The cyber threat landscape is constantly evolving, CISOs are overworked and, ironically, cyber attacks are more successful than ever before. So how can you ensure your organisation is safe from the cyber threat?
It is a monumental challenge, but an entirely necessary one. Security failings will not only lead to significant fines under an increasing volume of regulation and laws; trust in a product or company will evaporate, customers will leave and profits will fall.
With increased media attention surrounding those companies that fail in their cyber security duties, maintaining customer trust will help define business success or failure. And this trust is built by ensuring your organisation is safe from the cyber threat.
Below, three experts provide their advice on how organisations can do this.
Visibility and awareness
“As Muhammad Ali put it, ‘the hands can’t hit what the eyes can’t see’ — when it comes to protecting your organisation from cyber threats, visibility and awareness are key; starting from the basics of knowing what systems and software your organisation has to protect,” explains Andy Ash, head of Operations at Netacea.
“There are many security frameworks that businesses can adopt, but compliance does not equal security. Security is a journey not a destination and businesses must constantly evolve with the threat landscape.
“For example, one of the biggest challenges is a lack of visibility into website traffic. Not being able to differentiate between real users and malicious bots trying to impersonate real users means constantly trying to catch up with fraud and data breaches rather than getting ahead of them,” he continues.
Zero trust
Alex Hinchliffe, threat intelligence analyst at Unit 42 (Palo Alto Networks) believes that “radical steps like the zero trust model must be considered — something that designs out the risks to the most significant degree.
“Zero trust has a very simple premise: eliminate the concept of ‘trust’ from your network. It means that no communication, system, user or machine can access any part of a network without inspection and validation.”
He adds: “Ongoing reviews and reduction of the attack surfaces reduce the chance of exploitation by threat actors. Increasingly this must extend to new computing architectures like cloud containers, as well as IoT devices now entering the business environment.
“Managing an effective security posture to keep your organisation safe can risk putting security teams under huge pressure. Too many teams simply have too many tools to coordinate, inhibiting their response to a threat. Consolidating and integrating tools and processes needs to be embraced, as does greater automation that reduces manual intervention and ensures attacks are prevented swiftly.”
A holistic approach
Referring to the last point from Hinchliffe, in order to manage an effective security posture, “senior IT management must have a holistic approach to cyber security,” according to Professor Kevin Curran, senior IEEE member and professor of cyber security at Ulster University.
He says: “This must be an organisation-wide undertaking, along with understanding the legal and regulatory implications of cyber risks as they relate to their company’s specific circumstances. This includes identifying which risks to avoid, accept or mitigate, as well as developing specific plans for each case and communicating this to senior management.”
Cyber security training
Human error was to blame for nine in 10 UK cyber data breaches last year, according to analysis of data from the UK’s Information Commissioner’s Office (ICO) by the cyber security awareness and data analytics company, CybSafe.
Cyber security training for staff is paramount, because people are the weakest link in security — intentionally or otherwise.
“It is, therefore, important to ensure all employees are well trained on aspects of cyber security best practice — such as phishing and data sharing practices, keeping software updated, unique strong passwords, enabling two-factor authentication etcetera,” continues Curran.
“The first line of defence for organisations is to simply educate employees about the dangers of clicking on links. However, it’s likely that only a fraction will listen — in general, it takes people to make a mistake before they learn.
“There is a new movement in some places, where security teams send phishing emails containing fake malware to their employees, which when activated simply lead them to a website informing them of their mistake and educating them on the dangers of what they did. In short, employee education is crucial.”
Cyber security by design
The final piece of advice when it comes to ensuring your organisation is safe from the cyber threat surrounds the concept of a cyber security by design framework.
“Introducing a cyber security by design framework into a company provides it with a holistic set of pragmatic guidelines, which can enable an organisation to more completely consider the full remit of protection and processes which should be in place to cope with the ever present cyber threat,” advises Curran.
“Cyber security by design provides a number of core principles, but ultimately, it enables organisations to be more proactive to cyber threats by making compromise detection. Organisations can collect all relevant security events and logs, design simple communication flows between components, detect malware command and control communications, make it difficult for attackers to detect security rules through external testing and simply react to the abnormal traffic more quickly.”
In conclusion, Curran says: “All aspects relating to the protection of data must be considered. This includes examining the security of physical locations and employee access, data storage, data backups, network security, compliance and recovery procedures and all IoT devices. It can be easy to neglect software but this also needs to be audited, and a security architecture survey should follow. This should form part of a larger threat modelling/architecture risk analysis of an organisation’s infrastructure.”