Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

The Little Book of Network Security and

Download as pdf or txt
Download as pdf or txt
You are on page 1of 52

The Little Book of

Network Security
and Data Protection

Charlie Trumpess
The Little Book of
Network Security
and Data Protection

Charlie Trumpess
© MN Press 2017. Charlie Trumpess has asserted his right to be identified as the author of this work, in accordance with the Copyright, Designs and Patents Act,
1988. All rights reserved. No part of this publication may be reproduced, in any form or by any means, without permission from the publisher.
Contents
6 16
Chapter Three:
Patch Management
Introduction: Half of all successful
The uncomfortable truth about network cyberatacks exploit known,
vulnerabiliies and data breaches. patchable vulnerabiliies.

8 20
Chapter One:
The Human Factor of Cybersecurity Chapter Four:
Why your own employees are Always Have a Backup Plan
oten the greatest threat to your Disaster waiing to happen, a third
network security. of businesses never backup their data.

13 24
Chapter Two:
Segmented Networks Chapter Five:
& User Privileges Bring Shadow IT into the Light
Minimise the atack surface 80% of employees admit to
by sub-dividing your network and beter using unapproved, unsecured
managing user privileges. applicaions for work.

4
The Little Book of Network Security and Data Protection

28 40
Chapter Nine:
Chapter Six: Captain Crunch to Artificial Intelligence
Cybersecurity and GDPR Readiness A brave new world of autonomous
Data protecion for the digital age, systems and interconnected devices
are you prepared for the new promises opportuniies for some and
regulaions? threats to others.

32 44
Summary
Chapter Seven: Today’s businesses can only prosper
Anti-virus Endpoint Security with the right IT infrastructure in
Good old-fashioned ani-virus place, and yet many fail to take even
sill has a role to play in defending rudimentary precauions to protect one
your network. of their most valuable assets.

36 About Modern Networks


Modern Networks provides IT and
telecoms services to over a thousand
48

commercial properies across the UK


and hundreds of blue chip businesses.

Chapter Eight: About the Author 50


Advanced Solutions
There is no magic bullet to Contact Information 51
network security, it requires thought,
planning and defence in depth. Useful Web Links 51

5
Introduction
An Uncomfortable Truth
Ransomware is a hot topic right now. Recent high proile malware atacks like WannaCry show
just how vulnerable organisaions are to cybercrime. Designed to take your corporate data
hostage, ransomware is a growing problem, and no one is safe. Globally, it’s esimated that
ransomware afects another company every 40 seconds. Ransomware atacks doubled during
2016. Overall, cybercrime cost UK irms £34.1bn last year. The staisics are alarming, but also
hide an uncomfortable truth. Many organisaions fail to take the most basic precauions to
protect themselves.

For the remainder of this book, we look at the three core elements of improved network
security: people, processes and soluions.

6
The Little Book of Network Security and Data Protection

Human Error
While the mulitude of threats from malware and hackers might cause sleepless nights, the
real danger to your corporate data is probably closer to home. According to the Informaion
Commissioner’s Oice (ICO), human error remains the main cause of data breaches in the UK.
Staf need much beter training and greater awareness of everything from opening suspicious
emails to using unsecured ile-sharing apps. We will take a closer look at user awareness and
training in chapter one.

Upgrades, Patches and Version Control


The WannaCry cyberatack revealed just how many irms are sill running old, unpatched,
unsupported versions of Microsot Windows. In 2016, it was found over 60% of UK SMBs
placed themselves at needless risk by coninuing to use old, unsecured versions of Internet
Explorer (IE). Certainly, there is no such thing as 100% security. However, you are not
powerless. You can miigate the risks of becoming a vicim.
See Chapter Three: Patch Management.

Backup Plans
Regretably, bad things happen, even to the most prepared organisaions. Human error,
hardware failures, malware atacks, power outages and natural disasters. When the worst
happens it pays to have a backup plan. That means muliple secure backups of all your
company data, so everything is recoverable at a moment’s noice.
See Chapter Four: Always Have a Backup Plan.

Anti-Virus
Although WannaCry caught many irms of guard and caused a nice media storm, the fact is
that most enterprise-grade ani-virus applicaions, such as Webroot, can stop malware at the
point of atack. It is vitally important to have robust endpoint security policies and oversite
of all the devices that connect to your network. How’s your BYOD (Bring Your Own Device)
policies? Do you know which employees use personal devices on your network? Naturally,
ani-virus is only as good as the latest update, the consistency of its deployment, and your
irm having an integrated approach to network security.
See Chapter Seven: Ani-Virus Endpoint Security.

Advanced Security
In the popular video game, Resident Evil the shadowy Umbrella Corporaion creates a highly
advanced, self-aware and homicidal security system called the Red Queen. The Red Queen
adapts, evolves and anicipates new security threats, making her a formidable adversary.
Today’s advanced security systems might not be up to Red Queen standards yet, thank
goodness, but they are evolving fast. Soluions such as Cisco’s Umbrella gives organisaions
greater visibility and control of all Internet connected devices, over all ports, even when the
users are of the corporate network. Umbrella does some clever stuf, learning from Internet
acivity to spot the telltale signs of a potenial atack before it ever happens. Advanced
network security is a big subject, which is why we will dedicate an enire chapter to it.
See Chapter Eight: Advanced Soluions.

7
Chapter One
The Human Factor of Cybersecurity

8
The Little Book of Network Security and Data Protection

Any security system is only as good as its weakest link. In the


cybersecurity world, the weakest point is nearly always the human
element. Around 40% of UK irms have sufered at least one data breach
in the last 12 months. The most common form of breach is a staf
member unwiingly clicking on a malicious link within a fraudulent
email. Like the shockwave from an explosion, the outcome from a
cyberatack can be far-reaching and extremely damaging. In recent
years, irms such as payday lender Wonga, Tesco Bank and mobile
phone operator Three have had thousands of customer records stolen,
lost millions of pounds, seen share prices plummet, and found their
brand reputaions in taters.

Human Error
Public awareness of high proile cyber-crimes seems to have litle efect
on our workplace behaviour, but does inhibit personal online aciviies,
such as banking and shopping. Research by AXELOS found that most UK
organisaions signiicantly underesimate the human element of cyber risk.
In fact, half of the UK’s worst data breaches during 2015 were caused by
human error. Internaional standard for informaion security ISO 27001 and
some insurance policies require irms implement cybersecurity training.
However, most companies only provide training to senior managers and
the IT department. Typically, end user awareness training is a far more
casual, ad hoc afair for everyone else.

Security Strategy
A cybersecurity strategy can only be efecive where you have clear policies
and procedures that everyone understands and follows. Otherwise,
your own staf will constantly undermine your IT security regardless of
what countermeasures you put in place. First, you need to assess the
potenial risks to your IT infrastructure, and decide what to prioriise.
Next, ensure senior management advocate IT security as a business
imperaive. Finally, implement a clear informaion management regime
with the appropriate checks and balances. User educaion will play a criical
role in raising awareness of cybersecurity risks and changing behaviours.

