As 2020 comes to an end, we’re looking ahead to how we can strengthen security measures in the new year with some advice from the experts.
I think it’s safe to say that 2020 is a difficult year to sum up. In fact, even the team of expert lexicographers who usually determine the annual Oxford Languages Word of the Year couldn’t pick just one term.
However, if I had to go with a single word to sum it up, which is also a word I never want to hear again, it would be unprecedented.
An unprecedented pandemic led to an unprecedented new way of working, an unprecedented focus on the scientific and research community, an unprecedented mass movement towards e-commerce and, from an enterprise and infosec point of view, an unprecedented rise in cyberattacks.
As we put 2020 behind us, the security challenges this year’s events have created will seep into 2021 and business leaders and infosec professionals alike will need to ensure they keep their data secure.
Luckily, our weekly CIO interviewees this year have given us a treasure trove of security tips hinged on the trends they see coming down the line. Here are some of their nuggets of advice to help you stay secure in 2021.
1. Stick to industry standards
Pierre-Alain Bouchard said it’s really important that companies stick to security industry standards. “Trying to build your own security is only likely to lead to complications down the line,” he said.
“Security and data protection regulations like FedRAMP and GDPR are opportunities to build and offer a best-in-class solution. In making sure that this is part of your company’s foundation, you can continue to build on it over time and keep it up to date.”
2. Avoid email where possible
Perhaps unsurprisingly, Larkin Ryder, director of product security at messaging software company Slack, said one of the best ways of protecting data is by avoiding email.
“With email being an open protocol, it’s more difficult for individuals to validate who they’re working with and, as a result, data may get into the hands of bad actors. To tackle this and better protect data, I strongly believe that businesses need to use a shared collaboration environment wherever they can.”
3. Shift to a zero-trust model
Boston Consulting Group’s Matthew Leybold said many of his company’s clients are looking to move away from perimeter-based security to next-gen solutions such as zero-trust models and DevSecOps.
“Successful adoption of zero trust and DevSecOps allows for end-to-end security of a multi-environment ecosystem that expands outside the traditional data centre and automates the accreditation, audit and delivery pipeline for getting new capabilities to customers, business partners and operators,” he said.
4. Adopt the principle of least privilege
Yan Zhu, chief information security officer at Brave Software, said companies need to think about data from the principle of least privilege. “Only collect data that is absolutely needed for your business, keep a registry of the purpose of the data and retain the data for as little time as possible,” she said.
“When possible, move your data processing client-side. This can save on infrastructure costs while further minimising the data collected by your services.”
5. Measure cybersecurity posture and readiness
Smarttech247’s CTO, Andy Grzess, said he recommends that companies measure their cybersecurity posture and readiness annually using well-established frameworks such as NIST, the CIS Top 20, ISO 27001 or SOX.
“Moreover, companies need to consider having the right security intelligence tools and network controls in place, irrespective of their size. Cybercriminals do not care about your size or line of business.”
Deltek’s CIO, Ronda Cilsick, echoed Grzess’s point, saying that constantly reviewing and auditing current environments is the best way to mitigate risks. “As more tech enters the market and becomes widely accepted, there will always be ways to improve and boost security measures,” she said.
6. Train staff in security practices
While each of our CIOs this year had many different pieces of advice, one tip came through in almost every interview: the importance of training employees in security hygiene. But Siro’s Lydia Martin put it best.
“You can build highly secure systems using all the security intelligence out there and all it takes is a simple human error, like falling for a phishing scam, forgetting security protocols or giving away a password, and the business is compromised,” she said.
“The way to protect against this is to train and train and train and don’t stop. If your people are on alert, then your business is very well protected.”
7. Consider the user experience in security
While training staff is essential, Healx’s Meri Williams made a strong point for ensuring that the security processes remain user friendly.
“There’s a really fine balance to strike between keeping things secure and making the security process so onerous that your employees start to work around it. I think in general security needs to take much more notice of user experience, otherwise we’ll continue to be easy to breach,” she said.
8. Incorporate proper access control management
While global CIO of Syntax, Joe McKenna, cited encryption at rest as an easy way to start protecting data, he is also an advocate for “proper management of access control”.
“In other words, you must control who can access your organisation’s data. It is important to create a proper data protection plan that includes backups, snapshots and replication.”
Apex Analytix’s Walt Kristick echoed McKenna’s advice, saying: “A strong data governance programme adds another layer of protection by limiting individuals and systems that can access the data, tracing the lineage of the data, defining how the data can be used and tracking data use and movement.”
9. Remove the need to store data where possible
From a technology developer point of view, Patricia Moore from space-related ICT consultancy company Mindseed said one way to tackle data protection is to remove the need to store or transmit sensitive data.
“Low-cost edge compute devices are now enabling smart sensors to continuously analyse data ‘on the fly’ at source with no long-term data storage or retention,” she said.
“Where sensitive data must be stored or transmitted, it is vital that GDPR guidelines are followed to ensure that rights to privacy are respected and measures taken to protect those rights.”
10. Give security a seat at the table
Finally, perhaps the most important takeaway – and another point that was repeated a number of times – is that security needs a seat at the table in terms of corporate strategy.
OpenX’s Paul Ryan hammered this point home. “The security team is often seen as the people in the room who are quick to say no or slow down product development, but taking this view is the wrong approach,” he said.
“Data protection and security need to be baked into strategy from the start. It needs to become second nature, and addressed regularly, so every year there isn’t a rush to make updates to meet the latest security requirements.”