Following the news that the Houses of Parliament had been hit by a cyberattack, compromising the email accounts of MPs, cybersecurity expert Ravi Pather, senior VP of eperi GmbH, believes enterprises need to implement multiple levels of IT and data security, saying: "We have to assume that hackers will be successful - if not today, then tomorrow or the next day. The real question therefore is: are these Houses of Parliament systems - including email applications - protecting sensitive data from within? After all, this is what hackers are after.
"A 'sustained and determined' cyber-attack by hackers means that hackers have some access to username and password credentials and will use these to attempt to access IT systems and emails – a bit like hackers trying to break into your front door by picking the locks. It's been separately reported that UK MPs' user credentials were on sale on Russian criminal websites, suggesting these may have been obtained previously.
"IT security of yesteryear was focused on implementing security systems such as 'two-factor authentication' and 'access and identity management' systems to prevent this type of attack – akin to making sure the front door and its locks had good security to prevent entry.
"In a modern IT architecture, companies need multiple levels of both IT security and data security. They have to assume that not only can attackers come through the front door, they can also access data via other points of entry.
"In other words, what if the attackers do gain entry by breaking in via user passwords? Will they have easy, open access to the data in email and other systems that contain sensitive data such as HR, expenses, accounts and sensitive parliamentary data?
"The focus therefore becomes more about where the email systems are storing this data. Is it an on-premises email system, or a cloud-based mail system where this email may be stored on a cloud-based service? Is this data encrypted throughout its entire lifecycle?
"Furthermore, let's not believe mere 'data at rest' encryption systems are enough. Though it's a start, we have to protect this sensitive data through its entire lifecycle: 'data in motion', 'data in use' and 'data at rest'.
"We just hope that the Houses of Parliament have this next level of more advanced data protection systems installed as well. If not, then there may be a very serious issue of gaining access to email and other systems that use and store sensitive data."