Joseph Carson at ThycoticCentrify closes 2021’s Cybersecurity Awareness Month with an explanation of the requirements of a “cybersecurity first” strategy
As we close out the 2021 Cybersecurity Awareness Month, the theme for the last week of October is “Cybersecurity First.” This concept is an interesting one, so it’s important to break down its meaning. It lays down the premise for a ‘cybersecurity by default’ approach, where all business activity is naturally underpinned by it.
When we think about the purpose of cyber-security, we think of protection and defence for businesses and people against those individuals and groups intent on damage and harm. If we take away the business and the people, then security has no purpose. The two must therefore go hand in hand, and we must carry this concept forward as an ongoing policy.
In order to establish a ‘cyber-security by default’ practice, there are two important factors that must be met: keeping cyber simple, and in the background. Essentially, cyber-security must be accessible for all individuals, but also remain that invisible but acknowledged force-field around a business even as its physical perimeter disappears.
Safe but simple
Our digital society has made cyber-security a world-wide problem, impacting every single individual who ventures online. And given that a significant portion of the population has no specialist training in this area, cyber-security must be made accessible for all.
If businesses ignore employee limitations and deploy high-end, complex security solutions, then workers will soon find ways around them, which undermines the entire intention. It would be like having a brand-new Ferrari in the drive without the key. Simply showing employees that there is a shiny new company asset won't solve the problem if they can't actually use it.
In some cases, cyber-security has become unnecessarily complicated, meaning help desks have been created as an interface between this complexity and the users. This adds further steps for workers trying to interact with security, which will ultimately put them off trying again. It's important to remember that whilst all employees must have some level of awareness, they should not be expected to become cyber experts overnight. Businesses therefore should not be delegating all responsibility to those without specialist training. At the end of the day, everyone has their own job to do.
Instead, a greater focus is needed on making security controls more transparent and ensuring these solutions only interact with users when absolutely necessary. Not only will this make deviations from cyber policies less likely, but it will also encourage greater enthusiasm from employees if they feel like they can actually contribute, rather than feel out of their depth.
Out of sight but never out of mind
In an ideal scenario, cyber-security plays the role of facilitator for business operations in a safe and secure environment. And in order for this to take hold, we need to step back as an industry and realise that adopting a strict ‘cyber first’ approach isn’t always necessarily the best way forward. Cyber-security should support and align with business needs, so really the two go hand in hand.
Smooth and successful business operations are what keep companies afloat. If cyber-security policies begin to interfere with this priority, then the whole system will fail. Instead, security should become a discreet safety net: everyone knows it's there and can use it easily, but it isn't being pushed in their faces.
Again, this aligns with the 'cyber-security by default' approach. To achieve this, businesses can build security into products and processes, provide training as part of employee onboarding, and arm workers with all the tools they need.
For example, teams can move passwords into the background by using a dedicated password manager rather than the browser's built-in one. Credentials saved in a browser are typically protected only by the operating-system login of the user who saved them, so any attacker or malware running as that user on the endpoint can read them, which can leave thousands of credentials open to attackers. The same over-exposure applies to data at rest: nearly two-thirds of companies have over 1,000 sensitive files open to every employee, and therefore to any attacker who breaches the network.
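One concrete way to enforce the "password manager, not the browser" point above is through the browser's managed policy, which keeps the control in the background: users never see a "save password?" prompt, and the corporate manager's extension is simply present when they log in. The following Chrome policy file is an added example, not from the original article or from ThycoticCentrify. It uses two real Chrome enterprise policy keys, `PasswordManagerEnabled` (which defaults to `true`, the weak setting, when no policy is set) and `ExtensionInstallForcelist`. The file path is the standard Linux location for managed Chrome policy; on Windows the same keys are delivered through Group Policy or the registry. The extension ID is a placeholder that must be replaced with the ID of whichever password manager the organisation has chosen.

```json
{
  "_comment": "/etc/opt/chrome/policies/managed/password-manager.json (added example; EXTENSION_ID_PLACEHOLDER is a placeholder, not a real extension)",
  "PasswordManagerEnabled": false,
  "ExtensionInstallForcelist": [
    "EXTENSION_ID_PLACEHOLDER;https://clients2.google.com/service/update2/crx"
  ]
}
```

After deploying the file, `chrome://policy` on a managed machine should list both keys with status OK; if `PasswordManagerEnabled` still shows its default, the policy directory is not being read and saved browser credentials remain exposed.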
How do we move from cyber awareness to cyber action?
Business operations and cyber-security must exist symbiotically. It is not enough to prioritise one over the other. Cyber-security Awareness Month is an important acknowledgment and will hopefully trigger real change within organisations – meaning people will start to take a proactive approach when it comes to their security.
Gone are the days when IT teams would be crammed away in a separate room from the rest of the company. Now, these experts must be embedded within the teams so that cyber-security is built into the very fabric of an organisation. There is no room for silos in the modern security landscape, and everyone has a part to play. IT and security professionals are responsible for identifying the best practices that keep businesses safe, such as multi-factor authentication or privileged access management, and for making sure these controls are accessible to everyone.
Integrating cyber-security into every aspect of business, without allowing it to interfere with daily operations, is the surest way a company can guarantee future success. Our rapidly changing world means neither can survive without the other, and all business practices must be adapted to accommodate this need.
Joseph Carson is Chief Security Scientist at ThycoticCentrify
Main image courtesy of iStockPhoto.com