Making Sure Your Business Is Cyber Smart

Being cyber smart, the theme of this year’s Cybersecurity Awareness Month, is not unachievable, but it certainly requires investment of both time and money. 

Every business and every individual has a role to play in keeping our data safe from the hands of hackers. We spoke to some cybersecurity experts to get some top tips on how and why we must work both together and with technology to ensure we keep the cyber criminals at bay. 

Where To Invest Your IT Budget 

There are three key areas that the experts we chatted with believe need to be revaluated. The first comes as no surprise: technology. That’s because “opportunistic cybercriminals continue to take advantage of the evolving digital environments that individuals, governments, and organisations have embraced,” according to Chris Huggett, SVP EMEA, Sungard Availability Services

Raymond Pompon, Director, F5 Labs, added that “web application exploits are the biggest cybersecurity risk facing organisations today. In fact, recent research has shown 56% of the biggest cybersecurity incidents over the past five years were related to web application security issues, constituting 42% of all financial losses recorded for these extreme events. The pandemic has also thrown significant challenges at our defences and now, as employees shift to hybrid working models, another layer of complexity is added to the mix.”

In light of this landscape, Huggett believes “Cybersecurity Awareness Month should act as a timely reminder to organisations, both big and small, to review their security processes. In their hunt for ‘big game’ enterprises, threat actors are holding third-party vendors hostage to reach their ultimate targets. Organisations need a holistic view of their entire infrastructure to make sure that every touch point is secure.”

This can, of course, be challenging at a time when businesses are doing their best to make a comeback from the pandemic, but Rob Treacey, Head of Security, Professional Services, EMEA at Rackspace Technology, says “organisations should be looking to spend between 15-20% of their budget on cybersecurity.” That’s compared to the “7-15% of their IT budgets [that is currently being spent] on cyber security.” Treacey advises that “the best way to decide what you spend is to figure out what percentage of your budget is proportionate to the information assets you are protecting. If a breach within your organisation would result in irreparable reputational damage, significant customer loss or regulatory non-compliance, then you probably require a healthy security budget to prevent any of those consequences from becoming a reality.”

One of the biggest priorities to review when deciding where to spend cybersecurity budget, according to David Higgins, EMEA Technical Director, CyberArk, are “innovations like machine learning, [which] are making organisations more cyber smart because they eliminate excess login requests.” He warned that “cyber criminals know [our] dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quickly, often via common methods like phishing and impersonation. That’s why 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.” 

Gareth Jehu, CTO, Com Laude believes that cyber security practices around domain names are another thing that can often be overlooked. He advises, “one of the first places to start is implementing an up-to-date TLS encryption protocol. This protects the confidentiality and integrity of data in transit and authenticates the parties that are exchanging information. Adopting a robust domain lock solution such as Registry or Super Lock can also provide protection by implementing a domain specific approval handshake for any modification to domain name settings such as name servers. An organisation should also manage its domain assets carefully, ensuring it has appropriate and active SSL certificate coverage. Mismanagement of these certificates can lead to erroneous expiration, opening the door to disruption of critical services”

Prioritising Training & Awareness

The second element to reviewing a business’ cyber practises comes down to its people. Mark Belgrove, Head of Cyber Consultancy, Exponential-e, told us that “most businesses, despite having access to advanced protections and the best threat intelligence on offer, remain vulnerable to one key factor: human error. It is a constant vulnerability that can never be fully eradicated. The remote working whirlwind brought on by the pandemic, and the use of corporate devices on less secure home networks, often for personal use, means human error has left organisations vulnerable to even more threats in the last 18 months too.”

The problem stems down to the fact that, “while most organisations want to increase security awareness among their employees, the stark reality is that many don’t know where to begin,” explained Erez Yalon, Head of Security Research at Checkmarx. He added that “fundamentally, implementing a shared cybersecurity responsibility boils down to two tactics; increasing awareness, and providing training. Without awareness, change can’t happen. It’s the first step in helping notice a problem exists, hasn’t been addressed, and that action is needed. Staff must be made aware of their security responsibilities and there needs to be concrete alignment across departments to create a comprehensive and cohesive security program. To further this, ongoing training programs must be implemented as a priority. Often, such training sessions can be tedious, and so organisations should conduct bitesize, interactive lessons, not extensive monotonous ones.”

