This is a fitting time to reflect on another year of working with clients to help them protect their organisations from IT security threats.
The world of cyber security never stands still so it’s important to look at what we’ve learned – and how this can be incorporated into the months ahead.
Everyone’s opinion is important, and feedback comes from across Turnkey; these are the key thoughts on 2022 from some of our consultants.
Remember the basics
One of the simplest ways to protect against cyber attacks is to be rigorous about following basic good practice. This includes steps such as running up-to-date software and operating systems and using antivirus software.
It also involves ensuring everyone in the organisation is clear about their responsibilities, so that they use strong unique passwords, know not to open unexpected email attachments (potentially infected with malware) from unknown sources, don’t click on unfamiliar websites, report security incidents, and avoid using insecure Wi-Fi networks, for example. (More on “the human firewall” and managing the human risk later.)
Robust security measures are hard to introduce and enforce if an organisation doesn’t have a comprehensive understanding of its assets; these include employees and intellectual property, as well as software, systems and networks. Identifying these assets and documenting them in an asset register (that is then regularly maintained and updated) is a key first step to understanding what potential threats and vulnerabilities could put the organisation at risk.
Document internal processes
As well as documenting assets, it is important for companies to build up and document their own internal processes as they are developed or implemented. Failure to understand what processes are in place and how they function can result in a more complex and expensive cyber security solution being required further down the line if the one implemented does not meet the requirements of any undocumented processes which suddenly surface.
Secure by design is a commonly used term in the development of software, and the principle of building in security from the ground up should also be applied to internal processes to combat the risks of fraud or other regulatory or legislative concerns in addition to security.
The ultimate responsibility for the activity should rest with business process owners, but the practice also needs to be encouraged among everyone involved in each specific process to ensure the overall picture is as complete and accurate as possible. For example, an incorrect process flow diagram could lead to the wrong access being granted to an employee, and this may not be identified in a security review if the initial documentation used to determine the access is inaccurate.
Protect the cloud
The current business technology world relies heavily on the cloud as a data storage platform, making it essential that this virtual environment is securely protected. Cloud security encompasses the technology, protocols and best practises required to protect cloud computing environments, cloud applications and cloud data.
As with assets and internal processes, understanding what is being secured, as well as the system aspects that must be managed, is a key first step. Many organisations still believe that because their data is hosted or managed by a third party, they no longer need to consider the risk. The reality, however, is that they are still accountable for the risk, but it needs to be managed in a different way.
Key processes for managing security, such as handling security vulnerabilities, is largely in the hands of cloud service providers and, as a result, visibility might be limited. It is critical to select a supplier with a proven track record for cloud security and have a framework in place to check compliance. Organisations should also ensure that there are appropriate contractual agreements in place to get the visibility they need to confirm that their data and processes are secure.
Invest in security training
Many of the major data breaches and scams in 2022 have one thing in common – they started through someone falling into a phishing email, smishing or vishing trap.
Traditionally, hackers have focused on breaking through firewalls. Today, however, much of their time is invested in social engineering that will help them to gain the access to the data they want with the “help” of an organisation’s users. There is no substitute for investment in IT security – but this must be reinforced with awareness training with the aim of building a human firewall that can also protect the organisation through its actions.
This training needs to go far beyond being a compliance tick box – it should be considered a core area of an organisation’s cyber security roadmap. Each level of user throughout the enterprise needs to be catered for with content that is appropriate, and training should be reinforced with simulated attacks to assess learning and knowledge gaps, as well as teach people how to respond. Understanding how to change the behaviours of employees, third parties and, in some cases, customers, is critical to making this change.
Cyber criminals continue to evolve their game, making it essential that developing a human firewall is an ongoing and consistent process.
Encourage all users to take responsibility
Even with awareness training, users don’t necessarily think about security in the same way as IT security professionals. It’s not their role to be aware of vulnerabilities and threats, and they may often find security controls a hindrance to their day-to-day business activities. From Post-it notes putting passwords on display to the avoidance of an extended security process via shadow IT, there are many ways in which controls can be circumvented by people trying to do their job efficiently, which presents a threat to the wider company.
Operating a zero-trust policy, introducing multifactor authentication, and ensuring that security/phishing training is part of the onboarding process are just a few ways to strengthen the human firewall.
Everyone has some responsibility for cyber security on a personal and organisational basis. Communication and training need to make this clear, while practices should make it easy to protect data and systems.