Focusing all your security efforts on protecting the network has its risks. Like a wall it might keep threats at bay, but if they can get a foothold inside the perimeter they're hard to stop. All it takes is an unsecured printer or some piece of network hardware with old firmware and the username and password at defaults perhaps someone clicking on something they shouldn't or delivering credentials to the wrong people. You don't even know it, but the hackers have tunnelled under your wall and they're running amok on the network inside.
What might they find there? Obviously, a lot of confidential company data, including contracts, financial records, intellectual property, employee data and forward-looking plans. Then there's the customer data; sensitive financial information, agreements, confidential data indeed a whole range of data that might be covered by industry regulations or legislation. There may even be information a hacker could use to gain access to your customers' systems the root of several high-profile hacks of recent years.
Beyond that, hackers may gain access to a mass of email and personal information that could be used to steal identities, unlock more systems or simply embarrass your organisation. Think of the Sony Pictures email hacks of 2015 or the hacks into the Democratic National Committee last year for examples of the damage done to relationships and reputations by a simple hack.
You can't easily put a price on that kind of information or exposure, but The Ponemon Institute's 2016 Cost of Data Breach Study put the average total cost of a data breach at 2.53 million, once compromised records, lost business and customer churn are taken into account, while TalkTalk estimated the total cost of its 2014 data breach at 60 million, including the customer support and recovery costs, trading impact and loss of business. Throw in changes to the UK's Information Commissioner's Office which could see fines rise from a maximum 500,000 to 3% of annual turnover, and these are risks organisations can't afford to take.
Network security can only go so far
It's not that network-focused approaches to security aren't effective. They do a great job of filtering out threats before they get a chance to reach your high-value data. All the same, they can also throw up a lot of noise, confusing the picture or even setting off false alarms, which makes it more likely a genuine attack may be missed. Some network security measures have been known to degrade performance, tempting harassed admins to ratchet them down to maintain network speed.
Now throw in the inventive ways hackers are using new attack vectors, like printers or mobile devices, not to mention exploiting human error to set malware on the loose. An infected email attachment or code concealed in a website could be enough to get through your defences, as could malware hidden in a smartphone app or smuggled onto a USB memory stick. It's no wonder that network-level security can't catch everything at once. According to Verizon's 2016 Data Breach Investigations Report, the percentage of breaches involving a compromised person or device has doubled in the last six years. And personal computers are still very much a target; there's been a 232% increase in reported attacks on desktops and laptops over the same period.
Device-level defence
How then, do you stop an attacker once they've infiltrated the network? The answer is by doubling up on your security to properly secure your endpoints, protecting not just the servers, but your mobile devices, laptops and PCs. A software-led approach can take you much of the way there, including full-disk encryption and centrally managed malware-protection, updating and patching. Rigorous user management and data classification should ensure that employees can access only the information they need to do their jobs, while intelligent monitoring and threat-detection can help guard against insider threats.
Yet software can't do everything. Let a hacker into the network and credentials can be stolen, making it possible to access and reconfigure any accessible PC. Hackers are now actively targeting password management systems and apps, in the hope that one successful attack will enable multiple follow-up attacks on a range of high-value systems. USB host attacks code injected into USB host controllers are a huge potential threat and near-impossible to detect. Meanwhile, the most dangerous malware continues to assault the BIOS, compromising PCs and laptops in ways that can't be easily discovered or recovered from, and which give hackers a back door into computers and the data contained therein. Once they have the BIOS, your systems are dancing to their tune.
Hardware to stop hackers
That's why complete protection requires a little help at the hardware end too. Biometric security, for example, can prevent hackers using stolen credentials to access systems by asking them to prove who they are, not just what they know. A username and password may be stolen, but a fingerprint or face is harder to fake. Smartphone security apps and NFC-based touch-to-authenticate systems can ensure that a stolen password can't be used without the user's mobile device close at hand. RFiD tags and smartcards add another option for two-factor authentication, helping keep attacks at bay.
That's also why HP builds business PCs, laptops and printers with advanced security built-in. HP Elite PCs and EliteBook laptops, for example, work with a suite of tools designed to safeguard your devices, identities and data and put a halt to hackers before they get a chance to take control.
- HP BIOSphere Gen 3 HP's firmware ecosystem automates data protection for business PCs, working seamlessly with HP's Client Security Solution and Client Management Solution to secure the BIOS and optimise security and management across the organisation's PC fleet.
- HP SureStart Gen3 A key component of BIOSphere, the third generation of HP's SureStart technology continually watches the BIOS for signs of tampering, protecting the data that controls configuration and policy. If signs of attack are detected, Sure Start restores the BIOS to its original state along with any custom settings and policies configured by your IT team. With SureStart Gen3, malware targeting the BIOS can be stopped and shaken off.
- HP Client Security Suite Gen 3 Multi-factor authentication backs up basic security credentials with a second factor, including built-in biometrics such as fingerprint or facial recognition. When authentication requires evidence of who you are, not just what you know, a stolen username and password is no longer the key to a PC. HP SpareKey gives users the ability to recover their credentials without a call to the help desk, while HP Device Access Manager prevents data being copied to external drives.
With an effective mix of software and hardware solutions in place, it's much, much harder for hackers to waltz into your network, tango with your systems and lift your data. Get your device-level security working, and keep the wolf from the dancefloor.
