Three steps to good security hygiene

Organisations need to harmonise people and technology, not focus on one or the other

There is no hiding from the fact that the world has seen a sharp surge in the number of cyber attacks over the two years since the onset of the global pandemic. For example, Orange Cyberdefense's 2022 Security Navigator report shows a 61 per cent increase in the number of security incidents handled in 2021 compared with the previous year. And yet, even though an increasing number of these breaches can be traced back to human error, more still needs to be done to address the human element of cyber security.

A recent example of where such failings led to a breach is the Colonial Pipeline cyber attack of May 2021. It resulted in the company shutting down its IT systems and halting critical pipeline operations in the US after more than 100 gigabytes of data were stolen from its networks. Following investigations, security experts found that the attackers gained access to the company's network infrastructure through a single compromised password for a VPN account that had no multi-factor authentication enabled. While it is not clear how this password was obtained, stolen or weak user credentials are a common method of entry for cyber criminals, and a single factor is all that stands between a leaked password and an internal network when MFA is absent.

This attack is a prime example of how organisational infrastructure remains highly vulnerable to human error, driving home the fact that organisations must put the necessary measures in place to mitigate that risk. Failure to take the human element of cyber security seriously can be devastating when organisations fall foul of malicious actors.

Aligning business and security goals

In light of the current security landscape, cyber security measures that protect against the human element should no longer be treated as an expensive insurance policy that companies only buy after they have been attacked. A comprehensive, clearly defined security strategy should be valued for the benefits it brings to the business.

Not only will such a strategy help organisations prevent attackers from installing malware or ransomware on their network infrastructure, it will also allow the company's hardware and software to run with less exposure to compromise and less downtime, which in turn lets employees work more productively. This should encourage and accelerate the evolution of the security leadership and business decisions that govern cyber security.

The good news? Organisations are increasingly tuned in to the need to educate employees and increase awareness of the potential unwitting risk they pose to security. At the same time, businesses are taking advantage of the rapidly evolving security technologies that are now readily available to better protect themselves against external threats.

User awareness and security have long been top priorities for security teams. However, the Covid-19 pandemic provided a 'compelling event' that led organisations to invest in significant changes around both security awareness and technology. The rise of mass home-working means that traditional perimeter-based approaches can no longer be relied upon to protect remote employees, creating greater exposure that threat actors can take advantage of.

Hence the growing interest in making security awareness part of company policy and in deploying technology to enable secure employee access regardless of location, rather than the traditional focus on a secure workplace.

Achieving good security hygiene

To ensure that both the human and technological aspects of security are covered sufficiently, organisations need to take a blended approach to cyber security. Digital technology coexists with humans and should therefore play an integral role in the organisation's cyber defences. This blended approach can be achieved in three ways and, by taking these steps, organisations can encourage and accelerate the evolution of security leadership.

Firstly, organisations need to supplement their security expertise. Business leaders must enlist specialist support to develop, implement and manage security strategy and risk. This could include a qualified, professional, as-a-service delivery model. Enlisting a managed security service provider (MSSP) has become an increasingly popular strategy among organisations, as it gives them access to greater security expertise and allows them to outsource certain tasks, saving time and money and enabling employees to focus on the organisation's core competencies. This is proving particularly popular for functional roles such as a compliance officer, or even a CISO.

Secondly, organisations need to magnify their impact on security by augmenting their security resources and capabilities, reducing the (often unnecessary) burden placed upon security professionals. Augmenting in-house security teams frees up skilled analysts' time to focus on higher-value and more critical tasks. Security leadership should also bolster those teams with state-of-the-art tools, ensuring they have the resources to carry out their jobs more effectively.

Finally, security leaders must transition from positioning themselves as technologists to becoming business leaders. The role of a leader is to set a vision and purpose for the organisation to follow, but a company incentivised only by profit will ultimately fall short when faced with an existential security threat. Security leaders therefore need to be the driving force behind a business's overarching approach to cyber security strategy.

This, however, doesn't mean companies need to realign their priorities completely. The journey towards security practitioners becoming recognised as business leaders is eased by identifying and emphasising examples of how security measures align with key business challenges, goals and outcomes. A significant part of this endeavour involves engaging decision-makers and the board by positioning security concerns in the language of business, incorporating terms such as risk, cost, compliance and digital transformation.

More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer optional. It is imperative in order to safeguard the organisation from cyber attacks that are becoming both more frequent and more demanding. Organisations cannot rely on technology alone to create a robust security posture. After all, whilst technology is at the core of cyber attacks, these incidents are instigated and responded to by humans, so the human factor must be central to these decisions.

Dominic Trott is UK product manager at Orange Cyberdefense