- May 30, 2024
- Category: cybersecurity
Cybersecurity is an Executive Management Concern
Cybersecurity hasn’t been just an IT management issue for a long time, and executive management can’t afford to sit on the sidelines while data breaches continue to threaten the reputation and financial stability of the organization.
The executive management of many small and medium-sized businesses (SMBs) often make the mistake of thinking the organization isn’t of interest to threat actors, when in fact their cybersecurity risk is just as significant as large enterprises. They assume their IT teams have put in place the necessary technology and resources to protect the organization, and that the cloud-based applications they run are completely secured by the vendors and service providers.
Cybersecurity is also a line item in a budget, and executive management may feel as though they cannot justify the necessary spending given the pressure to manage wages, shareholder expectations and other costs while keeping the prices of their own products and services competitive.
It can also be difficult for executive management to understand the return-on-investment (ROI) of strategic cybersecurity spending, but the upfront and ongoing costs of robust security are cheaper than the financial consequences of a data breach.
The disruption caused by a cybersecurity incident will cost your business money because it invariably leads to the inability to operate at full capacity – your business can be completely unable to serve customers for not only hours, but days or longer.
This inability to serve customers leads to a loss of business and revenue not only because of the disruption itself, but also because of the damage to your reputation in the eyes of customers and suppliers. Depending on your regulatory obligations and your industry, you may face audits, investigations and even fines, which are far more expensive than investing in strong cybersecurity.
Executive management must stay in the loop and understand where the organization stands when it comes to its security posture. They must demand regular assessments, so they have confidence in what cybersecurity defences are working well, which ones need improvement, and which ones are non-existent.
By having clear visibility into the cybersecurity strategy of the organization, executive management can understand how investments can be made to improve security and how they align with business uptime objectives and regulatory compliance obligations.
Developing your own internal cybersecurity risk assessment will allow you to tailor it to the realities of your business, but you should consider aligning with well-established cybersecurity frameworks and seek the input of outside experts. A managed security services provider can help assess your current state of security and help you implement protection and response strategies that will give everyone peace of mind, including executive management.
- December 15, 2022
- Category: cybersecurity
How Cybersecurity is Shaping Up for 2023
Remote work during the pandemic and the current dynamic of hybrid workplaces have had a strong impact on how you must manage cybersecurity. Remote work isn’t going away, while other longstanding trends as well as new realities will affect cybersecurity in 2023.
Ransomware remains a major threat
Expect ransomware attacks to continue to be a factor in your cybersecurity planning, as threat actors move from encrypting files to targeting third-party cloud providers while continuing to use aggressive, high-pressure tactics to extort victims, including data-encrypting malware and more novel infiltration approaches.
Global geopolitics will affect your business
The ongoing conflict in Europe will mean some of those ransomware threats will come from Russia. Overall, 2023 is going to begin with a great deal of uncertainty and tension, with more state-sponsored threat actors looking to destabilize global economies and specific industry sectors such as logistics and shipping, energy, semiconductors, and financial services.
Zero Trust adoption will grow
With more workloads being moved to the cloud, a Zero Trust approach to security will become more compelling and necessary in 2023, transforming how you secure your infrastructure, including network penetration testing.
Automation will increase, too
It’s near impossible for organizations of any size regardless of budget to keep up with the volume of threats, which means 2023 will see even more automated cybersecurity, enabled by artificial intelligence (AI) and machine learning. The downside is the bad guys can leverage automation and AI, too, which means organizations will need to take a more active approach to cybersecurity.
Watch out for bots
Speaking of automated bad guys, be prepared for more bot activity in 2023, which can automate and expand attacks as perpetrators rent out IP addresses to make it difficult to track them.
Your own IT is a threat
Between shadow IT and the proliferation of endpoints either due to remote work or internet of things (IoT), there’s no shortage of attack surfaces for threat actors in 2023. If your endpoints aren’t properly configured and you’re not keeping a handle on shadow IT, your cybersecurity posture will be drastically weakened.
Your people can still be a problem
Even with all the right technology in place, the biggest threat to cybersecurity in 2023 will continue to be your own people, whether it’s by accident or due to insider threats from unhappy or former employees. Training combined with a Zero Trust approach will mitigate risk to your business.
