A recent Proofpoint survey of 1,600 CISOs found that 68% foresee a “material cyberattack” on their organizations within the coming year. For an organization to be confident in its security measures – and retain customer trust – it is essential to implement foundational best practices consistently and at scale. On the surface, this sounds simple, but it is not. Year after year, we see frustratingly similar stories of cybersecurity breaches making headlines. It is almost always the same elements at play: misconfigured systems, failure to patch in a timely fashion, inability to track all the organization’s data and assets, and humans falling prey to social engineering attacks. So, how can CISOs stay a step ahead of the threats and vulnerabilities that commonly lead to breaches? It begins with excellence in the essentials of cybersecurity. Let us explore four essential elements of a strong enterprise security posture.
Apply Security Controls Across the Distributed Environment
When it comes to endpoint security, we all know employees’ devices should be properly accounted for, monitored, and protected so that malicious activity can be accurately detected. That said, the difficulty varies greatly depending on whether all devices are in the office and connected to the company’s network or not. In the post-pandemic environment, remote work and resumed travel have accelerated the shift to a perimeter-less world. Beyond securing the devices themselves, tracking where data is stored is challenging, as data is replicated very quickly across a multitude of locations.
Personal devices such as smartphones are an example. An employee takes a photo of a receipt on their iPhone and uploads it with an expense report to a third-party expense management app used by their employer. At the same time, it is also saved to the phone’s photo album and may have been automatically replicated to the employee’s personal iCloud. This can introduce new difficulties for companies trying to rein in data from a legal perspective, as they do not have access to that personal account. If that image included protected data, such as PHI or PII, or intellectual property – such as a contract with a customer – the employee using their smartphone camera as a scanner means that now the sensitive data is also in a cloud environment beyond the reach of the employer.
Understanding the employee mindset and anticipating behavior in the context of today’s work ecosystem is necessary for establishing processes for data and device management. Basing security protocols and software settings on expected behavioral trends can help keep your organization resistant to compromise.
Approach Cybersecurity as a Company-Wide Team Effort
It is no longer enough for security leaders and their teams to implement security measures on their own; instead, the expectation should be pushed down to every member of the organization. Improving security behavior in the IT department, throughout the rest of the organization, and among associated third parties will strengthen the overall security posture. Most people have neither the interest nor the expertise in cybersecurity and may assume away risks that actually exist. CISOs should aim to strike a balance between sharing the resources of the team that has that expertise with the rest of the organization and educating and empowering everyone.
The National Initiative for Cybersecurity Education, through its Working Group, has provided guidelines for what every employee can do to contribute to this effort, based on functional role. Just as we train our employees to spot phishing emails, we must also enable them to protect their own digital footprint. Personal devices are often used for work and also to manage employees’ finances, their children’s education, and entertainment on the weekends. Enabling each employee to protect themselves will help everyone protect the organization.
Reduce the Data Attack Surface
Another key step to keeping ahead of threats is reducing the overall data attack surface. This minimizes exposure to risk and allows appropriate security controls to be applied where they matter most, while making successful deployment and ongoing administration more achievable. When it comes to data management, the best time to classify, encrypt, and manage data is at the moment it is created; it is much harder to find the data and apply controls afterward. Organizations need to ensure that they are thinking about their encryption strategy, from hardware to the data being created and stored, upfront and as early as possible.
Executing a data management strategy across the entire information lifecycle will reduce the attack surface from the outset and enable data security throughout. It is also important to eliminate data properly and permanently at end of life through a mature data sanitization program. Data sanitization is a repeatable process for permanently erasing data so that it cannot be recovered; a mature process includes erasure, verification, and reporting. In this way, sensitive data, as well as redundant, obsolete, and trivial data, no longer poses an administrative burden or a data security risk.
Take an Integrated, Holistic Approach to Security
Implementing a holistic security strategy across all business functions should balance technical and people-oriented cybersecurity best practices. Building a security strategy on the foundation of a well-developed and validated framework from an authoritative independent source, such as the NIST Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls, ensures that collective wisdom, gleaned from the real-world experience of many other organizations and analyzed against a well-researched threat landscape, is applied to each organization. In turn, that strategy should be brought to life by deploying carefully vetted technologies that implement security controls in an integrated and overlapping manner. CISOs can understandably be frustrated by vendors telling them all their problems will be solved by buying a particular product or service, or by over-promising a solution’s effectiveness. It is certainly possible to overestimate the value of a specific security control or tool. Third-party product reviews, customer references, and external consultants can help determine which tools are appropriate while ensuring effective integration with the overall strategy.
Effective security is often the result of doing the essentials well, at scale. By leveraging well-tested holistic frameworks, applying controls across the distributed environment, approaching cybersecurity as an organization-wide team effort, and reducing the data attack surface, an organization can stay a step ahead in the endless game of mitigating cyber risks.