9
Raising Awareness
Changing how people think and behave isn’t easy. You might need some expert help.
According to research from AXELOS, “The one-dimensional and outdated cybersecurity
awareness training provided by most UK organisaions is not it for purpose and is limiing
employees’ ability to understand what good cyber behaviours look like.” Before you do
anything, you will need to establish a base level of cybersecurity awareness. Next, rather than
bombard staf with masses of informaion, focus on your top three threats. In the UK, this
might be raising awareness of fraudulent email phishing atacks, password protecion and use
of unsecured ile sharing applicaions, for example.

Audiences Segmentation
When building your end-user awareness programme it is important to consider your diferent
audience groups, and how best to communicate with them. Educaional research suggests
that interacive rather than passive learning tools and techniques produce the best results in
terms of engagement and retenion. Remember, there are diferent types of learners. Some
people respond beter to visual simulus while others prefer auditory, text or a kinaestheic
approach (learning by doing).

Games
The more interacive, group-based, relevant and fun you can make your awareness
programme the beter. Developed by PwC, Game of Threats™ is a cyber-threat simulaion
designed to test criical thinking and decision-making. The game rewards good decisions and
penalises teams for making poor choices in criical situaions. Ulimately, players come away
with a beter understanding of what steps they must take to improve cybersecurity across
their organisaion.

10
The Little Book of Network Security and Data Protection

Free Training Tools


Awareness of UK government-backed cybersecurity iniiaives and standards remains low. In
a recent survey only 8% of respondents said they were aware of the Cyber Essenials scheme.
Currently, only 20% of UK employees receive any cybersecurity or awareness training, and
that igure is skewed in favour of larger enterprises. However, there are a number of free
cybersecurity courses available such as Future Learn, Responsible for Informaion e-learning
and ESET Cybersecurity Awareness training to get you started. A quick Google search will
reveal a dizzying choice of paid tools, techniques and online courses to help you implement a
user awareness programme.

Assessment
Having created your cybersecurity policies and introduced awareness training, you will
want to measure the efeciveness of your scheme. As phishing atacks are so prevalent,
you might send a fake fraudulent email to all employees as a test. You can then measure the
number of people who click on a potenially malicious link and the number of people who
report the email as suspicious. You could then repeat this exercise randomly as part
of a phishing assessment of end user awareness. Alternaively, you can run a full network
and security assessment in secret. Use this assessment as a baseline before your users
start their awareness training, and then run a comparaive check ater your people have
completed the course.

For more information on cybersecurity


and network assessments:
Contact us now – 01462 426 500

Penalties of Inaction
Incredibly, most cyberatacks and data breaches go unreported. Many irms simply lack
an awareness of who to report to, why to report breaches, and what reporing achieves.
Nevertheless, failing to take the most basic cybersecurity precauions, not reporing accidental
data loss and malicious aciviies can prove costly. The 2015 hack of telecoms provider
TalkTalk cost the company an esimated £60m and 100,000 lost customers. They also received
a £400,000 ine as the regulator found the cyberatack was completely preventable. New
General Data Protecion Regulaions or GDPR will require every organisaion to report data
breaches to the Informaion Commissioner’s Oice from May 2018. Penalies for failing
to comply with GDPR will be severe. Learn more on Chapter Six: GDPR and Cybersecurity
Readiness.

Top Tips
1. Raising user awareness of 2. Changing human behaviour 3. Assess the state of your
cybercrime and data security isn’t easy. Use different network security before
starts at the top. types of media tailored to training starts so you can
your target audiences for measure results effectively.
best training results.

11
Chapter Two
Segmented Networks & User Privileges

12
The Little Book of Network Security and Data Protection

As we have seen, you are more likely to be a vicim of a data breach or


cyberatack due to the negligent or malicious acions of someone within
your organisaion. Network segmentaion or segregaion can improve
data security by restricing user access behind the perimeter irewall.
As the name suggests, network segmentaion means dividing your IT
network into a number of subnetworks or zones, such as inance and
human resources. In this way, you restrict user access to only those
with the right privileges. Should a hacker or computer virus gain
unauthorised access to your network, segmentaion will limit the
harm done. Similarly, local network failures are contained rather than
causing widespread problems, such as unexpected downime. Network
segmentaion is oten a regulatory condiion for those operaing in highly
regulated sectors such as inance and healthcare.

Third Parties
Depending on the nature of your business, you might need to provide
network access to third paries such as suppliers and partners. First, you
should have a policy in place to vet third paries before you give them access
to your systems. Next, ensure that they have segmented access, restricing
their aciviies to essenials only. Any data iles transferred to third paries
should be done using a secure protocol, encrypted in transit and at rest.
Finally, you will want to have an incident plan in place should a security
breach occur.

Need to Know
Operaing on a “need to know” basis is something common to intelligence
services, the police and military around the world. The idea is simple
and efecive, you only tell your ield agents enough about an on-going
operaion for them to perform their assigned tasks. Should an agent
be compromised, captured and interrogated they can only reveal a
small piece of the overall operaional plan. Similarly, resistance ighters,
acivists, criminal gangs and terrorist groups oten adopt a cell structure,
which restricts a member’s knowledge of the organisaion to just a few
individuals. This helps protect the group from informers and undercover
law enforcement. In the IT world, user privileges determine what you
can and cannot do on the network, a bit like operaing on a need to
know basis. However, many organisaions fail to apply the concept of
least privilege, whereby the majority of staf are limited to a standard
user account. Only a select few have super user or administraive rights. By
limiing user access you reduce the risk of malicious acivity and human error
causing major disrupion.

13
User Privileges
Out of the box, Windows PC users login with an administrator account. It’s easy enough to
create a standard account, but how many people do? Subsequently, any hacker or malware
can quickly take full control of your device, change seings, access any ile and monitor your
acivity, usually without your knowledge. The computer you are on right now might be part
of a botnet performing a denial of service atack or sending spam. Of course, organisaions
have to worry about more than just external threats. Disgruntled or negligent employees
with the wrong user privileges and full network access can easily cause mayhem. Finally,
organisaions must consider what user rights they assign to IoT or smart devices that are
being used everywhere from environmental controls to alarm systems. Many of these devices
are inherently unsecure. A recent Forrester report on idenity management found that
80% of breaches involved the misuse of elevated privileges, such as those used by systems
administrators, super users, and those with root access.

Risky Inactive Users


The days of a job for life are long gone for most of us. Today, many of us will have between
10 and 15 jobs in a lifeime. On terminaion of a contract, an employee usually returns their
company car, laptop, mobile, credit card and keys to Human Resources. The IT department
deacivates the leaver’s email and user account. The company and individual happily go their
separate ways, except when they don’t.

