For many organizations, the past 18 months have meant unprecedented levels of investment in digital transformation. It helped them to support mass remote-working, protect bottom lines and engage more closely with customers at a time of colossal business uncertainty. But now that the dust has settled, those same organizations are coming to terms with the security and technical debt of these investments. A new study warns that it could take firms two years on average and millions of pounds each to fix the vulnerabilities that these digital projects have created.
With threat actors circling, there’s an urgent need to start these efforts now, guided by best practices across people, processes and technology.
Dangers of the Smart Home
The digital transformation over the past year and a half has taken many forms. But one common thread is the expansion of the corporate attack surface through new cloud infrastructure, apps and services, and home working systems. The latter could include anything from remote virtual desktop solutions to allowing remote workers to use personal devices to access corporate data and networks.
Unfortunately, when employee-owned kits are sanctioned for corporate use, new risks can emerge. It becomes challenging for IT teams to manage and update these assets, creating visibility and control gaps that threat actors are only too ready to take advantage of. The smart home represents a broader concern. Any network is only as secure as its weakest link. So if home workers’ networks feature unpatched routers and IoT devices protected only by default passwords, these could offer attackers a stepping stone to get to corporate systems. A study from earlier this year found that millions of households could be at risk of compromise because they’re running outdated and unpatched routers.
The dramatic increase in SaaS applications has also increased enterprise risk, as rapid adoption often led to security best practices being ignored. In the future, organizations need to understand better exactly what assets they own, where they are, who has access, and how well they’re protected. Then it’s a case of applying best practice policy according to risk appetite. This could mean restricting network access to pre-vetted and patched devices, rolling out endpoint management tools to maintain proper security posture, and mandating two-factor authentication and strong passwords for all cloud accounts.
The Employee as Weakest Link and Strongest Ally
Human error is a critical driver of cybersecurity risk. Employees can be an unwitting but severe threat, whether it’s misconfigured cloud storage, weak passwords or clicking through on phishing links. But they’re also arguably the most effective tool to maintain an elevated security posture. That makes continuous outreach, engagement and training an essential part of any security strategy. Having a proactive and educated workforce makes maintaining suitable protocols and adopting new practices far easier, even against the backdrop of an ever-evolving threat landscape.
When you’re integrating new systems into an existing estate, visibility is once again key. Understand how to keep them up-to-date, what’s stored there, who has access, and how they access it. Streamlined access controls via a centralized Single Sign-On platform are a good idea, as are the adoption of password managers and 2FA as standard. Next, be sure to monitor the estate continuously to gain instant alerts on suspicious activity. The challenge is that your organization will likely have multiple monitoring and alerting solutions in place, making alert overload a real issue for analysts. Incorporating a centralized monitoring platform is essential; otherwise, potential breach incidents will be lost “in the noise.”
Be More Strategic
The ultimate goal for IT and security leaders is to get the board to care. This will free up vital funding for initiatives and help you to build a security-centric organization. But this is easier said than done, especially when technology and business leaders often speak different languages. Initiatives like MITRE ATT&CK can help here by creating a lingua franca for describing attack methods that bridge various tools and can be understood by non-technical staff. Tangible metrics are also essential to help business leaders justify spending and understand how investments reduce cyber risk.
With senior management on board, it’s time to bake security into everything you do as an organization – from staff training to the development of new products and services. Security-by-design and by default will take time to achieve. But businesses who get there first will be far better set for success in the post-pandemic era.