It’s Time to Take A Business-Driven Approach to Managing Digital Risk

The current state of cybersecurity is unlike anything that’s come before. The pace of digital transformation has rendered the notion of traditional threat perimeters obsolete, and with each new advancement in technology comes a new route for hackers to exploit. Now, every third-party supplier, partner and service that an organisation uses in a bid to keep pace with the competition is a potential entry point for attackers.

Many IT teams are facing an uphill battle. Trends like remote working and the gig economy mean user populations are more dispersed and dynamic than ever. When this is combined with limited security resources, an increasingly sophisticated threat landscape and hyper-connected infrastructure that can amplify a seemingly minor threat into a major outage, we find ourselves facing a digital risk storm. Today, enterprises need to take a business-driven approach to weather this storm and make their organisations as secure and resilient as possible.

Coordinating a business-driven response

What are businesses supposed to do in the face of such a challenge? Should they stop digital transformation journeys in their tracks? The fact is that innovation is no longer optional; businesses must digitally transform to survive in an increasingly competitive and globalised economy. However, while no one wants to put the brakes on digital transformation, organisations must take measures to manage the risks that have been created by the explosion of data, users, devices, digital channels and third-party applications. Integral to this will be recognising that security is no longer just a technology issue, but rather a business-level issue that is as important to the company’s C-suite and board as it is to its security analysts. As such, organisations need to align the efforts of the security team to the wider priorities of the business.

Ultimately, it’s unrealistic to think that we can eradicate cyberattacks or data breaches altogether. Instead, the priority should be to become a much tougher target for hackers and to minimise the impact cyberattacks can have on business operations. In other words, by anticipating the possibility and impact of a breach, organisations can prepare and respond accordingly. As such, organisations should take the following steps:

1. Devise your ‘Plan B’

The first step for a business when implementing a security strategy is to plan for an inevitable disruption to business processes, systems or facilities, and ensure that the security of the most critical systems is prioritised. In order to identify these critical assets, organisations must take a risk-based approach to understanding their data and systems in order to separate the essential from the non-essential; the specific areas that matter most to the business must be prioritised.

Continuity or recovery plans should be made available for all critical business processes and their supporting systems, ensuring businesses won’t be crippled by a massive outage as a result of a cyberattack. For example, a recent string of high-profile ransomware attacks highlights that even well-understood cyber threats can have a crippling effect if organisations don’t have concrete plans in place for dealing with them. Ransomware has been around since the 1980s, and yet cyber attackers are still successfully using it to disrupt even the largest enterprises’ operations, sometimes for weeks at a time.

2. Account for the human element

Humans will always be the Achilles’ heel of security. Verizon’s 2019 DBIR found that 94 percent of detected malware was delivered via email; all it takes is for one employee to click on a malicious link. Considering the increasing sophistication of phishing techniques, this isn’t exactly an unlikely scenario. Even aside from email, employees may put off updating their passwords, log on to their company’s network from unsecured networks or simply be unaware of basic security practices; all of these provide potential entry points for hackers.

As such, businesses must test and measure the human vulnerability of their organisation and adopt solutions to authenticate users seeking access to critical assets. By implementing Identity and Access Management (IAM) controls that grant and restrict access based on roles and responsibilities, and that observe whether user behaviour changes, businesses can reduce risk around their critical assets.

Providing training to raise user awareness of security remains essential. However, awareness isn’t just about training; it’s about communication. It’s vital that everyone is speaking the same language, so security must be talked about in a business context. A sales director may not understand warnings of “SQL vulnerabilities”, but they will understand the importance of “preventing a breach of customer data that may put the company at risk of fines and reputational damage”. Relating security incidents to how they will affect the business will help ensure that all branches of the company are on the same page, especially during an incident, when timing and decision making will be critical.

3. Maintain the ‘nuts and bolts’

Finally, organisations must employ a cycle of upgrade and maintenance to reduce their attack surface. Failure to patch, update and upgrade, especially moving away from unsupported operating systems, can lead to successful attacks that irreparably damage an organisation’s reputation. It’s always tempting to focus on implementing the latest and greatest cybersecurity tools and systems, but organisations mustn’t lose sight of their foundational systems.

It’s also vital that organisations stay on top of backing up their data, especially in light of rising numbers of ransomware attacks, which have resulted in many government bodies having to pay millions to retrieve lost data. Backing up data is critical as it can allow organisations to retrieve essential data and keep the business running.

Cybersecurity pipe dream?

Sure, a truly “unhackable world” may just be the stuff of dreams. However, admitting defeat cannot be the response. Instead, businesses must understand their key assets, and take clear, manageable steps – including educating staff and keeping systems up to date – to ensure that these business-critical systems are secured and built for continuity. If all organisations work towards achieving this, a safer world is within grasp.

By Chris Miller, Regional Director, UK & Ireland at RSA Security