Part 4: 3 steps closer to safety

Cybersecurity is not addressed with a single solution. Gone are the days of feeling that your computer is safe just because you’ve installed an anti-virus on it. A single layer of protection cannot protect an organization from cyber threats.

There is a simple reason for this: information systems require access points. An organization needs to communicate, therefore the doors of its networks cannot simply be shut. Even when they are, such as on a fully isolated system, data can still be stolen, as demonstrated in this amazing video.

A good cybersecurity strategy must consist of multiple layers. ISO/IEC 27001:2013, the NIST cybersecurity program and the CIS 18 controls are all examples of defense in depth.

Here is a simplified illustration of this approach:

There are 3 types of controls: Physical, Technical and Administrative.

Terms such as cybersecurity and hacking are usually associated with computer systems. But security has many different aspects such as safety or physical accesses. You can have the best technical and administrative controls, but if you lack physical controls, you will not protect your data for long.

Controls commonly have 3 functions: Preventive, Detective and Corrective.

Definitions

Physical: Physical controls are security measures implemented in a defined structure to deter or prevent unauthorized access to sensitive material.

Technical: Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network.

Administrative: Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information.

Any of these three types can fulfil any of the three functions: a preventive control stops an incident before it occurs, a detective control identifies an incident that is occurring or has occurred, and a corrective control limits the damage and restores normal operation afterwards.

It’s not always possible to stop attacks with preventive controls. Being able to block threats before they find their way into your systems is ideal, yes, but realistically, the ability to address a threat already present in your systems and to restore them with a corrective control is just as important, if not more so, than simply being able to prevent an intrusion.

Alas, technology alone cannot save the world.

As the former FBI director said, ‘Security is always too much until it’s not enough.’

We see cybersecurity only as far as our perception of threats goes, but cybercriminals think in ways the average person does not, or is less likely to.

This is why we can’t keep nice things

The human component of a cybersecurity strategy remains one of its most uncertain layers.

Case in point: a study conducted by HP Wolf Security shows that in the workplace, non-security personnel lean towards the ‘security is always too much’ side of things, more so in the 18-24 age group. Enter office worker rebellions:

  • 54% of office workers aged 18-24 are more concerned with meeting deadlines than exposing the business to a data breach
  • 48% of office workers aged 18-24 say security measures result in a lot of wasted time and are a hindrance
  • 37% of office workers say security policies and strategies are too restrictive
  • 31% of office workers aged 18-24 have tried circumventing security

Your cybersecurity strategy is only as strong as the weakest human component of your organization. You may have closed or heavily restricted access to your data, yet a single human action (or inaction) can invalidate your best efforts and let attackers get their foot in the door.

The moral of the story here is quite simple: Cybersecurity is actually a team effort. It is every team member’s business, and this awareness should continue to be raised. One quick glance at the news and you can see the consequences of cyberattacks.

New vulnerabilities are discovered every day. Old ones, sometimes years old, are also being exploited on a daily basis. In too many cases, the common denominator is human, whether voluntary or not. Sometimes it happens unbeknownst to the victim, as the recent iMessage Zero-Click Exploit Captured in the Wild (#FORCEDENTRY) shows us.

While humans pose the biggest vulnerability to an organization’s cybersecurity posture, they can also be its most important part. An organization requires someone who has the skills and knowledge to understand the security risks and challenges and to interpret the data provided by the implemented controls. Unfortunately, this skillset is in such high demand at the moment that some organizations are not able to afford a full-time CISO.

The good news, however, is that organizations do have multiple options.

Hiring a CISO is the most logical and effective option, if a good match can be found. It is not impossible, but as I’ve mentioned earlier, there is a shortage of cybersecurity talent worldwide. This also means that the right person may be outside of an organization’s budget.

Upskilling the existing workforce is another option. Cybersecurity certifications are abundant and accessible. It should be noted that if an organization chooses to sponsor training for its team members, it should be aware that its workforce’s market value increases accordingly.

Outside of certifiable training, there is also a lot of cybersecurity knowledge that can be amassed for free online.

While waiting for staff to be trained or for the right match to be found, organizations can still take action. It is now possible to get a CISO-as-a-Service on subscription, without a long-term impact on payroll. Another layer of security can be added through cybersecurity insurance, which can help with various elements of the recovery process, such as limiting the costs of data loss or business interruptions. Coverage varies from one insurer to the next, therefore careful study of the policy proposal with the help of a professional is of the utmost importance.

Moral of the story

Cyber threats are not going anywhere. If anything, they will only increase. Might as well get used to it and act accordingly.