14
The Little Book of Network Security and Data Protection

A few years ago, I worked for an internaional IT company as a contractor. Ater my contract
ended, quite amicably, I discovered I sill had access to the company’s website CMS and
analyics. I retained these privileges for some years unil the company was the subject
of a takeover. This simple oversight meant I could have easily changed or deleted website
content. Clearly, failing to disable or delete the network user accounts of former employees
represents a major security risk. Inacive user accounts enabled in Acive Directory are also
temping targets for outside atackers. Ater all, it’s a valid account so less likely to be noiced
when accessing the organisaion’s private data and applicaions, depending on privileges.
Because the account is inacive, the original owner is no longer around to alert anyone that
something is wrong.

Every organisaion must ind the right balance between the operaional needs, IT and security.
Next, an organisaion must develop efecive procedures for managing ideniies and user
privileges. Wherever possible, only grant minimal user privileges to carry out required tasks.
Idenify and review all those with privileged user status. Don’t allow passwords to be shared,
and establish processes to monitor and manage any shared accounts. Ensure you have
processes in place to disable or delete inacive accounts in Acive Directory ater an agreed
period. By 2018, it’s esimated that 60% of insider misuse and data thet will be the result of
poor user access management and suicient controls.

Top Tips
1. Segmenting your network 2. Apply the concept of least 3. Ensure you have a process
into subnetworks or zones privilege, whereby users in place to disable or delete
can help prevent the spread only have enough network inactive user accounts from
of malicious applications and access to perform their the Active Directory.
insider misuse. specific roles.

15
Chapter Three
Patch Management

16
The Little Book of Network Security and Data Protection

Unil recently, patch management was barely a consideraion for many


organisaions. Instead, ‘install and forget’ was the common approach to
deploying systems. In fact, many systems were rarely or never patched.
Of course, the rise of cybercrime and myriad of threats has changed all
that, or has it?

Incredibly, 44% of security breaches occur ater vulnerabiliies have


been ideniied and soluions found. A report by BMC and Forbes
Insights found that many months oten elapse before ideniied security
vulnerabiliies are ixed, leaving organisaions needlessly exposed.

The devastaing inancial and reputaional costs of a security breach are


well documented. At the same ime, the risk of a breach has increased
exponenially. That’s why patch management is now regarded as a criical
part of an integrated defence strategy.

The Cost of Complexity


The rapid evoluion of IT systems has meant increased complexity, more
points of entry and a greater atack surface ripe for exploitaion. Today’s IT
professionals must look beyond core systems, and safeguard enterprise
business applicaions, remote sites, desktop operaing systems and
mobile devices. At the same ime, businesses have become far more
reliant on technology for everything. Even short periods of unplanned
downime can cause disproporionate harm.

Erroneous Task
So, what does good patch management look like and how do you
manage it? The key objecive of a patch management program is to
create a consistently conigured environment that is secure against
known vulnerabiliies in all systems and applicaions. This sounds simple
enough. However, in reality patch management can become a complicated,
ime-consuming and erroneous task, even for smaller businesses with
limited IT infrastructure.

There are many sotware soluions available to help with patch


management but this is only part of the soluion. To be successful, patch
management requires a combinaion of people, process and technology.

17
Where Are You Now?
At this point, many organisaions turn to IT frameworks such as ITIL (Informaion Technology
Infrastructure Library) to provide a structure and best pracice for execuing efecive
patch management. We would recommend you review your patch management strategy.
Does it include the right components of people, process and technology? If not, then
this is something you should tackle quickly before it becomes a bigger issue.

IT Audit
It might seem obvious, but a good place to start is by conducing an audit of all your
IT systems and endpoints. You can only manage IT assets you know are part of your
network, so understand what you have, where it’s located, what operaing systems
and applicaions are running.

18
The Little Book of Network Security and Data Protection

Do you need help performing an IT audit?


Contact us now – info@modern-networks.co.uk

Rationalisation
You might want to think about standardising hardware and sotware choices, making
everything easier to manage. You will also want a list of all the security controls you have in
place. In this way, you’ll know what requires atenion when alerted of a vulnerability. You
might also want to think about doing a risk assessment, so you can prioriise your workload.
Raionalising your IT will help make it more manageable, but replacing kit or applicaions
because they’re going end of life is seldom immediately necessary. Vendors typically coninue
support, security upgrades and patches for years. Once again, having the right people and
processes in place will help you make informed decisions that support your business.

Patch Staging
When a patch becomes available, you should resist the urge to push it out across your
network immediately. Someimes, patching a system can have unforeseen consequences
and cause problems. Doing a quick Google search and checking IT forums, for example, can
provide an early warning that something is wrong with a patch and ofer possible soluions.
We would recommend you adopt a patch staging process, whereby patches are applied
gradually across your organisaion rather than in one go.

Top Tips
1. Focus your patch 2.Conduct an IT audit so 3. Patch staging will reduce
management strategy on you have a clear picture of the likelihood of a new patch
people, processes and then everything on your network. causing unforeseen problems.
technology.

19
Chapter Four
Always Have a Backup Plan

20
The Little Book of Network Security and Data Protection

Amazingly, over a third of organisaions do not backup their valuable


data. Of the remainder, many irms have outdated or unreliable backup
systems. The result being criical data is either corrupt, out of date or
missing when it’s needed most. Eliminaing ransomware, for example,
will require you wipe your systems. So, you’ll need a companywide
backup plan to quickly recover from the atack. The more frequent the
backups, the less data is lost.

Strategy
Whatever your industry, data backup, archiving and recovery are criically
important. You must develop a clear strategy. First, you will want to think
about just how much data you’re going to generate, it’s probably a lot
more than you would imagine. On the plus side, the costs of storage have
fallen dramaically.

Redundancy
Next, you need to plan for redundancy. What happens if you backup fails?
An on-premise server can instantly restore lost or corrupt data to the local
network, but not if the building burns down, loods or collapses due to an
earthquake. Then you will be glad of your Cloud backup. It means you can
ind a temporary oice, recover your data and be back in business.

Compliance
You will certainly want to think about your legal and regulatory obligaions
around data storage, backup and recovery. Highly regulated industries, for
example, have rules around data handling, retenion, disposal and audiing.
Not all data is created equal, so you might want to adopt diferent backup
and retenion policies for business criical and non-criical data.

21
Remote Workers
Over 30% of a company’s data resides locally, on PCs, laptops and mobile devices. However,
laptops are vulnerable to thet, damage, human error, mechanical failure and malware.
Adoping an automated, secure Cloud backup ensures the integrity of your data, wherever it
resides, even outside the corporate irewall, making it the perfect soluion for remote workers.

