GPSJ Autumn 2024 ONLINE - Flipbook - Page 41
IT & IT SECURITY
Why “best practice” is failing to protect personal data: A call for data-centric security
Simon Pamplin
The recent cyberattacks on London councils have exposed a fundamental weakness in today’s cybersecurity strategies. Despite organisations investing heavily in perimeter defences such as firewalls, anti-phishing measures, and zero-trust policies, cybercriminals continue to breach these barriers. The reason? Traditional best practices focus on keeping attackers out, rather than protecting what truly matters: the data itself. Simon Pamplin, Chief Technology Officer at Certes, discusses.
Perimeter defences are no longer enough

The stakes in cybersecurity have never been higher. Attackers no longer rely on brute-force break-ins; instead, they exploit stolen credentials to log in undetected. Studies show that over 84% of breaches now involve credential theft, allowing cybercriminals to bypass traditional security measures entirely.

Meanwhile, the financial impact of these breaches is soaring. Ransomware demands have skyrocketed, with the average ransom payment now exceeding $2 million, a staggering increase from $400,000 just a year ago. But the costs extend far beyond ransom payments. Organisations face an average of $2.73 million in recovery costs, not to mention the reputational damage that follows, often leading to lost customers and diminished trust.

For public sector organisations, the fallout can be even more severe. Data breaches in government agencies and councils compromise sensitive personal data, eroding public confidence and triggering regulatory scrutiny. Despite these risks, many organisations still rely on outdated security models that focus solely on network protection. But when attackers are logging in rather than breaking in, traditional defences offer little protection.

The business impact: more than just financial losses

Cybersecurity is no longer just an IT issue; it’s a boardroom crisis. Regulations such as GDPR, DORA, and NIS2 impose hefty fines on organisations that fail to secure data adequately. For financial institutions, non-compliance with DORA alone can lead to penalties of up to 2% of global revenue.
Beyond financial losses, reputational damage can be devastating. Customers and clients expect their data to be handled securely, and a single breach can drive them away permanently. Operational downtime resulting from an attack can halt productivity, costing millions in lost revenue. Perhaps most concerning, executives now face personal liability for failing to protect sensitive data. CEOs and CISOs are increasingly being held accountable, meaning cybersecurity failures could have career-ending consequences.
The shift to data-centric security

If cybercriminals are after data, why is security still focused on protecting the perimeter? It’s time for organisations to shift their mindset and prioritise a data-centric security approach. The fundamental principle of this approach is simple: assume breaches will happen and ensure that, if they do, the stolen data is worthless to attackers.
This is where solutions like Data Protection and Risk Mitigation (DPRM) become essential. By encrypting, tokenising, or otherwise devaluing sensitive data, organisations can render stolen information unreadable and unusable. Even if attackers successfully infiltrate a network, they won’t be able to exploit the data they access.
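To make the devaluing principle above concrete, here is an added illustration in Python; it is not code from the article, from Certes, or from any DPRM product. It tokenises the sensitive fields of each record before they reach the application store, so a stolen copy of that store holds only random tokens, while a separate vault (assumed here to live in a separately secured system, and represented by an in-memory object) keeps the only mapping back to the real values. The field names and the sample records are constructed for the example.

```python
# Added example (not from the article or Certes): tokenising sensitive
# fields so that a copy of the application data store carries no usable
# personal data. The vault that maps tokens back to real values is assumed
# (hypothetically) to live in a separately secured system; the records
# and field names below are constructed sample data.
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("email", "national_insurance")


class TokenVault:
    """Sole holder of the token -> value mapping.

    Tokens are random, so they reveal nothing about the value. A keyed HMAC
    of each value is kept as a lookup tag so the same value always yields
    the same token (needed for joins) without indexing the plaintext itself.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)  # HMAC key, never leaves the vault
        self._by_token = {}  # token -> plaintext value
        self._by_tag = {}    # HMAC(value) -> token

    def _tag(self, value: str) -> str:
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        tag = self._tag(value)
        token = self._by_tag.get(tag)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 random bits
            self._by_tag[tag] = token
            self._by_token[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    protected = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in protected:
            protected[field] = vault.tokenise(protected[field])
    return protected


def restore_record(vault: TokenVault, record: dict) -> dict:
    """Reverse protect_record for an authorised consumer that holds the vault."""
    restored = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in restored:
            restored[field] = vault.detokenise(restored[field])
    return restored


def exposes_values(records: list, values: list) -> bool:
    """Model of what a stolen copy of the store gives away: does any
    field contain one of the known sensitive values in clear?"""
    cells = [str(v) for r in records for v in r.values()]
    return any(value in cell for value in values for cell in cells)


def demo() -> dict:
    """Protect a constructed sample dataset and report what a dump exposes."""
    vault = TokenVault()
    people = [  # constructed sample records
        {"id": 1, "email": "a.resident@example.org", "national_insurance": "QQ123456C"},
        {"id": 2, "email": "a.resident@example.org", "national_insurance": "QQ654321A"},
    ]
    stored = [protect_record(vault, p) for p in people]
    pii = [p["email"] for p in people] + [p["national_insurance"] for p in people]
    return {
        "dump_exposes_pii": exposes_values(stored, pii),
        "original_exposes_pii": exposes_values(people, pii),
        "same_value_same_token": stored[0]["email"] == stored[1]["email"],
        "round_trip_ok": [restore_record(vault, s) for s in stored] == people,
    }


if __name__ == "__main__":
    print(demo())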
Equally important is protecting backups. Many organisations fall into the trap of securing live data but neglecting backup systems. Cybercriminals often target backups in ransomware attacks, leaving businesses with no choice but to pay up. A robust backup protection strategy, incorporating immutable backups and air-gapped storage, is vital in mitigating ransomware risks.
The ultimate defence: a multi-layered approach

Creating an impenetrable defence may seem like a pipe dream, but a multi-layered security model that neutralises threats before they cause harm is achievable. A comprehensive approach should include:

● Proactive security measures: Implementing encryption, tokenisation, and access controls to devalue data.
● Regulatory compliance: Adhering to frameworks like GDPR and DORA to mitigate legal and financial risks.
● Rapid recovery capabilities: Ensuring businesses can resume operations quickly after an attack, minimising downtime and financial losses.
● Advanced threat detection: Using AI-driven analytics to identify and stop threats before they escalate.

By integrating these elements into a unified security strategy, organisations can not only defend against cyber threats but also maintain business continuity and protect their reputations.
The future of cybersecurity: act now or pay later

Ransomware and data breaches are not just technical threats; they represent financial, operational, and reputational crises. The reality is clear: perimeter defences alone are failing, and organisations must act now to protect what truly matters.

Building higher walls will not stop attackers. Instead, businesses and public sector organisations must invest in making the data itself untouchable. By shifting to a data-centric security approach, implementing robust encryption, and ensuring resilience through protected backups, organisations can render cyberattacks ineffective.

Cybersecurity is no longer about preventing breaches altogether—it’s about making stolen data useless. Until organisations embrace this mindset, breaches will remain inevitable. The time to rethink security is now.
GOVERNMENT AND PUBLIC SECTOR JOURNAL WINTER 2024/2025