What won’t change in 2023 is that cybersecurity isn’t something most organizations can handle on their own, so if you haven’t already, make it the year you see how a managed service provider can help evaluate and shore up your security posture.
- August 31, 2022
- Category: cybersecurity
Insurance not a substitute for good cybersecurity
You don’t use auto insurance as an excuse to drive recklessly, so why would you cut corners on cybersecurity because you have ransomware insurance?
With ransomware attacks doubling in 2021 compared to the previous year – due in large part to the massive shift to remote work – the average cost of a data breach grew by more than 10% to record levels in 2021 as threat actors took advantage of a broader attack surface that resulted from a hybrid work environment.
Much of the costs of these breaches were covered by insurance, including ransom payments, but cybersecurity insurance providers are becoming more selective with their coverage as payouts have increased – qualification processes are more rigorous and the threshold for a payout is getting higher.
If you were depending on cybersecurity insurance without a data protection strategy, you need to seriously rethink how you implement security in your organization.
As ransomware attacks rise, so do premiums
For starters, the number of ransomware attacks is only going to get higher as more and more threat actors with a wide array of experience and expertise look to make money off data breaches – cybersecurity insurance is not going to be enough to save your business.
It’s not that you should cancel your insurance – you should be prepared to pay more – but you must also have people, processes, and technology in place to secure your business and sensitive customer data. Making an insurance claim should be a last resort – no matter how much you pay for it, it won’t bring your data back if you fall victim to a successful attack.
You really don’t want to be paying the ransom, even though many companies go that route – that only emboldens the bad guys to keep at it. Some insurance companies are no longer even covering ransomware payouts. If cybersecurity insurance premiums are going up and not covering what they used to, it’s time to implement better security practices – prevention is much more affordable in the long run.
Your MSP can help you up your security game
Cybersecurity awareness should be something that touches everyone in your organization, including the understanding that a data breach costs the business money – and your insurance provider expects you to raise your game to take a more proactive stance with security.
Even if you’ve put the effort into your cybersecurity, keeping it current and staying on top of all the threats can be daunting. With so many systems, endpoints and users, visibility is your biggest challenge, and understanding the threats, attack surfaces and vulnerabilities requires a great deal of time and resources, including skilled people.
That’s why you should turn to your managed service provider for guidance – they’ve got to contend with rising insurance premiums too and know that prevention is better than getting the cost of a ransomware attack covered. They already have visibility into your infrastructure and can help you put all the people, processes, and technology in place so you can qualify for cybersecurity insurance but hopefully never have to use it.
As we wrap up the first quarter of the year, some trends are emerging around cybersecurity that affect businesses of all sizes.
Not surprisingly, these trends are being driven by the impact of the pandemic, as remote work continues, and organizations look to establish a new normal of flexible work hours and hybrid teams.
Cybersecurity is getting more expensive
The cost of securing the organization is going up, and so is the cost of not having robust security. According to a report released last year, the global average cost of a data breach surpassed 4 million U.S. dollars. These costs are attributable to lost revenue and lost customers, fines for non-compliance, and even ransomware payouts. For larger organizations, it’s the cost of doing business, but for smaller ones, it can mean the end. Investing in cybersecurity is also expensive, but it’s an investment that pays off in the long run.
People are the deciding factor
Social engineering remains a preferred tactic of bad actors when it comes to gaining access to systems, stealing data, and disrupting systems. Ransomware continues to be one of the most popular types of attacks, and remote work has made it easier for threat actors to target vulnerable users. This means training employees with sufficient security awareness is more critical than ever so they can spot a phishing email and understand the need to adhere to security policies. Given that passwords remain integral to managing access, there’s an increase in adoption of biometrics to add an additional layer of security to turn people into their own password by using their individual characteristics to facilitate access.
The bad guys are getting smarter
Threat actors see the benefit of honing their skills because it makes them more successful, especially when the motivation is money. Whether it’s remote work or other circumstances, they’re always looking for new avenues with vulnerabilities they can exploit. As organizations adopt new ways of working, including flexible hours and workspaces for employees, cybercriminals are going to look for windows where they can access data and disrupt systems.
One trend that’s been clear since before the pandemic is that security cannot be just an issue for IT to manage. If organizations are to implement effective cybersecurity, they need the support of the C-suite, who can lead by example and provide budgetary support with an understanding that cybersecurity impacts the bottom line.
