Making Sure Your Business Is Cyber Smart

Being cyber smart, the theme of this year’s Cybersecurity Awareness Month, is not unachievable, but it certainly requires investment of both time and money. 

Every business and every individual has a role to play in keeping our data safe from the hands of hackers. We spoke to some cybersecurity experts to get some top tips on how and why we must work both together and with technology to ensure we keep the cyber criminals at bay. 

Where To Invest Your IT Budget 

There are three key areas that the experts we chatted with believe need to be revaluated. The first comes as no surprise: technology. That’s because “opportunistic cybercriminals continue to take advantage of the evolving digital environments that individuals, governments, and organisations have embraced,” according to Chris Huggett, SVP EMEA, Sungard Availability Services

Raymond Pompon, Director, F5 Labs, added that “web application exploits are the biggest cybersecurity risk facing organisations today. In fact, recent research has shown 56% of the biggest cybersecurity incidents over the past five years were related to web application security issues, constituting 42% of all financial losses recorded for these extreme events. The pandemic has also thrown significant challenges at our defences and now, as employees shift to hybrid working models, another layer of complexity is added to the mix.”

In light of this landscape, Huggett believes “Cybersecurity Awareness Month should act as a timely reminder to organisations, both big and small, to review their security processes. In their hunt for ‘big game’ enterprises, threat actors are holding third-party vendors hostage to reach their ultimate targets. Organisations need a holistic view of their entire infrastructure to make sure that every touch point is secure.”

This can, of course, be challenging at a time when businesses are doing their best to make a comeback from the pandemic, but Rob Treacey, Head of Security, Professional Services, EMEA at Rackspace Technology, says “organisations should be looking to spend between 15-20% of their budget on cybersecurity.” That’s compared to the “7-15% of their IT budgets [that is currently being spent] on cyber security.” Treacey advises that “the best way to decide what you spend is to figure out what percentage of your budget is proportionate to the information assets you are protecting. If a breach within your organisation would result in irreparable reputational damage, significant customer loss or regulatory non-compliance, then you probably require a healthy security budget to prevent any of those consequences from becoming a reality.”

One of the biggest priorities to review when deciding where to spend cybersecurity budget, according to David Higgins, EMEA Technical Director, CyberArk, are “innovations like machine learning, [which] are making organisations more cyber smart because they eliminate excess login requests.” He warned that “cyber criminals know [our] dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quickly, often via common methods like phishing and impersonation. That’s why 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.” 

Gareth Jehu, CTO, Com Laude believes that cyber security practices around domain names are another thing that can often be overlooked. He advises, “one of the first places to start is implementing an up-to-date TLS encryption protocol. This protects the confidentiality and integrity of data in transit and authenticates the parties that are exchanging information. Adopting a robust domain lock solution such as Registry or Super Lock can also provide protection by implementing a domain specific approval handshake for any modification to domain name settings such as name servers. An organisation should also manage its domain assets carefully, ensuring it has appropriate and active SSL certificate coverage. Mismanagement of these certificates can lead to erroneous expiration, opening the door to disruption of critical services”

Prioritising Training & Awareness

The second element to reviewing a business’ cyber practises comes down to its people. Mark Belgrove, Head of Cyber Consultancy, Exponential-e, told us that “most businesses, despite having access to advanced protections and the best threat intelligence on offer, remain vulnerable to one key factor: human error. It is a constant vulnerability that can never be fully eradicated. The remote working whirlwind brought on by the pandemic, and the use of corporate devices on less secure home networks, often for personal use, means human error has left organisations vulnerable to even more threats in the last 18 months too.”

The problem stems down to the fact that, “while most organisations want to increase security awareness among their employees, the stark reality is that many don’t know where to begin,” explained Erez Yalon, Head of Security Research at Checkmarx. He added that “fundamentally, implementing a shared cybersecurity responsibility boils down to two tactics; increasing awareness, and providing training. Without awareness, change can’t happen. It’s the first step in helping notice a problem exists, hasn’t been addressed, and that action is needed. Staff must be made aware of their security responsibilities and there needs to be concrete alignment across departments to create a comprehensive and cohesive security program. To further this, ongoing training programs must be implemented as a priority. Often, such training sessions can be tedious, and so organisations should conduct bitesize, interactive lessons, not extensive monotonous ones.”