Cloud-to-Cloud
Finally, some irms rely heavily on Cloud-based applicaions such as Oice 365 and Salesforce.
Certainly, these services are highly resilient and secure. However, many Cloud-based
applicaions have limited data retenion periods, which is no good if you are a regulated
industry that must retain every email and document for 7 years. Some vendors ofer very
limited liability when it comes to compensaing you for lost, stolen or corrupt data. Only you
know the true value of your data to your business. Of course, having all your data reside with
one vendor gives them a lot of power and makes it harder for you to go elsewhere. Having a
backup gives you some leverage, and makes migraing to another service easier.

22
The Little Book of Network Security and Data Protection

The reputaional and inancial cost of a high-proile cybersecurity or data breach can be
immense. A study by the Briish Chambers of Commerce found that 93% of businesses that
sufered a data loss for 10 days or more iled for bankruptcy within a year. Half of them went
out of business almost immediately. At Modern Networks, we understand the importance of
having a secure, fully integrated data backup, storage and recovery strategy. We are always
happy to discuss your business needs, provide expert advice and pracical soluions.

Top Tips
1. Have a clear backup and 2. Keep multiple copies 3. Backup frequently.
recovery strategy. of your data.

23
Chapter Five
Bring Shadow IT into the Light

24
The Little Book of Network Security and Data Protection

We’ve all done it, used our personal email, a popular ile sharing app or
something similar to get the job done. In fact, around 80% of employees
admit to using unapproved, oten unsecured sotware applicaions for
work purposes. On the other hand, only 8% of organisaions have any
idea what shadow IT applicaions staf are using. Shadow or stealth IT
might sound a litle creepy or threatening, but in reality it’s just
a catchall term for any applicaion not oicially sancioned for use by
your organisaion.

Cyber Threats
The problem is that every ime someone uses an unsancioned
applicaion to get something done, it exposes your organisaion to
cybercrime and accidental data loss. Of course, work completed using
shadow applicaions might not be compaible with internal systems, and
valuable data cannot be backed up or recovered if it never resides on your
network in the irst place. By 2020, Gartner predicts that a third of all
successful cyberatacks will be achieved via shadow IT resources.

The more technologies we all use in our work and everyday lives the
greater the risks. According to a report by the UK’s Naional Cyber
Security Centre, a range of fake business-enabling mobile apps appeared
in 2016 designed to steal users’ login credenials. Cybercriminals have
also started to exploit social media sites knowing that many employees
regularly check Facebook and Twiter feeds throughout the day, and
especially at lunchime, using company devices. Clicking a link on a
hilarious cat video while at work can prove just as damaging as
opening a malicious email.

The IT Bypass
Shadow IT has become something of a double-edged sword for many
organisaions and IT departments. Ater all, shadow applicaions clearly
meet important business needs otherwise they wouldn’t be so widely
used. However, the IT department simply cannot do its job if it’s bypassed
and let in the dark about what applicaions people are using. Most
employees adopt shadow applicaions without considering the security
risks or compliance issues. When data resides on a third party applicaion,
outside of the knowledge or control of an organisaion’s IT department,
it is quite clearly at risk. Ignorance is no defence when sensiive client
or personal data leaks out of your organisaion and ends up on the Dark
Web for sale. Failing to meet regulatory obligaions about how sensiive
data is handled, stored and shared can lead to prosecuion, big ines and
negaive publicity.

25
Let’s get Visible
There is no-one-size-its-all soluion to the shadow IT conundrum. However, a prety good
place to start is visibility. How can you manage anything if you’re in the dark about what Cloud
applicaions are being used in your organisaion? A small business with extremely limited IT
resources might simply ask employees and departments what applicaions they are using. You
might not get a completely truthful answer, but it’s a start. Medium and larger irms might
look at a Cloud access security broker (CASB) such as Cisco Cloudlock. Essenially, a CASB sits
between an organisaion’s IT infrastructure and the Cloud service providers. It then enables
you to see which Cloud applicaions people use, and any data being transferred or shared.
What’s more, CASBs can provide risk assessments of the apps used. The organisaion can then
deine rules, procedures and restricions to ensure data compliance and security. Similarly,
data loss prevenion (DLP) soluions like Cisco Stealthwatch give you complete visibility of your
enire network out to the Cloud, and provide valuable insights and early detecion of security
vulnerabiliies and potenial threats.

Greater User Awareness


For many organisaions, BYOD, a more agile, mobile workforce and cheap, instantly accessible
Cloud applicaions have been a godsend. The downside is a greater “atack surface” for you
to defend and others to exploit. Alongside the high-tech soluions, beter user educaion and
situaional awareness is criically important to reduce the likelihood of data breaches and
cyberatacks. IT security procedures and policy documents are no good to anyone siing on
the company server, lost and forgoten. The UK’s Naional Cyber Security Centre suggests,
“Giving the right user training and awareness intervenions at the right imes can help prevent
security compromises. An organisaion’s staf can be one of its most efecive defences, yet for
many businesses a lack of user-centred security design is leaving them vulnerable.”

Crime Report
Lastly, reporing cybercrime and data breaches is vital to idenifying vulnerabiliies and
combaing threats. A survey by Barclays Bank and Insitute of Directors (IoD) found that
nearly ¾ of data breaches and cyberatacks go unreported by business. Clearly, the fear of a
hety ine from the Informaion Commissioner’s Oice (ICO), which has the power to impose
monetary penalies of up to £500,000 for breaches of the UK Data Protecion Act, is one
deterrent to reporing. However, many irms do not report breaches simply because there
was no material loss or damage caused. Nevertheless, those same irms spend more ime and
money on improving cybersecurity. Of course, bad publicity and potenial loss of business is a
powerful deterrent to reporing.

26
The Little Book of Network Security and Data Protection

GDPR and NISD


The European Union’s General Data Protecion Regulaions (EU GDPR) comes into force on
May 25th 2018. GDPR will introduce a duty on all organisaions to report certain types of data
breach to the relevant supervisory authority, and in some cases to the individuals afected.
That means a breach of security leading to the destrucion, loss, alteraion, unauthorised
disclosure of, or access to, personal data. Penalies for those failing to meet the new
requirements are extremely severe. Similarly, the Network and Informaion Security Direcive
(NISD) focuses on protecing criical IT infrastructure across European states. Those businesses
that the direcive categorises as essenial services, such as uiliies, air transport, banking and
some Cloud services will have to comply, meet all security requirements and report incidents
to the appropriate authoriies. The UK will adopt these new regulaions regardless of its
decision to leave the EU.
Learn more about GDPR in the next chapter.

