Making Sure Your Business Is Cyber Smart

Uploaded on 2021-10-22 in TECHNOLOGY--Resilience, FREE TO VIEW

Being cyber smart, the theme of this year’s Cybersecurity Awareness Month, is not unachievable, but it certainly requires investment of both time and money. 

Every business and every individual has a role to play in keeping our data safe from the hands of hackers. We spoke to some cybersecurity experts to get some top tips on how and why we must work both together and with technology to ensure we keep the cyber criminals at bay. 

Where To Invest Your IT Budget 

There are three key areas that the experts we chatted with believe need to be revaluated. The first comes as no surprise: technology. That’s because “opportunistic cybercriminals continue to take advantage of the evolving digital environments that individuals, governments, and organisations have embraced,” according to Chris Huggett, SVP EMEA, Sungard Availability Services

Raymond Pompon, Director, F5 Labs, added that “web application exploits are the biggest cybersecurity risk facing organisations today. In fact, recent research has shown 56% of the biggest cybersecurity incidents over the past five years were related to web application security issues, constituting 42% of all financial losses recorded for these extreme events. The pandemic has also thrown significant challenges at our defences and now, as employees shift to hybrid working models, another layer of complexity is added to the mix.”

In light of this landscape, Huggett believes “Cybersecurity Awareness Month should act as a timely reminder to organisations, both big and small, to review their security processes. In their hunt for ‘big game’ enterprises, threat actors are holding third-party vendors hostage to reach their ultimate targets. Organisations need a holistic view of their entire infrastructure to make sure that every touch point is secure.”

This can, of course, be challenging at a time when businesses are doing their best to make a comeback from the pandemic, but Rob Treacey, Head of Security, Professional Services, EMEA at Rackspace Technology, says “organisations should be looking to spend between 15-20% of their budget on cybersecurity.” That’s compared to the “7-15% of their IT budgets [that is currently being spent] on cyber security.” Treacey advises that “the best way to decide what you spend is to figure out what percentage of your budget is proportionate to the information assets you are protecting. If a breach within your organisation would result in irreparable reputational damage, significant customer loss or regulatory non-compliance, then you probably require a healthy security budget to prevent any of those consequences from becoming a reality.”

One of the biggest priorities to review when deciding where to spend cybersecurity budget, according to David Higgins, EMEA Technical Director, CyberArk, are “innovations like machine learning, [which] are making organisations more cyber smart because they eliminate excess login requests.” He warned that “cyber criminals know [our] dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quickly, often via common methods like phishing and impersonation. That’s why 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.” 

Gareth Jehu, CTO, Com Laude believes that cyber security practices around domain names are another thing that can often be overlooked. He advises, “one of the first places to start is implementing an up-to-date TLS encryption protocol. This protects the confidentiality and integrity of data in transit and authenticates the parties that are exchanging information. Adopting a robust domain lock solution such as Registry or Super Lock can also provide protection by implementing a domain specific approval handshake for any modification to domain name settings such as name servers. An organisation should also manage its domain assets carefully, ensuring it has appropriate and active SSL certificate coverage. Mismanagement of these certificates can lead to erroneous expiration, opening the door to disruption of critical services”

Prioritising Training & Awareness

The second element to reviewing a business’ cyber practises comes down to its people. Mark Belgrove, Head of Cyber Consultancy, Exponential-e, told us that “most businesses, despite having access to advanced protections and the best threat intelligence on offer, remain vulnerable to one key factor: human error. It is a constant vulnerability that can never be fully eradicated. The remote working whirlwind brought on by the pandemic, and the use of corporate devices on less secure home networks, often for personal use, means human error has left organisations vulnerable to even more threats in the last 18 months too.”

The problem stems down to the fact that, “while most organisations want to increase security awareness among their employees, the stark reality is that many don’t know where to begin,” explained Erez Yalon, Head of Security Research at Checkmarx. He added that “fundamentally, implementing a shared cybersecurity responsibility boils down to two tactics; increasing awareness, and providing training. Without awareness, change can’t happen. It’s the first step in helping notice a problem exists, hasn’t been addressed, and that action is needed. Staff must be made aware of their security responsibilities and there needs to be concrete alignment across departments to create a comprehensive and cohesive security program. To further this, ongoing training programs must be implemented as a priority. Often, such training sessions can be tedious, and so organisations should conduct bitesize, interactive lessons, not extensive monotonous ones.”

