Financial damages from consumer data breaches are being brought to light on a grand scale. Facebook may face a $1.6 billion fine in Europe for compromising 30 million user accounts, while Uber is expected to pay $148 million for its 2016 data breach. Harsh fines prove even the largest global enterprises are vulnerable and now more accountable by governments for their security practices.
Government fines aside, experts predict cybercrime damages will reach $6 trillion by 2021. Cybercriminals are making their way into what many believe are secure networks with increasingly complex and sophisticated cyber attacks, and it's becoming more challenging as Wide Area Networks expand to connect more people, IoT devices, and places.
IDC predicts that by 2020, 75 percent of all people will work entirely or partly in a mobile environment. Mobile enterprises will create a new range of security risks and challenges. An estimated 23 billion IoT devices are being installed worldwide, which cybercriminals can use to introduce malware or initiate denial of service attacks. Gartner predicts that by 2020, more than 25 percent of cyber-attacks will involve IoT.
Security models will no longer be able to secure fixed places only. This new WAN landscape demands elasticity. Unlike the fixed edge that relies on physical security and static security infrastructure, elastic edge networks encompass endpoints of people, mobile and connected devices, and even vehicles that are in the field, deployed within third-party environments, and on the move. It’s important to keep in mind that often networks can be penetrated from within by employees using unsecure personal devices and shadow IT deployments, such as unsanctioned file-sharing clouds.
Hardening network security
As our security efforts evolve from the fixed edge to the elastic edge, we can keep our networks safe with a combination of traditional and new best practices:
1) Educate employees – It never hurts to partner with HR to conduct training on network security as an ongoing development requirement. Administrators should hold regular discussions with employees whenever a major breach occurs, explaining the latest ways cybercriminals are gaining access to networks and the damage they’re causing. As part of the education process, IT can create simulated events so employees can see firsthand how phishing attacks occur and recruit their help to identify potential vulnerabilities.
2) Adopt a Zero Trust culture: authenticate first, connect second, segment everything –Traditionally, devices have first connected to a network before being authenticated. Now, with a huge volume of potentially vulnerable IoT devices, organizations should improve network security by authenticating devices before they connect to the network. Adding a software-defined perimeter will hide connections from the publicly visible Internet, significantly reducing the available attack surface. Each new device and user is then authenticated before being given access to the application layer. This approach is effective against most network attacks, including DDoS, man-in-the-middle, east-west traverse, and advanced persistent threats.
3) Blend on-premise and cloud-based security measures – Combining onsite with cloud-based solutions provides administrators the ability to be virtually anywhere and everywhere, which is extremely difficult if you’re managing support for hundreds of remote locations and thousands of kiosks. Cloud-based solutions facilitate large-scale configuration changes, manage remote routers, and quickly roll out firmware updates. They can also provide software-defined perimeters to create a separate network overlay that places IoT devices on different networks to prevent hackers from using them to access the primary network.
4) Use out-of-band remote access controls – When administrators need entry points to make changes to something like a remote IP camera, hackers can take advantage of an open firewall port to set up long-term, gradual incursions that are small enough and infrequent enough to avoid detection. Use out-of-band methods where possible for remote access rather than opening up your firewalls to inbound network attacks.
5) Automate configuration management and firmware updates – Leaving platforms prone to configuration mistakes or open to known vulnerabilities can be mitigated by automation.
As we move into the era of the connected enterprise and the need for more agile and pervasive networks, we need to recommit to tried and true security practices while adopting new approaches that leverage wireless, software-defined, and cloud technologies.