Into the Light


Shadow IT is an opportunity and a threat to most businesses. Overstretched, under resourced
IT departments oten struggle to meet the many, varied demands of today’s tech savvy
workers. Corporate governance has oten been woefully inadequate in its understanding and
response to the widespread adopion of shadow applicaions. The security risks aside, shadow
IT clearly ofers tools and technologies that make people more producive, collaboraive and
eicient. Organisaions must make more of an efort to educate users about the dangers and
beneits of using shadow applicaions for work purposes. Similarly, staf must accept a greater
burden of responsibility for the applicaions they use to get the job done.

Top Tips
1. To better manage your 2. Technology can help you 3. The laws on data protection
network and data, first, you need better manage your network, are getting much tougher. The
visibility of who and what are but don’t forget processes and consequences of failing to
accessing your systems. people are just as important in comply with regulations, already
maintaining data security. severe, could put many more
firms out of business.

27
Chapter Six
Cybersecurity and GDPR Readiness

28
The Little Book of Network Security and Data Protection

Media hype around GDPR (General Data Protecion Regulaion) has


produced considerably more heat than light. GDPR is the European
Union’s replacement for things like the UK’s Data Protecion Act (1998).
The new regulaions are set to come into efect in May 2018. All companies
wishing to trade with the EU must be GDPR compliant. The UK will
adopt GDPR regardless of its decision to leave the EU. The main driver
behind GDPR is that current data protecion legislaion is no longer it
for purpose, having been writen into law decades ago when digital
technology was in its infancy.

Into the Unknown


Regardless of all the media and markeing hype, the truth is that we just don’t know what the
full implicaions of the new data protecion legislaion will be. Certainly, it is true that there
are substanial penalies for non-compliance, but we sill don’t know how diferent European
states or the UK will actually interpret various elements of the new regulaions. Surely, no one
will beneit from Draconian penalies and excessive red tape that siles business acivity and
innovaion.

Data Protection
In reality, GDPR isn’t that much diferent from current data protecion legislaion. It’s simply
being brought up to date. The main personal data protecion principles remain the same.
Personal data should be:

• used fairly and lawfully


• used for limited, speciically stated purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is absolutely necessary
• kept safe and secure
• not transferred outside the European Economic Area without adequate protecion.

Individual Rights
Some of the new rights for individuals include the “right to be forgoten” and data portability
(the right of individuals to obtain and reuse their personal data for their own purposes
across diferent services). There will be new provisions to increase the protecion of
children’s data such as parental consent for under sixteens waning to sign-up for online
services and a stronger “right to be forgoten”. Under the new regulaions, you must also
be able to demonstrate compliance. That means clear processes, procedures and metadata
management. The new legislaion further disinguishes between general personal data
(contact details) and sensiive data (medical records, religious beliefs and unique biometric
ideniiers, for example).

29
Naturally, the regulaions require you keep personal data securely. However, the direcive is
not speciic or prescripive about how you secure the data you hold. Data controllers must
report personal data breaches to their supervisory authority and, in some cases, the afected
individuals. This must be done within 72 hours where feasible.

The Informaion Commissioner’s Oice (ICO) provides plenty of informaion on what steps you
can take now to prepare for GDPR compliance. Visit the ICO’s website for their handy 12-step
checklist.

Cybercrime
Today, all organisaions should consider themselves targets of cybercrime. No one is immune.
The new regulaions build on what is required by exising data protecion legislaion. Firstly,
you should take appropriate organisaional and technical measures to protect your systems
and the data that resides on them. Although not a mandatory obligaion, it is recommended
that personal data is always encrypted.

Your IT systems should be secure, resilient and backed up. In the event of a physical or
technical incident, you should be able to recover all personal data records in a imely manner.
You should also have a process in place to regularly check the efeciveness of your data
security. As well as meeing new obligaions on data breach reporing, organisaions must
keep their own internal records of all data breaches and similar incidents.
All scaremongering aside, the truth is that having an IT security strategy in place will help
miigate the risks from cybercrime while ensuring you meet many of your data protecion
obligaions.

User Awareness
Firstly, as we have already seen, the majority of data breaches are caused by human error,
not technical failings. It is important that everyone across your organisaion is aware of
cybersecurity threats, and assumes their share of the responsibility to keep your corporate
data safe. Your staf should be properly educated about risk miigaion through good pracices
and procedures.
See chapter one for more informaion on user awareness and training.

Cybersecurity Audit
Next, you’ll want to determine the current state of your cybersecurity and deine where
you need it to be. This process can be broken down into policy, employee and technical
assessments. You will probably ind a mix of easily ixed vulnerabiliies and those that will
require a more planned, long-term response. Naturally, any business criical operaions
assessed as vulnerable should take priority in your remediaion plan.

Constant Monitoring
Running a cybersecurity audit gives you a snapshot of your strengths and vulnerabiliies.
However, once you’ve conducted the remedial work necessary to close any ideniied gaps,
you sill have work to do. The cybersecurity landscape is constantly changing and new threats
emerge all the ime. Subsequently, you will need to establish a regime of constant monitoring.

30
The Little Book of Network Security and Data Protection

According to the Naional Cyber Security Centre (NCSC), “Good monitoring is essenial in order
to efecively respond to atacks. In addiion, monitoring allows you to ensure that systems are
being used appropriately in accordance with organisaional policies. Monitoring is oten a key
capability needed to comply with legal or regulatory requirements.” The NCSC provides a 10-
step checklist for cybersecurity monitoring.

For more information on IT network


and cybersecurity assessments:
Contact us now – 01462 426 500

Remediation
Unfortunately, you can take every conceivable precauion and sill be the vicim of cybercrime,
so it will pay you to be prepared should the worst happen. It’s important you have the right
skills and technical resources to quickly idenify, isolate and deal with threats while minimising
their impact on your business operaions. Building resilience into your systems, ensuring
business criical data is backed up and establishing a coherent disaster recovery plan will make
a signiicant diference to your organisaion’s survivability ater a cyberatack.

Plan for the Worst


Currently, no one knows exactly how the UK or European states will choose to interpret
or enforce GDPR. There is a wealth of free advice and guidance available from the UK
government and its various agencies to help you comply with the new regulaions. Certainly,
it makes good business sense to take every precauion to safeguard your corporate data
from accidental or malicious breaches, and have coningency plans in place should an
incident happen.

Cyber Essentials
The UK government has a Cyber Essenials scheme that you can refer to in order to help
address important cybersecurity concerns. You can use this as the foundaion stage of your
cybersecurity strategy before looking at the iner details. Once completed you can then self-
cerify for Cyber Essenials.
See: UK government’s 10-steps to Cybersecurity

Top Tips
1. GDPR becomes law across the 2. Main personal data protection 3. Having an IT security strategy
EU including the UK in May, 2018. principles remain the same in place will help mitigate the
as Data Protection Act (1998) risks from cybercrime while
with some new additions such helping you meet many of your
as right to be forgotten, data data protection obligations.
portability and child protection.

