Five Solid Security Principles [Article]

The art of building a resilient business

Technology and the way we work changes, but we still need to protect what is important.  Solid security principles can ensure your security strategy is effective through technology and business change.

Some people say that change is the only constant, and I think anyone who works in IT will understand this all too well. Accepting that everything you need today may change tomorrow, will help you develop the pragmatic and future-proof approach to security and resilience that you need to have at the heart of everything you do.

So why is cyber protection even more important now?

Digital transformation and cloud adoption are reshaping IT environments at an increased rate, with working from home becoming standard working practice for many industries (especially in the past 12 months), and connectivity and agility more critical than ever before.

This transformation creates significant new risks for information security leaders and IT teams. Infrastructure estates are becoming more diverse and complex, increasing the volume of attack surfaces and opportunities for cybercriminals to exploit and making it more difficult to keep data protected.

Who is at risk?

Absolutely everybody! Nobody is immune to cyberattacks, whether a company, government agency or individual. The sophistication of such attacks is constantly evolving and improving; a veritable arms race between the good guys and the bad guys if you like. These attacks may be attempts at gaining sensitive information such as personal identities, account credentials and credit data. There may also be attempts at corporate sabotage. The onslaught of ransomware cases demonstrates that attackers are increasingly likely to hold data hostage by encrypting it and extorting financial payments to attain the decryption keys. But there are five things you can do straight away – or avoid doing – to mitigate security risks, whatever their nature.

Five principles for a solid security foundation

1. Reduce complexity

The first principle is to reduce complexity. While the IT environment is becoming increasingly complex, cybercriminals are getting better at identifying and targeting intrinsic weaknesses. According to an IDC survey*, nearly 40% of IT security, line of business, and data management specialists cited the rising sophistication of attacks and the increasing complexity of managing and supporting security products as significant challenges.

To counter this, it’s advisable to look for security solutions that reduce complexity. For example, ones that don’t just protect one infrastructure element or type of device, in one way, but those that deliver better outcomes and better value by doing more. Choosing a security information and event management system (SIEM) that is deployed in the public cloud so that it gathers intelligence across all cloud and on-premise environments, not just locally. And choosing solutions that don’t just protect your server infrastructure, but all devices. Not only that, but solutions that perform more than one of the security functions that you need, such as antivirus and anti-malware protection and data backup.

Attackers benefit from complexity. With the increasing attack surface across on-premise infrastructure, cloud infrastructure (public, private and multi-cloud), and endpoint devices, the number of potential vulnerabilities is growing. Continued cloud adoption and data migration projects have enterprises of all sizes reassessing their security strategies after uncovering gaps in coverage. IDC survey data suggests that bolstering data security and mitigating cloud risks will require not just technology but people and process changes.

2. Avoid complacency

Secondly, don’t be complacent. In terms of cybersecurity, ignorance is bliss – until you have a breach. “It will never happen to us.” “We’ve never had a cybersecurity incident.” “We have invested in security to protect our network, so we’ve got it covered.” Sound familiar? Sadly, these are all-too-common famous last words from organisations that have since suffered adversely from a security breach.

It will help if you treat security as a journey, not something that you can tick off your list once you buy a next-generation firewall or a new backup solution. Continually reviewing your attack surface is key, why not request a Security Healthcheck from Daisy to help understand where to focus?

3. Security is everyone’s responsibility

Another must is avoiding a ‘slopey shoulders’ staff mentality. Absolutely everyone in your organisation needs to be aware of the risks. Be it opening emails from unfamiliar senders, leaving laptops in cars, sharing passwords, using weak passwords, storing data in places that are not secure, using unauthorised applications, etc. There are many ways employees can cause a major security incident, albeit (largely) unintentionally. It is well worthwhile taking the time to work on training and awareness so that your security policies are clear and followed by everybody.

4. Make security the focus

Admit it, security can become a bit of an afterthought when you are sourcing new solutions to meet the requirements of your various business functions. But it’s mitigating risk that’s the goal here, and so it needs to be a central part of any IT decision making. For example, when you are looking to buy a new solution or refreshing or upgrading existing IT, security considerations should help to shape your decisions. And don’t forget that when you’re working with third-party providers, you need a clear understanding (and documentation) of where the responsibilities between you start and stop. It’s the difference between retrofitting security into your infrastructure or taking a proactive “security-first” approach.

5. You need a holistic approach

And you can’t be single-minded about security either. There is no one, single security solution that will keep you safe. In fact, any number of best-of-breed solutions across every facet of a perfect security strategy will still not give you immunity from a cyber breach.

It is common for organisations to focus all resources on a defensive strategy and shoring up defences to keep bad actors at bay. However, it is just as important to understand your threat landscape and proactively address potential attacks and to plan for mitigating the impact of a breach when you have one.

The best advice is to follow the core functions of the National Institute of Standards and Technology (NIST) cybersecurity framework and implement solutions across these functions and in line with your risk management strategy. We simplify these into discovery, prevention and response. The timely discovery of cybersecurity events will ensure that any anomalies are detected, and their potential impact is understood. It will also confirm the efficacy of any protective measures. Prevention is important to help limit or contain the impact of a potential cybersecurity event. And as we have already explained, no-one is immune to a cyber breach. Hence, it helps to have an appropriate response ready to shut it down effectively and crucially, to enable you to continue to run the business securely while you manage the breach. This is not something that can be done easily when you have a breach – you need to have an appropriate strategy already in place.

How is the industry changing?

COVID-19 has accelerated the movement towards flexible working that had already started following more organic change in business models and technology. For most organisations, this means that their security surface has spread to the point where previous security solutions for protecting a corporate environment are no longer effective. In turn, this means that security providers need to provide solutions that meet the new challenges and reduce complexity.

But changes to the way we work also change dependencies, vulnerabilities and risks, so business continuity plans need to be rewritten to reflect this and information security becomes a more prominent function in the resilience spectrum.

Cybersecurity has been an IT discipline for more than two decades, but a wider approach will support your business more effectively. For larger organisations, it means converging the likes of information security, IT management, risk management and business continuity. Smaller organisations may not have separate functions for all of these areas, but the important thing is to have one single, unified strategy. Not only will this deliver more visibility and control, but it will also drive better performance outcomes for ‘business as usual’ and better recovery outcomes for a recovery situation.

Don’t forget that you are not alone. We are all in this together and solution providers like Daisy, have a wealth of experience and expertise in helping organisations improve their security posture. Organisations without a dedicated security team can benefit greatly from consultancy and managed services to deliver the additional support wherever it’s required.

Summary of the five principles for a solid security foundation that you can think about straight away:

  • Reduce complexity
  • Don’t be complacent
  • Avoid a “slopey-shoulder” staff mentality
  • Don’t treat security as an afterthought
  • Don’t be single-minded about security
* Data Services for Hybrid Cloud Survey