- December 10, 2020
- Category: cybersecurity
Not all business information is sensitive data
The trick to protecting sensitive data is understanding not all business information must be protected.
Even organizations that understand the need for robust information security spend heavily on software and hardware without measuring its return on investment (ROI), only to still fail at safeguarding the most sensitive information that’s the lifeblood of their business because they failed to define what it is before applying security controls.
If you want to adequately protect your most valuable data, you must understand which business information is most critical to your bottom line.
Not all data is equal
It seems counter-intuitive, but the reason information security often fails to protect sensitive data is the mistaken belief that all information must be protected equally. Even before the pandemic and remote work became the norm, distributed workers, branch offices, mobile devices, and the evolving Internet of Things (IoT) meant organizations have had to become smarter about how they secure sensitive data. Now it’s more important than ever to make the business case for information security.
The business case isn’t a request for a bigger information security budget or more technology. Rather, it’s about identifying sensitive data, understanding its value, and being clear about what’s necessary to protect it. You need to operationalize a change in mindset that delivers ROI and protects the sensitive data that powers your business. However, it can be difficult for organizations to step back and understand what data is the most valuable when it’s growing exponentially.
One thing is for certain, however: Trying to protect every single bit of data equally isn’t cost effective.
Sensitive data must be defined to be protected
If organizations are to marshal their information security resources effectively, they must narrow their scope and define what constitutes sensitive information. While the definition can be guided by compliance and regulatory obligations, it’s just as important to figure out what data constitutes a critical asset to the business.
Just as a fleet of trucks is a critical asset for a transportation company, every business today has stored information that is critical to daily operations, and that’s the sensitive data that must be protected. Otherwise, there are financial repercussions in the form of lost competitive advantage and fines for non-compliance, both of which lead to lost revenue, as do settlements from litigation and damaged reputations.
While compliance obligations and privacy legislation do dictate that some information be prioritized by information security strategies, they’re just the beginning. A healthcare organization may have all its patient data effectively secured but not have all its research data protected, even though that data is just as valuable: it may support a patent application or attract grant money, and has the potential to generate revenue. Personally Identifiable Information (PII) is always an obvious candidate for protection because compliance and regulatory frameworks deem it sensitive, but intellectual property or data that’s essential to running your business is just as critical.
Treat sensitive data like a business asset
If you want to get ROI from your information security spending, you need to think differently. You must understand your data on a deeper level so you can assign a value to it. There’s plenty of information residing in your organization that won’t cripple your organization if it’s lost. But your sensitive data must be assigned appropriate valuations that will be the basis of a business case for information security spending.
Getting an ROI on your information security spending is about anticipating incidents that haven’t happened yet, much like an insurance company considers the likelihood of natural disasters. To determine sensitive data and its value, you must weigh the cost of the protections you put in place with the financial impact of any breach and its likely frequency.
The simplest approach is to categorize data in three ways: data that can be shared freely; sensitive data that can be shared with certain audiences in specific ways; and data that must remain confidential to the organization and never be shared. The process of segmenting and prioritizing data enables you to apply the appropriate information security controls, so you understand the complete lifecycle of all data and adequately protect it based on the repercussions of losing it.
Treating sensitive data like a business asset enables you to make the case for information security so that ROI can be effectively measured and you can protect these valuable assets as you would any other important investment.
- October 29, 2020
- Category: cybersecurity
Improving security for remote workers should be a priority for IT teams
Improving security for remote workers will hopefully be an inevitable consequence of the Covid-19 pandemic, and despite the inherent challenges, it should be a priority for IT teams.
Recent reports by Cisco looking at the future of secure remote work and consumer privacy found that IT buyers had been caught off-guard by the sudden shift of employees working from home, but are now speeding up adoption of technologies to support remote work. A majority of the 3,000 IT decision makers surveyed by Cisco rate cybersecurity as extremely important or more important than it had been before the beginning of the pandemic.
Guaranteeing access, securely
The biggest challenge for all IT teams regardless of an organization’s size has been improving security for remote workers, although providing the necessary access to the applications and data they needed came first. It comes at a time when the average consumer also values security and privacy as a social and economic issue, according to Cisco.