31
Chapter Seven
Anti-virus Endpoint Security

32
The Little Book of Network Security and Data Protection

The number and variety of cyberatack faced by organisaions coninues


to grow daily. Businesses of all sizes and across all industries are being
targeted. To compound the problem, the atack surface is becoming
greater and more varied with the proliferaion of mobile devices,
Cloud services and BYOD. This is creaing a major headache for security
professionals trying to counter this growing threat.

Ransomware
The enormous global press coverage of recent ransomware atacks
put cybersecurity front of mind for many organisaions. The term
“ransomware” was probably new to many people unil May 2017.
However, ransomware is not a new issue, but is a muli-billion dollar
problem.

Damaging Fallout
Besides the immediate monetary loss, the longer-term fallout from
a malware atack can be devastaing. There’s the public relaions
nightmare and reputaional damage done to the brand. Other
consequences include regulatory compliance issues, legal acion,
operaional disrupion, lost customers, cancelled contracts, raised
insurance premiums and diiculty obtaining credit. In a 2017 global
study, over 30% of irms reported a loss of revenue and nearly 25%
lost customers as a result of a data breach.

Think Data Breach


Unfortunately, there is no such thing as 100% security. However, you
can take precauions and safeguards to protect your data, reduce the
likelihood of being a vicim of an atack, and ensure you can recover
quickly should the worst happen. Many CIOs now think in terms of
when will our organisaion sufer a breach, and how will we respond
to minimise the impact. Although there is no silver bullet of data
protecion, you can take a number of precauions. In the remainder
of this chapter we will look at ani-virus as a crucial piece of your
security puzzle.

Security at the Endpoint


So why is ani-virus important? Ani-virus is a key component of
endpoint protecion and is used to prevent, detect and remove malicious
sotware. It helps protect against a variety of atacks including viruses,
ransomware, Trojans, worms and many other types of atacks. If you
don’t have ani-virus sotware deployed across all of your devices we
recommend you address this immediately.

33
Question the Status Quo
If you already have ani-virus, it is sill worth asking the quesion: does it give your
organisaion the right level of protecion you need? Do you regularly audit your systems to
ensure that all your endpoints (PCs, tablets and mobiles) have ani-virus sotware installed,
and are they running the latest deiniions? This is a criical point, as many organisaions
deploy ani-virus sotware as a ‘set and forget’ soluion but fail to monitor the endpoints and
ensure they are coninually protected.

Do you need an IT network and security


assessment? We’re here to help.
Contact us now – 01462 426 500

Central Administration
It is crucial that you choose a soluion that can be centrally managed by an administrator.
Ani-virus providers regularly release new updates for new threats as they are detected. If
your sotware isn’t centrally managed or requires the user to update the sotware ‘at their
convenience’ it may not happen at all, and leave your network vulnerable.

34
The Little Book of Network Security and Data Protection

Does Your Anti-virus Measure Up?


Secondly, how does your ani-virus score in independent tests? Organisaions such as
PassMark carry out independent tesing of ani-virus soluions covering a range of areas such
as reliability, usability, detecion and performance. If your soluion doesn’t score well in these
tests you should reconsider its suitability for your organisaion.

Inexpensive but Vital


Ani-virus doesn’t need to be an expensive soluion but is a key component of your security
strategy. The costs can be as litle as a couple of pounds per user per month with lexible plans
and opions to suit most businesses. The key is to have the right level and type of protecion
that’s appropriate for your business and the data you hold.

Top Tips
1. Choose an anti-virus solution 2. Choose an anti-virus that 3. Choose your anti-virus
that’s been independently tested. can be centrally managed. based on business needs.

35
Chapter Eight
Advanced Solutions

36
The Little Book of Network Security and Data Protection

In this chapter, we will look at a range of soluions designed to


safeguard your network from iniltraion and detect any malicious
sotware that is present. Cybercrime is a muli-billion dollar business. This
means atackers are very well funded, and will coninue to produce beter,
more disrupive malware and viruses. FBI research has found a single
ransomware campaign can generate $60 million annually. Capable of
generaing massive proits for the cyber criminals, ransomware and
other forms of cybercrime are with us for years to come.

Umbrella Roaming
Umbrella Roaming is a Cloud delivered service that protects all your
employees’ devices, even when they are not connected to your network. It
works by blocking user requests to malicious domains at the Internet DNS
layer, which means a connecion is never made.

Umbrella Roaming constantly analyses real-ime, diverse data sets


to learn Internet acivity paterns. It then uses machine learning and
complex algorithms to spot trends, paterns and threats before an atack
even happens. Because Umbrella Roaming is a Cloud delivered service, it is
completely device and plaform agnosic, and can eliminate potenial blind
spots when users are not in the oice.

Currently, if users are working remotely without a VPN connecion the


perimeter security such as a irewall is being bypassed. Umbrella Roaming
ensures every device gets the same level of corporate protecion regardless
of where your employees are based, working from home, in the oice or at a
motorway services.

ISE Potential Threats


Do you have complete visibility of all the devices connecing to your
network? Do you know if all those devices are security compliant and
only running approved applicaions? Idenity Services Engine (ISE) is
an applicaion that enables you to beter manage and secure your
corporate network. ISE includes a posture service allowing you to
check and verify the state of all devices connecing to your network
before graning them access.

Working across both wired and wireless, corporate and guest networks you
can control the devices connecing, and make sure they meet your speciied
criteria for access. For example, what operaing system is a device running?
Is it patched suiciently? Does it have enterprise ani-virus installed and
is it up to date? If not, you can quaranine the device, and give the user
limited or no access unil they have addressed the problem. This can
signiicantly increase your level of control over devices that have the
potenial to threaten or infect your network.

37
Before, During and After an Attack
Advanced Malware Protecion (AMP) for endpoints provides protecion against the most
advanced cyberatacks, will prevent breaches and block malware at the point of entry. It will
also rapidly detect, contain, and remediate advanced threats if they evade front-line defences,
such as irewalls, and get inside your network. As we have said in previous chapters, no
prevenion method will catch every threat. However, AMP will help you be prepared when
advanced malware does get inside. AMP enables you to see executable ile acivity across all
of your endpoints, so you can spot threats quickly and ix them.

One area where AMP difers from other soluions is it coninues to monitor and record acivity
ater a ile is on the endpoint. It coninues to watch, analyse and record ile acivity, regardless
of the ile’s disposiion. When malicious behaviour is detected, AMP shows you the recorded
history of the malware’s behaviour over ime: where it came from, where it’s been, and what
it’s doing. The malicious ile is then quaranined automaically, any damage done is ixed and
further harm prevented across all endpoints on your network.

Threats You Cannot See


On average, malware goes undetected for around 200 days. That’s 200 days cybercriminals are
inside your corporate network doing harm. To even the playing ield, Stealthwatch uses low
data to give you incredible visibility across your enire network including the data centre and
Cloud. First, it establishes a baseline for normal network behaviour. Next, it uses advanced
analyics to idenify unusual paterns and alert you of possible threats.

