Organizations that aim to pull ahead of the competition need to develop a strong security culture from top to bottom
From headline-grabbing stories of ransomware to personal experiences of identity theft, cybersecurity is increasingly finding its way into the collective consciousness. During the pandemic, an escalation in threat levels also reminded IT and business leaders what’s at stake. Now that we’re gradually entering a new era of hybrid work, it’s vital that teams go a stage further and embed security into every aspect of an organization. Too often, it’s still treated as something of an afterthought. There are also worrying signs that younger staff members in particular are resistant to anything that impacts their productivity.
That’s why one of the key themes during this year’s Cybersecurity Awareness Month is “Cybersecurity First.” It’s a simple idea, but one that may take some effort to operationalize. Security must be built-in rather than bolted-on – but not necessarily at the expense of business growth and innovation.
When employees rebel
We all know what happened during the pandemic. With mass remote work and digital transformation came an expanded corporate attack surface, and new gaps in protection that were ruthlessly exploited by threat actors. They hit unpatched Virtual Private Network (VPN) services and Exchange servers, hijacked Remote Desktop Protocol (RDP) endpoints protected by weak or breached passwords, targeted misconfigured cloud systems, and much more. In this context, driving a secure-by-design culture would do much to eliminate the gaps so frequently exploited by attackers.
Yet there is resistance. In new research, three-quarters (76 percent) of global IT leaders admit that security took a backseat to business continuity during the pandemic. That may have been justifiable at the time, but not now that operational risk is receding. Yet younger workers appear to be ignorant of policies, apathetic towards security in general, and increasingly frustrated at having their productivity “restricted.” Almost half (48 percent) of those aged 18-24 years old claimed security tools were a hindrance, and nearly a third (31 percent) said they’d tried to circumvent corporate policies to get work done.
Cybersecurity First will, therefore, require careful planning and execution to avoid a user backlash.
When security is an afterthought
There must be progress, because bolted-on security is failing organizations everywhere. A classic example is in the world of DevOps, where processes are geared towards time-to-value rather than risk mitigation. The result is often software that’s shipped with vulnerabilities which end up being exploited in attacks. One recent study claims that upstream attacks, in which threat actors inject new vulnerabilities into open source code, surged 650% year-on-year.
The costs of patching, plus the reputational damage that comes attached to a serious incident, can far exceed those associated with building better security into the CI/CD pipeline. There are many more examples. Just consider the huge financial and reputational fallout from the 2017 Equifax breach, said to have affected nearly half of all US adults. It could have been prevented by prompt patching. Or the 2019 Capital One breach that hit 100 million consumer credit applicants. Closer monitoring for cloud misconfigurations may have saved the bank’s blushes.
We need to get cybersecurity to the point that safety has now reached in the car industry. In this sector, safety teams are closely involved in the design and rollout of virtually every new feature in vehicles. It’s why we now have high-performance braking, shatter-resistant windshields, roll bars, air bags and many other technology innovations as standard in most cars today. And the operators of these vehicles are trained and tested to use them in a safe and compliant manner. Cybersecurity must be the same.
Putting security first
Secure-by-design is a key principle of the GDPR, widely regarded as a standard-setter in global privacy regulation. Building in rather than bolting on also just makes sense, from a risk mitigation and a cost perspective. So what does it look like in practice? Here are some suggestions:
- Data minimization and encryption everywhere can help to reduce data security risks and information exposure
- Continuous IT asset management and control across the entire environment will help you understand what you have, and then protect it
- Regular staff training and awareness sessions can turn a weak link in the security chain into a formidable first line of defense, and help create a culture of security first
- Close consultation with users will ensure that when policies are redesigned for the hybrid workforce, they’re done in a way that minimizes disruption to staff
- A focus on access management, following the principle of least privilege and featuring two-factor authentication by default, could prevent 90 percent of attacks
- Automated, risk-based patching programs can drive major improvements in cyber hygiene to reduce the size of the corporate attack surface
- Logging, monitoring and detection and response are also critical to finding and mitigating any breaking attacks across the environment
- Continuous monitoring and vetting of the supply chain will also help to proactively address a major source of cyber risk
- A Zero Trust security strategy is an increasingly popular way to head off risk through continuous authentication and other controls
The bottom line is that Cybersecurity First is all about turning security from a reactive to a proactive stance. And if you’re struggling to find the budget to undertake lasting change, remember to position it as an enabler. Brakes aren’t there only to slow down the vehicle, but also to ensure it can safely travel faster. That’s why secure-by-design organizations innovate faster, and ultimately pull ahead of their rivals. They have the confidence to drive ambitious digital transformation projects, because they’re built on a secure foundation.