As if data security couldn’t already keep you awake at night, two recent, widely reported studies have highlighted that it will be an even more pressing issue for IT teams in businesses and public sector organisations in 2022.
The consulting firm Gartner’s report ‘Top Strategic Technology Trends for 2022’ points out that businesses are seeking to drive business improvements through insights they gather from data. As they do so, they will need to ensure that digital infrastructure is resilient, secure and efficient. The Society for Innovation, Technology and Modernisation’s (Socitm’s) ‘Public sector digital trends 2022’ applies similar thinking to public sector organisations. It predicts that public sector bodies will share and use data to transform public services while also reducing cost and duplicated effort. This will be possible because increasing processing power and emerging technologies like artificial intelligence and machine learning will uncover powerful insights.
And as departments and organisations become more interconnected, the risk of cyber attacks and data breaches increases. But although you should always be vigilant, there’s no need to be alarmed. There are several simple things you can do to put your organisation on a firmer footing when it comes to data security.
Get to grips with consent
If you have implemented Microsoft’s Azure cloud solution, or you are about to, check your Azure Active Directory (AAD) – and if you are using the default configuration settings, change them.
Busy organisations often stick with the default, but the default allows any user to connect third party applications to the Azure tenancy without any input from an admin. If you’ve got numerous employees, this is obviously risky. It opens up opportunities for malicious code to be deployed and for users’ data to be harvested and exploited for phishing and other harmful activities. That’s why Microsoft recommends its customers apply more restrictive user consent settings to reduce risks to organisational systems and reputation, and to users themselves.
It’s an important step, and you should take it immediately. To bolster your tenancy effectively against data breaches, we recommend applying more restrictive defaults that require new applications to be approved by an AAD admin. You can configure the admin consent workflow to manage this process so it doesn’t become a burden for your hard-working IT teams. Four things to take care of immediately:
- Set ‘users can register applications’ to ‘no’
- Set ‘users can consent to applications accessing company data on their behalf’ to ‘no’
- Set ‘users can consent to applications accessing company data for the groups they own’ to ‘no’
- Changing the default settings won’t prevent existing applications from gaining access, so audit all applications already connected to your Azure AD domain and remove any that aren’t directly relevant to your organisational goals. If in doubt, throw them out
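To show what the last step looks like in practice, here is an added example (not Jisc’s code and not part of the original article) that audits the consent posture offline from exports of the Microsoft Graph `authorizationPolicy`, `oauth2PermissionGrants` and `servicePrincipals` objects. The export data below is constructed for illustration; the field names are the ones Graph uses, and the list of sensitive scopes is an assumption you should adapt to your own tenant.

```python
"""Audit Azure AD user-consent settings and existing app consent grants.

Added example. Assumes JSON exports shaped like the Graph responses for
/policies/authorizationPolicy, /oauth2PermissionGrants and /servicePrincipals.
"""
# Grant policy Microsoft assigns to the default user role when any user may consent.
ALLOW_ALL_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Constructed sample data standing in for the real exports.
AUTHZ_POLICY = {"defaultUserRolePermissions": {
    "allowedToCreateApps": True,
    "permissionGrantPoliciesAssigned": [ALLOW_ALL_CONSENT]}}
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Quarterly Survey Tool"},
    {"id": "sp-2", "appDisplayName": "Mail Insights Add-in"}]
PERMISSION_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read Files.ReadWrite.All offline_access"}]
# Assumed list of delegated scopes that expose far more than basic sign-in.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Contacts.Read", "Directory.Read.All"}


def policy_findings(policy):
    """Return the default settings the article says to switch to 'no'."""
    perms = policy["defaultUserRolePermissions"]
    findings = []
    if perms.get("allowedToCreateApps"):
        findings.append("users can register applications")
    if ALLOW_ALL_CONSENT in perms.get("permissionGrantPoliciesAssigned", []):
        findings.append("users can consent to applications accessing company data")
    return findings


def audit_grants(grants, service_principals):
    """Join grants to app names; flag tenant-wide consent or sensitive scopes."""
    names = {sp["id"]: sp["appDisplayName"] for sp in service_principals}
    report = []
    for g in grants:
        scopes = set(g["scope"].split())
        tenant_wide = g["consentType"] == "AllPrincipals"
        sensitive = sorted(scopes & SENSITIVE_SCOPES)
        report.append({"app": names.get(g["clientId"], g["clientId"]),
                       "tenant_wide": tenant_wide, "sensitive_scopes": sensitive,
                       "review": tenant_wide or bool(sensitive)})
    return report


if __name__ == "__main__":
    for finding in policy_findings(AUTHZ_POLICY):
        print("FIX: set '" + finding + "' to 'no'")
    for row in audit_grants(PERMISSION_GRANTS, SERVICE_PRINCIPALS):
        print(("REVIEW " if row["review"] else "ok     ") + row["app"], row["sensitive_scopes"])
```

Grants marked for review are the ones to take to application owners before deciding whether to keep or remove the app.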
Be aware that making these changes may affect workflows and have some impact on productivity in the short term. However, these stricter settings are worth the temporary inconvenience.
Manage your certificates
Amid the scary headlines about the cost and increasing frequency of cyber attacks, certificate issues might seem low on the priority list, but they shouldn’t be. Digital certificates keep your web and email services secure and allow you to send confidential data online safely. Streamlining their management boosts your defences and can save staff time.
Here are three easy improvements you can make:
1. Manage all your certificates in one place – even if your certificates are provided by multiple organisations. It’s more efficient, and our Certificate Service makes this possible. Its discovery function helps you find every certificate you have, keep a handle on them and manage renewals.
2. Automate certificate management – using the Automated Certificate Management Environment (ACME) protocol is a smart way to make sure your certificates are configured and implemented correctly, to save money and reduce risk. Our Certificate Service has ACME built in, and you can also find free tools such as Certbot.
3. Be prepared – when certificate management is sorted, it’s time to put your systems and networks to the test with simulated real-world cyber attacks. Penetration testing gives you the opportunity to evaluate and improve your set-up. It can make for a better night’s sleep and ensure that your organisation is compliant with relevant third party standards like the General Data Protection Regulation (GDPR), Cyber Essentials and various card payment processing protocols. We can do the penetration testing for you, and there are also other UK-based ethical hacking services you can try.
It’s easy to feel overwhelmed by stories about increasingly frequent and sophisticated security breaches but there are many simple, practical steps you can take to keep your organisation’s protection up to scratch and even save money and time when you do so. We’re here to provide information, expertise and support not just for education and research but for public sector organisations and non-profits too.
Find out how Jisc can improve your organisation’s data security and more.