Security reimagined: five key steps to protect your organisation

Covid-19 has accelerated a move to digital and online services in work, retail, health, education and more.

And with millions of people now working from home, outside their company’s security system, it is vital for organisations to take cybersecurity seriously.

While cybersecurity has always been important for businesses, Niall Tuohy, Security Product Manager at Vodafone Ireland, says threats have become more advanced, frequent and difficult to manage.

Niall, who has been working in Vodafone for 17 years and has been in his current role running the Security Portfolio for approximately three years, says, “Cybersecurity for a business can be difficult to keep up with and can have serious consequences if not done right. Challenges can be as simple as understanding what they need to protect, where their information is and who within their organisation has access.”

Here, Niall speaks about the main cybersecurity threats facing businesses of all sizes, and shares his top tips on how to ensure effective security from digital predators.

Securing data

As organisations are now gathering more and more information in order to grow their business and customer base, this brings new risks.

Niall says the first practical step a business can take to protect their organisation from digital predators is to “know what data you have”.

“Know where it is stored, who has access, why they have access, and if it’s required for them in their particular role.

“Most importantly, ask yourself do have I clean, regular back-ups?”

Niall references John Kindervag from Palo Alto Networks, who popularised the phrase of zero trust.

“His approach was ‘never trust, always verify’.

“The zero trust approach advocates mutual authentication. This includes checking the identity and integrity of devices without respect to location. It also includes providing access to applications and services based on the confidence of device identity and device health in combination with user authentication.

“This has never been more important. As part of the reaction to Covid and enabling remote working, some organisations may have overlooked how they are managing and securing the home worker.”

Update your operating system

Niall advises undertaking basic tasks, such as always performing recommended OS/Firmware updates, which can help to keep hackers out. “Make it mandatory to perform these updates, or you lose connectivity to the work environment.

“Nobody in an organisation is too important when it comes to cyber threats, including the CEO, and they should never be exempt from following the same processes as everyone else. Simple steps such as forcing the changing of passwords at regular intervals should be standard practice.”

Protecting your customers

Niall says phishing/smishing, either via email or SMS and ransomware, is a real issue today, “and it is often the end-user that is the weak link.”

Phishing is the practice of tricking Internet users (through the use of deceptive email messages or websites, for example) into revealing confidential information.

“Consumers expect companies to be protecting their data and will steer clear of those that don’t.

“Fraudsters are not always sitting around writing code. It can be mass mail/SMS type campaigns and hoping someone bites. With the likes of ransomware, however, the way into an organisation is often through an end-user.”

Niall says this risk can be mitigated by limiting what your end-users can access internally. “The zero trust approach is the way forward. Lock everything down and only grant access to those that have a legitimate requirement.

“By only securing the perimeter, you are still leaving yourself exposed should someone gain access to your network. So, internally, you should be taking every measure to block lateral threats as much as you would protect against threats for client-to-server traffic that moves in and out of the business.”

For organisations of any size, it can be simple issues like fraudulent invoices, where the person responsible for paying invoices may assume that it’s a legitimate invoice request.

Niall says a strong email security solution can go a long way of weeding out fraudulent emails. “Companies should be very cognisant of what an end-user can download to their laptop, tablet or smartphone. There is no legitimate reason for end users to have admin rights on their devices for installing third-party applications that are not approved by the employer. Segregating work profiles from personal on smartphones and tablets should be standard practice.”

Safe working from home

For businesses looking to ensure security for their employees working from home and handling smart devices, firstly consider: who is working from where and what devices have they access to company data from?

“The days of carrying two devices, one for business and one for personal use are long gone. Whilst it’s convenient to deal with personal and business information from one device, it’s important to segment work and personal data.”

Some people may worry that if they use a company device, they’ll lose the freedom to do as they wish with personal applications. Others might be fearful of losing a work device that contains sensitive data, or not being able to keep up with necessary software updates to stay protected.

Luckily, many providers and software services exist to make this easier for businesses to manage, including Vodafone’s Secure Device Manager product, which can create secure personal and business spaces on an end-user’s device.

“So, for example, if you try to screenshot a work email, this is blocked, but it allows you to do as you please with your personal applications.

“Or if you are running an old version of software on your handset, we can restrict access to corporate data until you bring your device up-to-date.”

If a device is lost, it can be locked remotely and all corporate information stored on it is wiped. “We can also apply corporate policies and threat-hunting capabilities to the mobile device, similar to what you would want when in the office.

“With Extended Detection and Response solutions (XDR), we can manage the endpoint with the same level of control and security, as if you were connected to your internal LAN network. We can also restrict and block known malicious sites and sandbox unknown sites.”

Educate your employees

Niall says, as a business, Vodafone faces the same challenges as other businesses. “When the pandemic started, we were lucky that flexible working wasn’t new to us. So, it wasn’t as difficult to enable a secure remote workforce as it may have been for other organisations.

“Our portfolio of security solutions continues to grow, such as the Virtual Private Network (VPN), which enables secure and encrypted connectivity.

“We also have a Security Operations Centre, which provides organisations with cybersecurity experts who monitor your network and cloud environment, devices, logs, and hunt for threats 24/7.”

According to Niall, cybersecurity should be a key element for businesses when introducing any new initiatives.

“We now live in a world where the expectation is that we can access anything from anywhere. However, securing the remote worker isn’t just about buying and deploying the best technologies, it’s also about education.

“In Vodafone, we are continuously educating our employees on how to be more cyber aware. Education and attitudes of employees are as important as the security solutions you purchase and need to be addressed on an ongoing basis.”

Secure your business from a host of cyber threats with Vodafone's security solutions for businesses of all sizes.