38
The Little Book of Network Security and Data Protection

Stealthwatch can help you spot a compromised device talking to an external command
and control server, detect abnormal traic and idenify data exiltraion, if unusual ile
transfers are taking place. Without an applicaion like Stealthwatch, the irst ime you
learn there’s been a data breach is when your customers’ data goes on sale or is splashed
across social media.

Choose Wisely
These are just a handful of advanced cybersecurity soluions available to you. They vary
in complexity and costs. Naturally, we would recommend you evaluate your current levels
of protecion; check they are adequate for your needs and compliant with your industry
standards. However, before you rush out and spend a shed load of cash because the Board
have been reading the newspapers; take a moment to consider your security needs and
opions.

First, you need to agree what are your security prioriies. Next, shortlist vendors and
applicaions that meet your requirements now and for the near future. Get some independent
advice and look at what exising customers have to say about applicaions. Look at total cost
of ownership (TCO) and any hidden fees. You will also want to think about support and service
levels. Take the applicaions out for a test drive, and give your IT people a chance to look
under the bonnet.

Top Tips
1. Assess your current IT 2. Agree security priorities. 3. Evaluate different
network security. applications based on
your needs, budget, TCO
before purchasing.

39
Chapter Nine
Captain Crunch to Artificial Intelligence

40
The Little Book of Network Security and Data Protection

Back in 1971, the makers of Cap’n Crunch breakfast cereal had no idea what they had done
when they included a seemingly harmless toy whistle in every box as a promoional git.
Just one of many people who enjoyed a bowl of Cap’n Crunch cereal was a young computer
enthusiast named John Draper. John found that the Cap’n Crunch toy whistle produced
exactly the same 2600-hertz audio tone needed to open a telephone line and allowed
him to make free long-distance calls. Nicknamed “Captain Crunch”, John had successfully
hacked the US telephone system. John went onto share his discovery with two enterprising
Berkeley college students, who saw a business opportunity in being able to hack the
telephone network and make free calls. Someime later, the two Berkeley students, Steve
Jobs and Steve Wozniak, would go onto found a litle computer company called Apple.

The Greatest Threat to Business


Since that fateful morning back in 1971, when John Draper found a toy whistle in a box of
breakfast cereal, computer hacking and cybercrime have become one of the world’s most
serious problems. Forbes esimates that cybercrime will cost businesses in excess of $2
trillion USD by 2019. Mulinaional technology giant, IBM’s Chairman, CEO and President,
Ginni Romety, recently said, “Cybercrime may be the greatest threat to every company in the
world.” Of course, the damage done by cybercrime goes far beyond the business community.
It threatens internaional peace, democracy, individual privacy, health and public safety.
Just as the problem of cybercrime has grown and mutated, so have the moivaions of the
cybercriminals. Certainly, poliical acivism, espionage and terrorism remain key moivators.
However, cybercrime for proit has seen the most dramaic increase in recent years. Organised
criminal gangs now run sophisicated crime-as-a-service operaions while ransomware atacks
have roughly tripled in frequency year-on-year.

Open Doors
Our every increasing dependence on digital technologies and poor
digital hygiene have created the perfect storm of cybercrime. Weak
password policies, leaving ex-employees on your Acive Directory,
failing to patch or replace for known vulnerabiliies, using
shadowy IT applicaions for business purposes, and opening
suspicious emails and text messages are some of the most
common reasons businesses and individuals fall vicim to
cybercrime. These are crimes of opportunity, like leaving
the doors and windows of your building wide-open.

41
Simple Solutions
Creaing, communicaing and enforcing some simple, common sense IT security policies could
save you a world of pain. Disable and then remove dormant user accounts from your Acive
Directory ater 30 days. Once manufacturers stop producing criical security updates for end of
life hardware and sotware, you need to replace it. You keep it running at your own peril. The
majority of data breaches are the result of human error such as losing paperwork, emailing
data to the wrong person, mistakenly uploading conidenial or sensiive informaion to public
websites, gossiping and being indiscreet on social media. A lot of this stuf might seem trivial,
but brute force atacks, ransomware and spyware are successful because people use weak
passwords and don’t patch or replace their systems when they’re clearly vulnerable.

As our computer networks become more complex, dispersed and interconnected so the atack
surface grows proporionally. Every smart device you hook-up to your network represents an
opportunity and a threat. The environmental sensors that control your eco-friendly building,
for example, might be just the gap in your IT security perimeter that a hacker has been
waiing to exploit. A recent survey by the Electrical Contractors’ Associaion (ECA) and Scoish
electrical trade body SELECT found that some four in ten smart buildings in the UK do not
currently take any steps to counter cyber threats. To take maximum advantage of mobility, big
data or the Internet-of-things (IoT) requires you have a network infrastructure that’s resilient,
scalable and secure.

Robots
There will be tens of billions of connected devices jostling for bandwidth by 2020. Keeping
tabs on all those devices will be no easy task, let alone ensuring they’re secure. Predicing
the future is a notoriously tricky task. For decades, roboics and ariicial intelligence (AI)
have been the stuf of science icion and horror movies. However, today we are seeing
the irst widespread and successful use of these technologies. We see robots deployed in
manufacturing, logisics, uiliies, scieniic research, law enforcement and the military.
Primarily used to ofer help and advice, chatbots are deployed everywhere from social
networks and ecommerce websites to call centres, banks and healthcare providers. Online
giants Amazon and Neflix use sophisicated, self-learning systems to study the shopping and
viewing habits of their customers, so they can beter serve them.

AI, machine learning (ML) and quantum compuing ofer the possibility of cybersecurity
systems capable of idenifying threats the moment they emerge anywhere in the world.
Automatous systems that can anicipate a cybercriminal’s next move based on previous
behaviours, and take acion without any human intervenion. Similarly, cybercriminals will
probably harness AI-based technologies to launch sophisicated atack agents designed to
avoid detecion and adapt to changing defence strategies.

42
The Little Book of Network Security and Data Protection

Ajay Arora, CEO and Co-founder of data security irm Vera suggests, “We need to adopt
intelligent and automated security systems. Automaion means invesing in tools that
automaically secure data based on locaion, context, the recipient, the user’s idenity, and
more importantly, tools that don’t require constant human interacion. We simply cannot rely
on employees or our partners to do the right thing.”

The Spread of IoT


IoT devices are expected to spread faster than smartphones and tablets once did. Given the
diversity of operaing systems, absence of security features and lack of regulaion for these
devices, we may see large-scale cyberatacks against businesses and consumers. As always,
regulaion will probably follow in the wake of a series of damaging, high proile incidents.
According to McAfee Labs 2017 Threats Predicions Report, “Internet of Things malware will
open a backdoor into connected buildings and could remain undetected for years. There
should be no doubt that networks of devices infected with malware without their users’
knowledge will be one of the most common cybercrimes in years to come.”