Jonathan Smee, Information Security Consultant & Technical coach at Grayce, echoes this message, highlighting that “there is a widening skills gap in IT security, with research from Department for Digital, Culture, Media & Sport (DCMS) stating that two-thirds (64%) of cyber firms have faced problems with technical cyber security skills gaps, either among existing staff or among job applicants.” Smee believes “organisations should therefore look to provide continuous learning opportunities and adequate training to keep their employees up to date with the latest cyber threat trends.”

Putting The Focus On Your Software

The final element we must consider, according to Rick McElroy, principal cybersecurity strategist, VMware and Bill Mason, Senior Project Manager, Distributed, is the foundation on which most of our businesses are now built – software – and the people that build it. 

Mason explains that “with the mass transition to remote and hybrid working comes a growing reliance on software to keep us connected and productive, no matter where we’re working from. But as organisations continue to integrate new tools to future proof themselves, they need to consider the security implications. Businesses should be thinking about track and trace – but not as we know it. What this means in the context of distributed workforces is tracking any potential vulnerabilities that are incorporated into third party and open-source libraries when developing software, as well as scanning code and fixing all security issues that are identified to a requisite level.” He adds, “cybersecurity is complex, and one of the best pieces of advice I have received is to ensure that your developers are following appropriate standards. They exist for a reason. They make developers’ lives easier because they give them a framework for reference.”

In McElroy’s opinion, “a lack of common goals between security, IT and developers has long been an issue, one being exacerbated by the potential complexity of today’s multi-cloud, modern app world. Teams are working in silos, and this is having a detrimental impact on a business’ security and its ability to meet objectives.” He believes, one of the biggest problems is that “security is being considered a barrier to developers and IT. We need to move from this towards a scenario where security as a technology is thought of differently. It is there to support the brand, build trust, and optimise app delivery for developers. It’s there to eliminate the false choice between innovation vs. control. This culture shift will enable stronger collaboration between security, developer and IT teams.” 

Keeping Up With The Fast Paced Cyber World

Ultimately hackers will always be one step ahead – constantly coming up with new and innovative ways to disrupt the cyber world and get access to our data. The best we can do to keep up is put cybersecurity higher up the priority list and take note of the insights from experts like this. Only then will you have the best chance of winning the cyber war. 

Dark ReadIng:         DCMS:        F5 Labs:      Grayce:        Distributed

You Might Also Read:

Data Is Your Most Valuable Asset. How Are You Protecting Yours?:

 

« New Report: Average SIEM Deployment Is Over 6 Months
US Cyber Security ‘Kindergarten’ Compared To China »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

HDI

HDI

HDI is the worldwide professional association and certification body for the technical service and support industry.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

RBCCPS is an interdisciplinary research and academic centre within the Indian Institute of Science focused on research in cyber-physical systems.

PECB

PECB

PECB is a certification body for persons, management systems, and products on a wide range of international standards in a range of areas including Information Security and Risk Management.

Telesoft Technologies

Telesoft Technologies

Telesoft Technologies is a global provider of cyber security, telecom and government infrastructure products and services.

Datplan

Datplan

Datplan offers a software solution that gives an overview of 8 key cyber risk areas, their threats, and risk management steps.

JobStreet.com

JobStreet.com

JobStreet is one of Asia’s leading online employment marketplaces in Malaysia, Philippines, Singapore, Indonesia and Vietnam.

InfoSec Conferences

InfoSec Conferences

InfoSec Conferences is an online directory of infosec conferences. We list every single Information Security conference, event and seminar within every niche in Cybersecurity.

Dashlane

Dashlane

Dashlane puts all your passwords, payments, and personal info in one place that only you control. So you can use them instantly. Securely. Exactly when you need them.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

blueAllianceIT

blueAllianceIT

blueAlliance IT is an investment and growth platform that unites local MSP and IT companies around the nation, helping them to grow and operate competitively.

Wazuh

Wazuh

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Apono

Apono

Apono enables DevOps and security teams to manage access to sensitive cloud assets and data repositories in a frictionless and compliant way.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.

CovertSwarm

CovertSwarm

Since 2020 CovertSwarm have been radically redefining how enterprise security risks are discovered. We outpace the cyber threats faced by our clients using a constant cyber attack methodology.

Haiku

Haiku

Haiku stands at the forefront of cybersecurity upskilling, leveraging video games to immerse you in a flow state for accelerated, enduring learning.