These are the most vital issues to consider if you want to ensure your organisation is protected from breaches, according to five cybersecurity professionals.
No business wants to suffer a cyberattack, particularly not one large enough to attract headlines, compounding the reputational damage these kinds of events generally cause on top of any operational or financial implications. Yet with threat actors coming in from all sides, how do you ensure your company and employees are not vulnerable?
Here, a number of cybersecurity professionals give their take on the most essential elements of good enterprise security culture.
The threat of human error
Graham Marcroft is the operations and compliance director at Hyve Managed Hosting. For him, the greatest threat to an organisation’s cybersecurity is, without fail, human error. “This is often down to a lack of appropriate training and education for people who work in businesses that become victim to cyberattacks as a result,” he says.
“Forget dreary seminars and PowerPoint presentations – instead, give practical and accessible advice about how to recognise cyberattacks and prevent them. This could be driven by fun competitions, ethical hacking initiatives or simply by focusing on the individual’s vital and ongoing role in cybersecurity.
“Just by understanding phishing attacks, encouraging safe password management and safeguarding sensitive information, employees will be well-informed to make decisions about potential security hazards.”
The power of social engineering
Part of the reason human error can be such a serious pitfall for organisations is that social engineering attacks have become incredibly sophisticated.
Steve Wainwright, EMEA managing director of Skillsoft, describes them as a “go-to method” for hackers. “[Social engineering attacks] rely on unwitting, unsuspecting and, at times, careless employees. Hackers use information gained on social media or the dark web to build a profile of a person, and then pose as someone they might know via email.
“The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks.”
The importance of the IT team
However, responsibility for preventing attacks is not solely down to employees being hawkish when opening attachments. A company needs to ensure its IT team is constantly testing infrastructure in order to quickly identify vulnerabilities, as Steve Nice, security chief technologist at Node4, explains.
“It’s the responsibility of the IT team to ensure that the business’s security is up to speed, and so a vulnerability testing programme can help the team understand where the weaknesses are and support these areas. This means that valuable time – and money – can be saved from being spent on unnecessary security infrastructures before knowing where the holes in the defence really lie.”
The unique challenges of cloud
Cloud technology has become a darling of the digital transformation world, promising to exponentially increase an organisation’s efficiency and help shepherd businesses into the technological future. Michael Scheffler, acting EMEA vice-president of Bitglass, feels that though cloud isn’t inherently less secure than traditional ways of storing data, it brings its own unique considerations.
“Allowing data to move beyond the traditional network perimeter can cause concern for many executives – if not properly secured, it can leave an enterprise vulnerable to data leakage, malware, unauthorised data access and regulatory non-compliance.
“As adoption of cloud-based applications and services continues to grow throughout the business world, organisations need specialised security technology that is capable of protecting sensitive data wherever it is stored or accessed.
“The enterprise needs end-to-end security across all devices, locations and users, as well as complete visibility throughout, and cloud access security brokers are designed to meet this very challenge.”
Is cybersecurity a ‘necessary evil’?
Paul Rose, chief information security officer at cloud-led managed service provider Six Degrees, questions whether there is a serious enough culture of cybersecurity in workplaces. Despite how potentially damaging a hack can be to all elements of a business, C-suite leaders may hesitate to devote much of their energy to it.
“The organisations I speak to are all too aware of the risks they face, whether from rogue internal operators, ever more sophisticated email attacks, ransomware, or any number of other threat vectors that could – if exploited – result in serious financial, operational and reputational damage,” Rose explains.
“The threats are known, documented and evidenced, but the fact remains that even mentioning the word ‘cybersecurity’ in the boardroom can elicit eye rolls, shuffling in seats and muttered excuses to leave.
“Cybersecurity is viewed as a necessary evil, a distraction, something for the IT department to worry about. These outdated attitudes need to change.”