No Simple Answers
The cyber-threat landscape coninues to evolve, and no one security vendor can or will
ofer a complete soluion to the problem. Instead, organisaions will have to work with
security consultants and trusted partners such as Modern Networks to combine best-of-
breed soluions to meet their own unique set of requirements, challenges and risks. Today,
successfully changing employee aitudes and indiference towards cybersecurity will go a
long way to prevening many accidental data breaches, phishing and other social engineering
atacks.

The anicipated spread of smart, connected devices into every conceivable part of our work
and home lives will certainly pose major security challenges. A requirement of the new
European General Data Protecion Regulaion (GDPR) is data security by design. In other
words, manufacturers and sotware developers must build data security features into their
products. This paricular GDPR obligaion might prove an important weapon in the ongoing
ight against cybercrime in years to come.

Top Tips
1. The war of cybersecurity versus 2. Create, communicate and 3. The majority of cybercrimes
cybercrime has only just started enforce simple, common sense remain crimes of opportunity.
and will only intensify. IT security policies, and adopt You can mitigate many of these
defence in depth approach risks by taking simple remedial
to network security and data actions, such as patching known
protection. vulnerabilities, and raising
user awareness.

43
Summary

44
The Little Book of Network Security and Data Protection

Cybercrime is an unpleasant fact and daily occurrence. However, many organisaions


coninue to ignore the new reality and take inadequate precauions to protect themselves
or their customers. Subsequently, private and public sector organisaions coninue to
ind their names splashed across the media because of embarrassing data breaches or
successful system hacks.

Tremendous Cost of Cybercrime


Around 60% of smaller businesses will cease trading within six months of a data breach or
cyberatack due to the inancial burden and reputaional damage. The costs of cybercrime can
be tremendous in terms of inancial penalies, negaive publicity, lost customers, downime
and higher insurance premiums. Nevertheless, the majority of data breaches can be atributed
to human error or staf negligence. Similarly, over 70% of cyberatacks exploit known,
patchable vulnerabiliies.

In order for organisaions to get a beter grip on network security and data protecion, they
need to think about three things: people, processes and then soluions.

People, Processes, Solutions


Organisaions need to change the employee mindset, so cybersecurity is at the forefront of
their thinking rather than a distant aterthought. That means user awareness training and
communicaions programmes. Organisaions also need to review processes and procedures to
ensure they are it for purpose. Have you ideniied and prioriised your security assets, such
as personal customer data? Have you done any threat modelling? Next, audit your IT network
to idenify vulnerabiliies. Develop a remediaion plan to improve security where it maters
most. Evaluate diferent soluions that can provide you with a defence in depth.

Backup
Unfortunately, there is no such thing as complete cybersecurity. Should the worse happen,
and you are the vicim of a cyberatack or data breach, it’s criically important you have a
reliable backup and recovery plan that can swing into acion.

45
Regulation
The full implicaions of new EU data protecion legislaion remain to be seen, but promise
to be far more stringent in certain areas, such as right to be forgoten, data portability and
breach reporing. Having a coherent IT security strategy will help miigate risks and ensure you
meet many of your data protecion obligaions.

Brave New World


The Internet of Things and proliferaion of connected devices will almost certainly dictate the
future of network security. The more interconnected devices, the more potenial entry points
for hackers and malicious applicaions to exploit. The brave new world of ariicial intelligence,
machine learning and quantum compuing promises many new user beneits, business
opportuniies and asymmetric threats.

Every human acivity comes with some level of risk. Good networks security can help miigate
many of the risks associated with doing business, ensure regulatory compliance, reduce
liabiliies and protect an organisaion’s reputaion.

46
The Little Book of Network Security and Data Protection

47
About Modern Networks
Established in 1999, Modern Networks is an IT and telecoms managed service provider
(MSP) helping clients across the UK maximise the value of their enire IT infrastructure.
The company has oices in Herfordshire, Cambridgeshire and Manchester. We
have considerable experise within commercial property management working with
over thirty managing agents and a thousand sites. Our clients include CBRE, Cushman and
Wakeield, Savills, JLL and Lee Baron. We are a corporate member of the Briish Insitute
of Faciliies Management (BIFM). We are also a Gold member of the Service Desk Insitute
and ofer ITIL best pracice standards of IT support.

48
The Little Book of Network Security and Data Protection

Enterprise
Modern Networks provides advanced, innovaive IT managed soluions for over 200 varied
enterprise clients from accountancy irms, travel agents and media companies to naional
chariies and not-for-proits. The company is a ceriied partner for Cisco, HP, Microsot,
VMware, NetApp and Pure.

RADD Telecoms
Our sister company, RADD Telecoms is one of the UK’s leading data cabling installers. They also
provide business WiFi, CCTV and secure access control systems.

Our range of IT and telecoms services include:

Our other services include:


• IT consultancy, design and build.
• IT network and security assessments
• Compeiively priced, ixed monthly fees
• Simple on-boarding process
• IT cabling, access control and CCTV
• Digital signage
• Business computers, tablets and mobiles
• Business email and sotware
• UK based IT support
• Wired and wireless computer networks
• Cyber security
• Data storage, backup and recovery
• Cloud compuing
• Telephony, business Internet and broadband.

49
About the Author

Charlie Trumpess, DipM, MCIM, CM


Charlie is a markeing professional with over 20 year’s
experience working for a range of tech companies in
the UK and Northern Europe. He holds a professional
diploma in markeing (DipM), is a Member of the
Chartered Insitute of Markeing (MCIM) and a CIM
Chartered Marketer (CM).

50
The Little Book of Network Security and Data Protection

Contacts
Modern Networks, Hitchin
18 Knowl Piece
Wilbury Way
Hitchin, Herts
SG4 0TY
01462 426 500

Modern Networks, Manchester


20–21 Albert Square
Manchester
M2 5PE
0161 667 3100

www.modern-networks.co.uk

Company No. 3881576


VAT Reg. GB 750991117

Useful Web Links


• Naional Cyber Security Centre: www.ncsc.gov.uk
• GCHQ: www.gchq.gov.uk
• AcionFraud: www.acionfraud.police.uk
• UK Government: www.gov.uk
• Cyber Essenials: www.cyberaware.gov.uk/cyberessenials
• Informaion Commissioner’s Oice: htps://ico.org.uk
• EU General Data Protecion Regulaion (GDPR): www.eugdpr.org

51
modern-networks.co.uk
Email: info@modern-networks.co.uk Call: 01462 426 500
18 Knowl Piece, Wilbury Way, Hitchin, Herts, SG4 OTY

52

You might also like