If You Connect It, Protect It
When everything and everyone are always connected, a fundamentally different approach is needed for cybersecurity.
- Most companies today are just one click away from cybersecurity disaster.
- Four steps can help cybersecurity professionals better respond to today’s radically new environment.
- Of the above, a consistent and effective cybersecurity awareness training program for employees is far and away the most important.
The line between “online” and “offline” is disappearing, as is the distinction between “work” and the rest of our lives. Ubiquitous connectivity makes many incredible things possible, but now we’re also seeing the downside: Malefactors can find us and hurt us from anywhere on the planet. When hacking an employee’s baby monitor can threaten a company’s crown jewels, we’ve been unceremoniously dumped into a different world. As a security professional, what can you do? Four things stand out:
- Focus on the fundamentals and make sure the cybersecurity basics are firmly in place.
- Revisit any tradeoffs you’ve made between tighter security and greater ease of use to ensure that you’ve struck the optimal balance.
- Automate everything that can reasonably be automated, because manual efforts can’t possibly prevail against today’s threat environment.
- Most importantly, zero in on organization-wide cybersecurity awareness training. This is critical because people are the weakest link in the cybersecurity chain and strong security depends on everyone’s best efforts.
1. Focus on Cybersecurity Fundamentals
Even effective security organizations have gaps in their defenses. They may be aware of these and have plans in place to close them, but for one reason or another these haven’t come to fruition. Perhaps the best example is the rollout of ubiquitous multifactor authentication (MFA). Per 2019 research by LastPass, 57% of global businesses are making use of MFA, up from 45% in 2018. But that still leaves more than two in five organizations that have yet to adopt this basic line of defense. Others may be using it for some of their employees, but not for all.
Unsurprisingly, the laggards include many smaller businesses, even though their risk of falling prey to an attack may be as great as or greater than that of a larger enterprise, and they typically have fewer resources to mitigate the damage. LastPass, however, found that 22% of businesses with 1,001 to 10,000 employees, and 13% of businesses with over 10,000 employees, made no use of MFA. For security professionals looking to upgrade their company’s cyber defenses, this is low-hanging fruit.
2. Revisit Tighter Security Versus Ease-of-Use
Some organizations have delayed MFA deployment because some of their employees view it as an impediment. But given today’s growing risks, security professionals may want to reconsider the tradeoffs between more robust security and employee ease-of-work. For example, some companies may want to ease up on their support for BYOD and issue more company-controlled devices instead. Even where this isn’t possible, the company should deploy a robust mobile device management (MDM) solution. Enhanced mobile device security is already critical for just about every business — and as the 5G rollout leads to more work migrating to those devices, it will become even more important.
Cybersecurity teams may also want to roll out automatic VPN enrollment to better safeguard key business applications. And they may want to accelerate their transition to the cloud, given the increasingly sophisticated security that cloud-based services offer.
3. Automate As Much As You Sensibly Can
No company has sufficient personnel to manage all the security alerts or handle all the cybersecurity-related issues that confront it. The only possible way to stay ahead of this curve is to automate these tasks and look for opportunities to leverage machine learning.
Yet, a recent SANS survey finds that roughly half of all organizations either use no security automation or just minimal scripting for data collection and functional lookups. If your company is included in this group, it’s time to adopt what SANS describes as “medium” automation: automated processes that support decision-making and use complex logic to improve processes including workflow. If you’re already there, consider deploying even more automation, such as systems that can act autonomously based on complex threat intelligence and analytics.
4. Above All, Step Up Cybersecurity Awareness Training
In many organizations, cybersecurity awareness training has been treated as an annoyance: something everyone has to do, dislikes and assumes is of limited value. This is a self-defeating approach that runs counter to the real, demonstrable benefits that such training can provide.
To reduce your company’s cyber risk, every employee from the executive level on down needs to be aware of those risks and the role they can play in helping to curtail them. Effective training that utilizes “bite-sized” and entertaining content linked to timely and relevant examples can help jolt your employee population to attention. Programs like these make use of phishing tests based on actual attacks that were directed against your company’s employees. They also help you identify the employee groups at greatest risk — at every level of the organization — allowing you to concentrate your defensive measures where they’ll do the most good.
The Bottom Line
Ubiquitous connectivity has created ubiquitous cyber threats for businesses and their employees. To counter these, cybersecurity professionals must fully deploy basic protective measures, such as across-the-board MFA, and stiffen their security requirements — even at the expense of employee convenience. They should also automate more aggressively and make effective cybersecurity awareness training their number one priority.