Jonathan Smee, Information Security Consultant & Technical coach at Grayce, echoes this message, highlighting that “there is a widening skills gap in IT security, with research from Department for Digital, Culture, Media & Sport (DCMS) stating that two-thirds (64%) of cyber firms have faced problems with technical cyber security skills gaps, either among existing staff or among job applicants.” Smee believes “organisations should therefore look to provide continuous learning opportunities and adequate training to keep their employees up to date with the latest cyber threat trends.”

Putting The Focus On Your Software

The final element we must consider, according to Rick McElroy, principal cybersecurity strategist, VMware and Bill Mason, Senior Project Manager, Distributed, is the foundation on which most of our businesses are now built – software – and the people that build it. 

Mason explains that “with the mass transition to remote and hybrid working comes a growing reliance on software to keep us connected and productive, no matter where we’re working from. But as organisations continue to integrate new tools to future proof themselves, they need to consider the security implications. Businesses should be thinking about track and trace – but not as we know it. What this means in the context of distributed workforces is tracking any potential vulnerabilities that are incorporated into third party and open-source libraries when developing software, as well as scanning code and fixing all security issues that are identified to a requisite level.” He adds, “cybersecurity is complex, and one of the best pieces of advice I have received is to ensure that your developers are following appropriate standards. They exist for a reason. They make developers’ lives easier because they give them a framework for reference.”

In McElroy’s opinion, “a lack of common goals between security, IT and developers has long been an issue, one being exacerbated by the potential complexity of today’s multi-cloud, modern app world. Teams are working in silos, and this is having a detrimental impact on a business’ security and its ability to meet objectives.” He believes, one of the biggest problems is that “security is being considered a barrier to developers and IT. We need to move from this towards a scenario where security as a technology is thought of differently. It is there to support the brand, build trust, and optimise app delivery for developers. It’s there to eliminate the false choice between innovation vs. control. This culture shift will enable stronger collaboration between security, developer and IT teams.” 

Keeping Up With The Fast Paced Cyber World

Ultimately hackers will always be one step ahead – constantly coming up with new and innovative ways to disrupt the cyber world and get access to our data. The best we can do to keep up is put cybersecurity higher up the priority list and take note of the insights from experts like this. Only then will you have the best chance of winning the cyber war. 

Dark ReadIng:         DCMS:        F5 Labs:      Grayce:        Distributed

You Might Also Read:

Data Is Your Most Valuable Asset. How Are You Protecting Yours?:

 

« New Report: Average SIEM Deployment Is Over 6 Months
US Cyber Security ‘Kindergarten’ Compared To China »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

True Cybersecurity

True Cybersecurity

True Cybersecurity services include security audits, network and application security, managed security services and incident response.

Entersekt

Entersekt

Entersekt is an innovator in push-based authentication and app security.

TCPWave

TCPWave

TCPWave IPAM is the world’s first acclaimed DNS/DHCP management software to pass the most stringent Information security tests.

Sabasai

Sabasai

Sabasai specialises in all aspects of insider threat management from training and education to building security frameworks and insider threat programs to on-site risk & vulnerability assessments.

IoTsploit

IoTsploit

IoTsploit provides 20/20 visibility of network connections, protecting critical infrastructure assets from IoT vulnerabilities.

Elitecyber Group

Elitecyber Group

Elitecyber group is a team of Cyber Security recruitment experts who work for Cyber Security and Cyber Defence clients and candidates throughout Europe.

Cisco Networking Academy

Cisco Networking Academy

Cisco Networking Academy is the world's largest classroom, bringing technology education, 21st-century skills, and improved jobs prospects since 1997.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.