Over the past six months, the business environment has changed dramatically. Digital transformation has accelerated, remote working has become the norm, and organizations are migrating to cloud services more quickly than anticipated. All of these changes are intended to minimize disruption to business continuity during the COVID-19 pandemic. Yet these seemingly positive technological shifts have also expanded the attack surface, and the current cyber landscape is more volatile and more exposed, both to determined external adversaries and to mistakes by internal employees coping with new ways of working.
To counter the mounting threats, businesses need to ensure that in-house security staff are kept up to date on the latest trends and threats. But how can this be achieved effectively without significantly impacting a static security budget?
Ask the right questions
Security needs to be a business imperative and should be woven into the fabric of all business decisions, whether that is regarding digital risk, business continuity or business adaptability.
To begin with, businesses should review their current state of cybersecurity to understand where there may be red flags or glaring gaps. Be honest and ask the difficult questions. Does good cybersecurity hygiene exist in your organization? Is the company doing enough to raise security awareness? Are adequate protections in place to allow employees to work remotely? Is the cloud infrastructure continuously monitored and properly secured? Do all endpoints, including dedicated IoT devices, have security controls in place? Do we have defenses to help mitigate DDoS and other network-based attacks? Are we confident that we understand the business's attack surface? And, most importantly, is security deeply embedded in the company's culture?
It is important for organizations to drive operational efficiency into security practices, but making this happen can be difficult, depending on business objectives. For instance, scaling initiatives such as cloud, digital or mobility transformation quickly takes preparation, collaboration, and vision. Cooperation is required between security, IT personnel, and the lines of business. This is especially necessary in larger enterprises, where there are more processes and factors to take into consideration. If this cooperation is achieved efficiently and without needless complexity, the overall cost of protecting systems can be kept to a minimum.
Bring in help where necessary
Having an outside perspective can be advantageous in addressing the essentials of security and the gaps in the overall environment. Through consultations, security personnel can gain a truer grasp of the threats they face and of the organization's overall security posture. The same applies to security training: hiring an external third party to provide it can be a positive step. Such a service often brings a fresh perspective and is obliged to raise any concerns it finds. This collective knowledge and the best practices that result from it allow a third party to guide an enterprise on how to train, when to train, how to reward good behavior, how to discourage risky behavior, and how to embed security in the culture rather than ticking a governance box.
But should this training be face-to-face and classroom-based, or online? Given the current pandemic, where people are rightly cautious and adhering to social distancing measures, there is a strong case for carrying training out online. Let us not forget that everyone learns differently, so every business must understand its workforce and judge what will work best. Either way, the training must be engaging, interactive and enjoyable while reinforcing the security message.
Still, security training is just one piece of the wider security puzzle. It should be an integral part of any organization's security culture, not merely conducted to satisfy a requirement; treating it as a checkbox will only lead to failure. A security-first mindset should be expected of all employees, starting with the boardroom. By leading by example, CISOs set the tone from the top. It is advantageous to tie security to business objectives and outcomes and to create a shared-responsibility model so that employees take security more seriously. By making each individual realize the importance of being cyber aware and the positive impact this has, you help protect the business.
Get involved locally
Since the cybersecurity community thrives on collaboration, encourage your security staff to attend cybersecurity events, conferences, and forums to widen their education and their view of the field. Networking with peers and other security leaders will also provide valuable insight. But do not limit who from your organization attends such events: security has moved beyond being a technical issue tended to by a specific team and is now the responsibility of the entire company. Just as employees take care to protect physical assets such as the office, the building, and company-issued equipment, they should carry that mindset over to defending digital assets.
There is also great demand for people with an inquisitive mind, so having professionals within your organization who want to be more vigilant, aware, and up to date with the latest trends is important. Cybersecurity is part of our zeitgeist: in general, people are curious about how cyber-attacks work, what kind of information is targeted, and how to stay aware. Promoting self-training can therefore play a significant role in keeping a security team in the know. While the human factor is vital in a security program, the role of technology cannot be denied. Machine learning, AI-based analytics and threat simulators are commonly used to keep teams sharp and to surface attack patterns that give modern threat hunters valuable insight.
Having an unprepared workforce can be just as dangerous as having inadequate security technology, and if the arrival of COVID-19 has taught businesses anything, it is that cybersecurity needs to be proactive, whether for the business, the cloud or the network. While it may seem obvious, following proper cybersecurity practices will go a long way toward protecting your digital organization. To get the most out of this, arm the security, IT and network teams with the tools they need to ensure that these practices are followed throughout the organization. Ultimately, a security program can only ever be as good as its personnel and its overall cybersecurity culture. Remember, humans are the weakest link in the cybersecurity chain.