how often that happens.
So, how can you keep your data private in public clouds? Even if you think your data does not require privacy, regulations such as GDPR or your data protection officer (internal or local government) may force you to make sure that nobody can read your data, not even the cloud provider and its admins. The answer, of course, is encryption. Before anything confidential is stored in the public cloud, it is first encrypted on your local computer before sending it into the cloud. The company itself, you, then holds the encryption key. Again, Microsoft is exemplary as it developed the DKE – double key encryption – service for Microsoft 365 Office products. With it, you can label documents (and emails) as secret and encrypt them on your laptop before they go into the Azure cloud, while the encryption key remains with you. This way, data sovereignty and privacy can be maintained. Here comes the plug: At Securosys we offer the cloud service, Securosys 365 DKE, that will store these DKE keys with Securosys Hardware Security Modules in our CloudsHSM. It is seamlessly integrated with Microsoft 365, set up in a snap, and simple but secure to use.
At Securosys we have great solutions to keep encryption and digital signature keys secure. Some companies mentioned above use our solutions to protect their services. However, you are never done with Cyber Security. There is no single pill that will take care of all cyber threats and, more effort is required every year, every month. Unfortunately, the list of threats discussed above is not complete. New attacks will be invented and you have to keep improving your systems continuously. A great resource to dig further, learn more, and stay up to date on how you can protect your company is the website of the Swiss National Center for Cyber-Security. And if you think Securosys can help, don’t hesitate to contact us.