There is no “one size fits all” when it comes to cybersecurity.
Over the last six months, we have seen an escalation in the number of reported cyberattacks, in their range, sophistication and in their long-lasting impact on businesses such as the Colonial Pipeline attack, and SolarWinds to name just two. These events obviously highlight the importance of having an effective cybersecurity strategy per organization, because even if an organization undergoes such an attack, there should be company processes in place to mitigate the severity of the consequences. To do that, companies must monitor and be aware of the main existing security risks and effectively respond to these types of incidents as they occur.
Still, each organization is different in its make-up, business needs, productivity measurements and workflows. Each organization has different network architectures and software. There is no “one size fits all” when it comes to cyber security.
CISOs and security teams are usually aware that they need to identify the cyber risks most likely to affect their own business’ smooth running and build a security infrastructure aligned with the company’s risk tolerance level. But that is easier said than done.
Even now, with everything that has occurred, many enterprises do not prioritize personnel and budgets for this purpose, often leaving the CIO or CISO and her/his team to “fend” for themselves. Without the appropriate resources and without full company involvement and support, that is a very tall order.
In addition to organizational support, with the plethora of different approaches and tools, identifying the optimal security path requires adopting proactive and scalable methods and the ability to prioritize the different types of cyber threats.
Whether you obsess about cybersecurity every day or you are completely new to the process, there are certain things that you should consider to make your company’s cybersecurity strategy successful. In this post, we’ll reveal five elements you should include in your strategy, regardless of whether you are the sole proprietor of a brand new business or looking to transform the security posture of a large, well-established organization.
-
- Understand the difference between compliance and security. In any instance where your company collects personal information or data as part of your relationship with your customers or vendors, you have an ethical if not legal obligation to be a responsible steward of that data. It is not enough to say “we won’t share your personal information” or be able to produce required audit reports if asked, because that’s not really security. The first step to creating a security strategy is knowing what data you collect, where it’s stored, who has access to it, and why. This enables you to establish what is “normal” data use for your organization and makes it much easier to see when someone is trying to steal it.
- Make data security everyone’s responsibility. Forrester Research recently reported that 80% of security breaches involve privileged credentials. That means an insider either unwittingly or with malicious intent exposed their credentials, and likely sensitive personal data, to a cyber-criminal. Another pillar of a cybersecurity strategy should be educating employees on the fundamentals of how to proactively limit exposing their credentials. This can be as simple as asking people to log out of sensitive databases when finished with them or helping them identify a likely phishing attack. An organization like the National Cyber Security Alliance offers great resources to get you started. It’s also important to consider data access control issues. With the right technology, organizations can apply role-based user privilege access control rules to align individuals’ privilege levels with the actual requirements of their job function. Not just once, but on a continuous basis.
- Account for the roles of your cloud vendors and ISPs. Organizations large and small share sensitive data with cloud-native architectures for a myriad of reasons. AWS’ very useful Shared Responsibility Model explains very well that cloud vendors provide secure architectures in which their customers can store data, but it’s the customer’s responsibility to apply their security policy to the data. This detail seems to be lost on the vast majority of organizations. Gartner reports that at least 95% of cloud security failures until 2022 are predicted to be the customer’s fault. Part of your security strategy should be working with all your cloud-native vendors to ensure that their environments are configured to enable full visibility into your data so you can apply your security policy to them. Many retail and services organizations use ISPs to host their websites. They depend on their ISPs to keep their websites up and running regardless of traffic levels. If your website were ever subject to a Distributed Denial of Service (DDoS) attack, an incident whose sole purpose is to make your website and servers unavailable to legitimate users, you could be facing an existential threat. In many instances, to ensure the other websites they host are not subject to diminished performance, an ISP will simply shut down a website under a DDoS attack until it stops. Part of your security strategy needs to account for DDoS attacks and have a solution in place to disperse illegitimate web traffic without shutting down your website and ensure real customer traffic reaches your organization.
- Have a plan for if you are breached. In spite of best efforts, breaches happen and your data security strategy needs to account for what happens next. You should have a disaster recovery plan in place to secure your network, prevent further damage and identify the breach source as well as inform stakeholders and law enforcement. The plan should turn the incident into a positive by ensuring knowledge gleaned during the breach is internalized so it can be used to prevent future incidents.
While these elements are essential, they are not all you need. We strongly recommend working with cybersecurity experts to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.
Today’s hyperconnected and decentralized workforce maneuvers within dynamic network architectures and programs that have moved to the edge and the cloud. Therefore any effective cyber defense strategy must start with open communication between the CIO/CISO, security teams, and company executives.
This open line of communication is especially important since 2020. With the increased number of employees working remotely, security officers face the added challenge of providing remote workers with additional layers of security, as the organization is more exposed to cybercriminals. They are also tasked with improving the monitoring ability of workers with access to sensitive information to prevent internal breaches.
Integrating business operations with security personnel helps employees understand security better. It also allows cybersecurity professionals to consider the organization’s business strategy and priorities, while establishing cyber security policies and managing cyber risk solutions and monitoring.
Additionally, establishing the following core security principles and policies empowers the CIO/CISO to focus both on individual applications and the broader company infrastructure.
While CISOs are tasked with keeping an eye on cybersecurity threats, identifying key vulnerabilities and coming up with defensive and risk mitigation solutions, the organization’s management should be actively involved in improving the company’s cyber-resilience.
Sources:
(1) Security Boulevard
(2) CIO.com
(3) The World Economic Forum
Picture: <a href=’https://www.freepik.es/fotos/negocios’>Foto de Negocios creado por rawpixel.com – www.freepik.es</a>