Businesses today are much more concerned about cybersecurity than they were 10 years ago, and with good reason. Threats and attacks have grown in potency and pervasiveness, while an ever-expanding population of connected devices and COVID-19's enforced shift to remote working have complicated the threat landscape.
In this environment, what role do holistic ecosystems – secure connections between data, systems and people – play, now and in the future?
Cybercrime is big business. It has a low barrier to entry, since criminals no longer need to be computer savvy to run profitable ransomware operations. Like their targets, they can buy off-the-shelf tools and outsource work to specialists: ransomware-as-a-service operators supply the malware and payment infrastructure, and initial-access brokers sell footholds into already-compromised networks.
Further, the lack of preparedness on the part of companies, the advent of hard-to-trace cryptocurrencies and the willingness of victims and insurers to pay multimillion-pound ransoms have combined to create an irresistible incentive for criminals.
As companies move into a new era of hybrid work, existing cybersecurity protections lose their effectiveness, because they were built around a perimeter: people and assets concentrated in offices behind a corporate firewall. Hybrid working dissolves that perimeter into one distributed across homes, personal networks and cloud services, which poses new risks and needs new controls to allow employees to work safely anywhere.
This shift in how we work has sharpened the case for holistic security ecosystems, because the consequences of a breach are severe. In the short term, a breach can bring a company to its knees, interrupting core revenue streams for extended periods.
In May 2021, for example, the Colonial Pipeline attack led the company to pay a $4.4m bitcoin ransom, of which only about $2.3m was later recovered by the US Department of Justice, while the ransomware attack on JBS cost $11m to resolve. Even for companies that never become an 'outlier' headline, attacks are expensive.
Beyond the financial implications, breaches pose reputational threats. The erosion of trust by customers, regulators and the market can have more subtle, long-lasting and crippling effects on a business, as we’ve seen happen with many companies that have received Information Commissioner’s Office (ICO) fines for breaches since 2018.
We must harness technology to meet the cybercrime challenge, but that is only one facet of the holistic ecosystem approach. With flexible working becoming the norm, employees are increasingly exposed to threat actors, for example through phishing, so we need to equip staff with the right tools and training, and back them with technical controls that act as a last line of defense and limit the damage when a breach does occur.
At Endava, our approach to the software development process is called 'Secure Development.' In it, we add activities and steps (such as threat modeling and vulnerability scanning) to the normal software lifecycle to harden our systems and ensure they are resilient and resistant to attack. This usually goes hand in hand with a DevOps approach to delivery: security activity is integrated into the cross-functional team and its pipeline rather than bolted on at the end, the practice commonly called 'DevSecOps.'
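To make the 'vulnerability scanning in the pipeline' step concrete, here is an added example (written for this article, not Endava's own tooling) of the small policy gate that typically sits between a scanner and the CI job: it parses a scanner report, fails the build on findings at or above a chosen severity, and honours time-boxed, ticketed exceptions so that accepted risks are waived until their expiry rather than silenced forever. The report layout, the CWE rule IDs, file locations and tickets are all constructed for illustration and do not correspond to any particular scanner's output format.

```python
"""Severity gate for a DevSecOps pipeline stage (added illustrative example).

Assumptions: the scanner emits JSON with a top-level "findings" list whose
items carry rule_id, severity and location. This is a simplified, constructed
format, not the schema of any real tool.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Ordered so that a numeric comparison expresses "at least this bad".
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str


@dataclass(frozen=True)
class AcceptedRisk:
    """A reviewed exception: scoped to one rule at one location, with an expiry and a ticket."""
    rule_id: str
    location: str
    expires: date
    ticket: str


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding] = field(default_factory=list)
    waived: list[tuple[Finding, AcceptedRisk]] = field(default_factory=list)
    expired: list[tuple[Finding, AcceptedRisk]] = field(default_factory=list)


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the (assumed) scanner report. Unknown severities fail closed."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "")).upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {item.get('rule_id')!r}")
        findings.append(Finding(item["rule_id"], sev, item["location"]))
    return findings


def evaluate(findings: list[Finding], exceptions: list[AcceptedRisk],
             fail_at: str = "HIGH", today: date | None = None) -> GateResult:
    """Block on findings at or above fail_at unless a still-valid exception covers them."""
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the policy line: reported, never blocking
        match = next((e for e in exceptions
                      if e.rule_id == f.rule_id and e.location == f.location), None)
        if match is None:
            result.blocking.append(f)
        elif match.expires < today:
            result.expired.append((f, match))  # exception lapsed: block until re-reviewed
            result.blocking.append(f)
        else:
            result.waived.append((f, match))
    result.passed = not result.blocking
    return result


# Constructed sample input: four findings, two of them covered by exceptions.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "CWE-89", "severity": "critical", "location": "src/orders.py:42"},
    {"rule_id": "CWE-79", "severity": "high", "location": "web/templates/search.html:10"},
    {"rule_id": "CWE-200", "severity": "medium", "location": "src/logging.py:7"},
    {"rule_id": "CWE-327", "severity": "high", "location": "src/legacy/hash.py:3"},
]})
SAMPLE_EXCEPTIONS = [
    AcceptedRisk("CWE-79", "web/templates/search.html:10", date(2030, 1, 1), "SEC-123"),
    AcceptedRisk("CWE-327", "src/legacy/hash.py:3", date(2021, 1, 1), "SEC-45"),  # lapsed
]


def run_gate(report_json: str = SAMPLE_REPORT, exceptions: list[AcceptedRisk] = SAMPLE_EXCEPTIONS,
             fail_at: str = "HIGH", today: date | None = None) -> GateResult:
    return evaluate(parse_findings(report_json), exceptions, fail_at, today)


if __name__ == "__main__":
    res = run_gate(today=date(2024, 6, 1))
    for f in res.blocking:
        print(f"BLOCK  {f.severity:<8} {f.rule_id:<8} {f.location}")
    for f, e in res.waived:
        print(f"WAIVED {f.severity:<8} {f.rule_id:<8} {f.location} (until {e.expires}, {e.ticket})")
    sys.exit(0 if res.passed else 1)
```

Run as a pipeline step, the non-zero exit code is what turns a scanner report into a merge blocker. The two design points worth copying are that exceptions are scoped to a rule at a location and carry an expiry and a ticket, so a waiver has an owner and a review date, and that an unrecognised severity raises rather than being treated as LOW, so a changed report format cannot silently pass the gate.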
Educating people is even more critical. As cybersecurity defenses become more sophisticated and harder to defeat, attackers increasingly use psychology to get employees to 'open the door' for them, because in many ways hacking the human psyche is easier and more effective than attacking systems. Teaching employees to recognize and resist social engineering should therefore be at the heart of any security program. Developing that 'human firewall' empowers people to act as the first line of defense against a breach. For us, that means everyone is required to complete Security Awareness training at onboarding and annually thereafter.
So, how should companies develop their security strategies to meet today’s challenges and those of tomorrow?
With hybrid and remote working now a permanent feature for many or even most companies, all future security must be designed around it. Existing systems based around offices and other fixed sites are no longer enough and should be updated or complemented.
But more than that, new holistic approaches need to be developed and adopted. As we have said, technical defenses have matured to the point that criminals increasingly target human vulnerabilities, with attacks that get people to unwittingly 'open the back door.' Any cybersecurity initiative that emphasizes technology above human training is therefore destined to leave an organization exposed.
Building that 'human firewall' is critical to long-term resilience against cybercrime. The human component of our defenses must feature just as prominently as the technology, with well-designed training and education for everyone who has access to our systems.
That’s what we mean when we talk about a holistic security ecosystem – a strategic approach that successfully develops both technological and human components as part of a single program.