However, the company’s own research found there was a lot of work to be done toward improving security for remote workers by IT teams, as just over half were somewhat prepared for the accelerated transition earlier this year. Endpoints, including those owned by the organization, were cited as being the most difficult to protect, according to the Cisco survey, followed by customer information and cloud systems, with the ability to securely control access to the enterprise network being the biggest challenge.
Improving security for remote workers will no doubt continue to be a priority for IT teams, even post-pandemic, as some employees will continue to want the flexibility of working from home and organizations see continued benefits, including cost savings on office space, by not having everyone in a traditional office environment.
Digital transformation can lead to a more secure cloud infrastructure
While IT teams are likely to see some budget increases that will specifically support improving security for remote workers, there are many initiatives that can help improve overall cybersecurity posture for organizations that are already common steps in a digital transformation journey.
If you haven’t already, you should establish a cloud security strategy that’s part of a broader cloud infrastructure transition. This will indirectly go toward enhancing security for remote workers while allowing IT teams to worry less about on-premises systems that were unprepared for the sudden shift to remote work. While putting more applications and data in the cloud comes with its own cybersecurity challenges, cloud deployments can scale better than on-premises solutions and provide the necessary flexibility for supporting a remote workforce.
The transition to the cloud should also include embracing new tools to stay secure, recognizing that IT teams still have some responsibility for securing cloud applications and data, even as the service provider has a role in securing systems, too. IT teams need visibility into cloud infrastructure as well as their on-premises deployments in a single interface.
At the same time, IT teams should consider what experts are calling “zero-trust security strategies.” A zero-trust approach assumes all users and endpoints could present a threat to the organization, so they must be able to prove they are trusted if they are to gain access to the enterprise network, applications and data.
You can be small and secure
For smaller organizations, improving security for remote workers is just as essential but can be a challenge for their IT teams. A managed services provider with experience helping small and medium-sized businesses with their technology infrastructure can play a key role in accelerating their adoption of solutions that can support remote workers with robust security.
Sanjeev Spolia is CEO of Supra ITS
- October 15, 2020
- Category: cybersecurity
Cybersecurity Awareness is Everyone’s Responsibility, Especially in the Remote Work Era
The shift to remote work means cybersecurity awareness across your organization is more important than ever for maintaining ongoing business operations and regulatory compliance.
Even before the pandemic, most organizations had become rather porous in nature from a network security perspective thanks to the Bring Your Own Device (BYOD) movement, adoption of cloud computing, distributed locations, and an already increasingly mobile workforce. But while security technology has emerged to keep up with these trends, it’s not a silver bullet. Every employee needs a heightened level of cybersecurity awareness.
Remote work means that how an employee manages their device at their home office can have an impact on the organization’s entire network. Their cybersecurity awareness means understanding their workstation is an endpoint that must be configured properly so as to contribute to the overall security posture of the organization.
Training is critical to maximize cybersecurity awareness amongst your employees, especially remote workers. But it’s easy to lose their attention if training isn’t clear and engaging. If you’re doing regular phishing tests for your employees, try to have a sense of humour with the email content you’re creating as part of the test, for example, but also make sure employees understand the lesson without being made to feel stupid.
Cybersecurity awareness training should be done regularly as part of regular operations, and at least quarterly, rather than being a big annual event, because threats to the organization are ongoing as hackers automate their processes to optimize their chance of success. You should also involve the executive team in your training, so everyone understands that cybersecurity awareness is critical to the success of the business. You might have the CEO do a short video, which is easy to share with remote workers.
The training shouldn’t be solely the responsibility of the security team, either. Line-of-business leaders should help to spearhead cybersecurity awareness, and it should be a part of your remote work strategy.
It’s important to remember that cybersecurity awareness isn’t only about protecting against threat actors, malware and ransomware, and malicious data theft. Employees need to understand that good security also helps the organization stay compliant with government privacy legislation and meet regulatory obligations that apply to their industry. Data breaches not only have the potential to cripple business operations and negatively affect customers, but also lead to financial and legal penalties that can profoundly affect the long-term health of the organization.
Most people have adapted to remote work for the past seven months, but because organizations are more distributed than ever, there’s a potential for cybersecurity awareness efforts to lapse, even as bad people around the world continue to take advantage of the new work-from-home reality. Those doing remote work as part of a connected organization must continue to be vigilant about security as part of their daily work habits.
Sanjeev Spolia is CEO of Supra ITS.