Jonathan Smee, Information Security Consultant & Technical coach at Grayce, echoes this message, highlighting that “there is a widening skills gap in IT security, with research from Department for Digital, Culture, Media & Sport (DCMS) stating that two-thirds (64%) of cyber firms have faced problems with technical cyber security skills gaps, either among existing staff or among job applicants.” Smee believes “organisations should therefore look to provide continuous learning opportunities and adequate training to keep their employees up to date with the latest cyber threat trends.”

Putting The Focus On Your Software

The final element we must consider, according to Rick McElroy, principal cybersecurity strategist, VMware and Bill Mason, Senior Project Manager, Distributed, is the foundation on which most of our businesses are now built – software – and the people that build it. 

Mason explains that “with the mass transition to remote and hybrid working comes a growing reliance on software to keep us connected and productive, no matter where we’re working from. But as organisations continue to integrate new tools to future proof themselves, they need to consider the security implications. Businesses should be thinking about track and trace – but not as we know it. What this means in the context of distributed workforces is tracking any potential vulnerabilities that are incorporated into third party and open-source libraries when developing software, as well as scanning code and fixing all security issues that are identified to a requisite level.” He adds, “cybersecurity is complex, and one of the best pieces of advice I have received is to ensure that your developers are following appropriate standards. They exist for a reason. They make developers’ lives easier because they give them a framework for reference.”

In McElroy’s opinion, “a lack of common goals between security, IT and developers has long been an issue, one being exacerbated by the potential complexity of today’s multi-cloud, modern app world. Teams are working in silos, and this is having a detrimental impact on a business’ security and its ability to meet objectives.” He believes, one of the biggest problems is that “security is being considered a barrier to developers and IT. We need to move from this towards a scenario where security as a technology is thought of differently. It is there to support the brand, build trust, and optimise app delivery for developers. It’s there to eliminate the false choice between innovation vs. control. This culture shift will enable stronger collaboration between security, developer and IT teams.” 

Keeping Up With The Fast Paced Cyber World

Ultimately hackers will always be one step ahead – constantly coming up with new and innovative ways to disrupt the cyber world and get access to our data. The best we can do to keep up is put cybersecurity higher up the priority list and take note of the insights from experts like this. Only then will you have the best chance of winning the cyber war. 

Dark ReadIng:         DCMS:        F5 Labs:      Grayce:        Distributed

You Might Also Read:

Data Is Your Most Valuable Asset. How Are You Protecting Yours?:

 

« New Report: Average SIEM Deployment Is Over 6 Months
US Cyber Security ‘Kindergarten’ Compared To China »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

EfficientIP

EfficientIP

EfficientIP helps organizations drive business efficiency through agile, secure and reliable network infrastructures.

Stott & May

Stott & May

Stott & May is a specialist cyber security recruitment agency.

Ionic Security

Ionic Security

Ionic provide a high-assurance data protection and control platform built on strong encryption, fine-grain control and contextual analytics.

ARC Advisory Group

ARC Advisory Group

ARC is a leading technology research and advisory firm with expertise in both information technologies (IT) and operational technologies (OT)

North American Electric Reliability Corporation (NERC)

North American Electric Reliability Corporation (NERC)

NERC is a not-for-profit international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America.

Entersekt

Entersekt

Entersekt is an innovator in push-based authentication and app security.

TAC Security

TAC Security

TAC Security is a leading and trusted cyber security consulting partner that specializes in securing the IT infrastructure and assets of enterprises.

Cyber Security Forum Initiative (CSFI)

Cyber Security Forum Initiative (CSFI)

CSFI is a non-profit organization with a mission to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training.

PrivacySavvy

PrivacySavvy

PrivacySavvy's mission is to provide you with all the information that you need to ensure that your internet privacy is intact, your devices are secure, and that any time you step online, you’re safe.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

DeNexus

DeNexus

DeNexus is the leading provider of cyber risk modeling for industrial networks. Our Mission is to build the Global Standard for Industrial Cyber Risk Quantification.

Citizen Lab - University of Toronto

Citizen Lab - University of Toronto

Citizen Lab focuses on research and development at the intersection of cyberspace, global security & human rights.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

Fullstack Academy

Fullstack Academy

A trailblazer in bootcamp education, Fullstack Academy prepares students for fulfilling careers in tech through our NYC campus, online learning, and university partnerships.

Nexer

Nexer

Nexer is a modern tech company with expertise in strategy, technology and communication with a strong vision.