Welcome to Access Point
TenFour's source for the IT industry insight CIOs, CTOs & CSOs need to lead their enterprises into the future.
1. Develop a comprehensive cybersecurity strategy.
In a recent survey by management consulting firm A.T. Kearney of 400 executives and board members around the world, cybersecurity was ranked their number one concern for the third year in a row. Yet despite admitting that nearly 85% of their businesses have experienced a breach in the last three years, only 39% of those surveyed have developed and implemented a comprehensive cybersecurity strategy. The stakes are too high to linger among the remaining 60%.
Instead of addressing cybersecurity risks case by case as they are discovered, businesses should take a top-down, holistic approach to the challenge, focusing on the people involved as well as the technology. The most sophisticated cybersecurity software counts for nothing if an email phishing scam or ransomware attack finds a victim willing to download a malicious file. From the CIO or CTO to the newest hire, it's vital that every member of an organization be trained to recognize potential threats to the business and to understand that sophisticated attacks rely on social engineering as often as on brute-force techniques. To maintain a culture of awareness and prevention, it can even be worthwhile to test employees from time to time with mock attacks and scams, managed by either a third-party specialist or internal experts.
2. Require multi-factor authentication.
Multi-factor authentication (MFA) is not a new technology, but in a digital world of ever more sophisticated breach techniques and tools it's more important now than ever. According to a recent Verizon report, almost 95% of web-based application breaches were enabled by weak or stolen credentials, usually obtained via phishing schemes or keylogging. Of course a strong, regularly updated, and unique password is a vital first step toward security, but it's always better to "measure twice and cut once."
Because MFA usually requires at least two pieces of evidence to authenticate a login attempt—a password plus access to an individual's personal device or email for a one-time code or token—it's much more likely that the user is who they say they are. And by incorporating behavioral data, location information, and more to verify remote access, IT departments can more easily distinguish genuine login attempts from fraudulent ones. The best part of MFA? The cost of implementing the service is usually low and the training required is minimal. Most employees are already familiar with MFA from other digital experiences, such as mobile banking, so it should be easy for most of the organization to adopt this quick and simple upgrade.
3. Embed preventative measures in every component of your IT infrastructure.
With the ubiquity of Internet of Things-enabled infrastructure components and machinery comes increased risk of malware infection at every level of your IT infrastructure. It's not enough to hope that passwords alone protect your wireless access points, or that the familiarity of IP phones and telepresence equipment makes them safe. Every component of your IT infrastructure should be incorporated into your cybersecurity strategy and equipped with preventative measures. Ideally, each component also feeds into a monitoring system that gives administrators a complete view of the infrastructure's health and behavior.
This becomes especially important as industrial and commercial operations become more interconnected and the attack surface continues to expand. Always-on connections to cloud services, social media credentials, increased remote access, and the like all enable a multitude of new attack vectors via devices and components that are traditionally overlooked. For instance, if a remote worker has access to industrial machinery, it's vital that, beyond the preliminary precautions of requiring a VPN connection and enabling MFA for the remote connection, the machinery can protect itself with controller software that determines who has access to its programming and what kinds of changes are allowed.
4. Minimize and encrypt the customer data you collect.
Although collecting a wealth of customer data can help create better experiences and increase profits, the less data you have on hand, the less data can be compromised in a breach. Beyond the basics, such as name, mailing address, and email address, it's usually harmless to collect user preferences and some basic demographic information. But when it comes to credit card details, is that information you need to store yourself, or could you leave the responsibility to another service better suited to the task?
GDPR outlines an array of restrictions and recommended behaviors, but its primary focus is the security of customer data: how it's collected, how it's stored, and how it can be deleted should a customer ask the collector to do so. The regulation may not explicitly state that businesses must encrypt customer data, but most interpretations conclude that it encourages encryption almost to the point of requiring it. By encrypting all customer data from the start, you make it far more difficult for bad actors to abuse the information even if they manage to breach your defenses.
5. Test for weaknesses before someone else does.
It can be alluring to imagine that, having thoroughly planned your cybersecurity strategy and taken precautions, attacks only happen to other, more attractive companies. But no matter the size or prestige of your company, if you conduct business online you are to some extent a data company and must count yourself a target. As such, it's vital that you understand your cybersecurity apparatus's weaknesses from the outside in, and the only way to do so is through penetration testing.
Although bringing in a third-party firm to assault and assess your cybersecurity can be expensive—anywhere from tens to hundreds of thousands of dollars—it costs far more to suffer a data breach, with recent estimates putting the average cost to a business at $3.8 million. For many small- to medium-sized businesses, a significant breach can mean erosion of brand reputation and possibly the death of the company. But responsibility doesn't rest solely with those conducting the pen test. In addition to implementing the recommended fixes, IT has a responsibility to perform the same vital pen test function from within, working to break new products and services as often as it supports them.
6. Recruit or repurpose IT staff wisely.
It's no secret that around the world there's a tremendous cybersecurity skills shortage. Between the rapidity with which the field has evolved, the specialized knowledge involved, and the universal need among businesses for cybersecurity expertise, the industry is stretched thin. One estimate from a recent (ISC)² "Cybersecurity Workforce Study" put the number of vacancies globally at nearly 3 million. A surge of people entering the profession is expected in the coming years—especially among female candidates, who currently account for only 14% of cybersecurity positions—but even with an influx of young professionals, the lack of experienced expertise may prove a liability.
In the interim, CIOs have an opportunity to repurpose and retrain the members of their IT department best suited to cybersecurity responsibilities. Numerous classes and courses have been developed in recent years to give IT professionals the experience they need to get started in the field, augmenting their existing knowledge of the organization with the technical knowledge needed to protect its most valuable digital assets.
7. Make cybersecurity a major part of business planning.
As mentioned above, spending on cybersecurity is at an all-time high and is expected to increase year over year for the foreseeable future. This expense, combined with the potential costs of cybercrime, has a serious impact on any organization's bottom line. It's vital that cybersecurity be a major point of discussion when it comes to budget allocations, revenue projections, and business strategy.
The strength of a digital business venture could very well depend on the strength of an organization's cybersecurity apparatus, so ideally the executives responsible for digital health should take part in the highest-level conversations, alongside the CEO, CFO, and the like. Beyond the technical expertise these executives can bring to product development with regard to exploitable flaws and vulnerabilities, they can analyze and explain the financial impact of potential incidents and help plan ahead.
It can often feel like IT teams are rushing to catch up, keeping the lights on and responding to every emergency with the same intensity. But by developing and following a cybersecurity plan that takes into account the ideas listed above, CIOs are a few steps closer to a cybersecurity strategy better equipped to minimize the risks.