- May 14, 2024
- Category IT management
Human Factors Threaten SMB Cybersecurity Efforts
Small and medium-sized businesses may be spending more on cybersecurity, but human factors still pose a significant threat.
A recent survey by password manager provider LastPass of more than 600 business and IT security leaders from companies with fewer than 3,000 employees found that although SMBs have become proactive with security investments, human factors continue to make them vulnerable to attacks by cybercriminals.
The LastPass survey found there was a gap between how SMB leaders were tackling cybersecurity and employee behaviours.
The good news is that SMB executives have increased their attention and investment when it comes to cybersecurity. The LastPass survey found that 90% of IT leaders and 80% of non-IT leaders reported an increased focus on cybersecurity measures over the past year, with 82% of businesses boosting their cybersecurity budgets.
The bad news is there’s a disconnect between executives and their employees. Most executives and IT leaders said they feel confident about their cybersecurity measures, with only 30% of leaders believing their company faces a high risk of cybersecurity threats.
However, among the rank and file, only 78% of non-IT leaders believe employees understand the security expectations of their jobs, the survey found. More troublesome is that 1 out of 5 non-IT leaders admits to circumventing security policies, while 1 in 10 IT security leaders admits to circumventing security policies.
The LastPass survey suggests that despite increased investment in cybersecurity, SMBs’ efforts are being undone by employee behavior. To get the most from their security budget, SMBs need to be mindful of the human factors that make the organization more vulnerable to an attack and subsequent data breach.
Small steps go a long way, and LastPass makes five key recommendations to encourage employee behavior that mitigates human factors that might put the organization at increased risk:
Ramp up cybersecurity education: SMBs should develop clear communication strategies and regular training sessions for all employees so they understand their role in maintaining robust cybersecurity, and every part of the organization must understand and commit to security policies.
Create incentives: SMBs should have stronger incentives for security compliance, balanced by stricter consequences for violations as well as policies for when it’s acceptable to bypass security measures to get work done. A culture of reporting violations must also be fostered.
Embrace threat intelligence: SMB leaders must be able to identify and protect valuable and critical business information and know where the threats are coming from by investing in a threat intelligence-led security program.
Mandate password managers: Password management requires critical attention, according to the survey, so password managers combined with continuous education on password security are essential.
Brace for AI threats: Phishing attacks, cloud vulnerabilities, and the potential for business data loss due to ransomware attacks or malware are getting help from AI, so it’s important to fight fire with fire and adopt AI-driven security tools that provide advanced threat detection and response capabilities.
Cybersecurity is a continuum, and SMBs can’t be complacent even with increased investment. Human factors must be continually addressed through education, policy, and technology adoption.
More security tools don’t automatically mean your business is fully protected – blowing the budget on cybersecurity will have diminishing returns. You need to spend smarter, especially if your budget is constrained.
In addition to having the right technology, you need to have a proper framework to guide your security investments. These frameworks include how you manage user onboarding, remote access to your network and who’s allowed to spin up new applications in the cloud. Having accurate and transparent guidelines for how employees work will enable you to be precise with your security investments.
You must also understand your organization’s attack surfaces – operating systems, device types including employee laptops and smartphones, cloud technologies, browsers and email clients will all determine how you spend your budget for security. They are all vectors for threat actors to exploit.
It’s critical that you implement effective controls to protect applications and data, along with a method of ensuring they are functioning consistently and effectively. Most of all, you must look for opportunities to automate because one of the biggest line items in your security budget is people.
Consider all points of access
Your controls for protecting applications and data should be ready to confront ransomware, malware, distributed denial-of-service (DDoS) attacks, internal threats due to disgruntled employees and human error, bearing in mind that each vulnerability is a doorway that opens wider access to your IT infrastructure. These controls must be ready to deal with a dynamic landscape as threat actors are constantly changing their tactics and techniques and consider every access point an opportunity.
Even if you’re fully leveraging cloud technologies to run your business, you can’t depend fully on your cloud service provider to secure your applications and data – you need to understand where their responsibilities end and yours begin. If you’ve not moved to the cloud, doing so can help you get more for your security budget.
Prepare for a breach
Even if you’re confident that you’ve enabled all the proper controls, your security budget should account for a data breach – you need to assume that a threat actor might gain initial access and be ready to mitigate and learn from the attack.
One way to ready yourself for a breach is to fully understand what’s normal for your organization. It’s easier to spot malicious activity when you have a baseline for what is standard operating procedure. Having the right endpoint detection and response (EDR) tools goes a long way toward providing the necessary visibility to proactively protect your data and applications. You must also remember that each system comes with its own settings and best practices that contribute to your overall security.
Automation pays off
Given everything you must monitor and control, and assuming it’s just a matter of when, not if, a breach occurs, you must automate wherever possible if you’re to attain maximum protection and resiliency within a constrained security budget. Even if the sky were the limit, the competition for cybersecurity talent is fierce.
You can’t detect, manage, mitigate, remediate, and maintain an adequate security posture without automation. You must be able to update software, firmware, and patches automatically as much as possible while also tracking the behavior of every asset over time so you can maintain their security consistently as employees come and go and passwords are changed.
You can best get the most out of your security budget through automation by doing it in concert with your broader IT systems, especially those already set up to track your assets. Cloud-based technologies can also aid in mapping and scoring your security budget.
If you’re a smaller organization, you should consider turning to a managed service provider to help you automate as well as evaluate your security frameworks and tools. They can take on many aspects of data and application protection, help you redeploy your staff most effectively and get you the biggest bang for your security budget.
- February 14, 2023
- Category IT management
There’s No Security Without Visibility
If you don’t have visibility into your IT infrastructure, you can’t have confidence in your overall security.
This is especially true for those in the manufacturing and energy sectors that have a great deal of operational technology (OT) and industrial control systems (ICS), as their security can impact the broader organization through its integration with more conventional IT systems.
An annual report released by Dragos outlined the visibility challenges faced by ICS/OT networks when it comes to identifying vulnerabilities in ICS/OT devices as ransomware attacks on firms with ICS/OT infrastructure increase. These attacks demonstrate how industrial firms have their own set of variables when it comes to security and establishing visibility across all systems, especially as the industrial internet of things (IoT) becomes more ubiquitous.
But even outside industrial systems, visibility is critical for robust security, especially as remote work continues and many businesses settle into a hybrid approach. Whether it’s an ICS/OT device in an industrial setting, an IoT sensor for agricultural applications or a laptop for a road warrior leading your sales initiatives, you must be able to see these devices on your network and understand their vulnerabilities.
No matter why your digital footprint is expanding, security visibility becomes increasingly difficult when you must keep track of home office, on-premises and cloud-based endpoints. Your attack surfaces are proliferating, and you must be able to see all of them – you can’t get the visibility you need to identify the gaps in your security programs and controls without the right tools and best practices.
And there are many elements you must be able to see and control:
- Endpoints of all sorts are your weakest links as they exchange data over a variety of network connections
- Because it’s so easy for business users to spin up whatever cloud-based services they think will help meet their objectives, you run the risk of shadow IT that’s connecting to your infrastructure without proper governance
- Even before remote work became the norm, remote offices meant a more distributed workforce, which is more difficult to monitor than ever thanks to home offices and mobile devices
- Cloud services can allow you to delegate security to the provider of a service, but it’s still a shared responsibility
These are just some of the key elements of your IT infrastructure that require visibility if they are to be fully secured, and it’s helpful if you break down visibility into three broad categories if you’re to attain it organization-wide.
Operational visibility includes operational compliance and operational processes, as well as user visibility so you understand who has access to data and why, including applications. People come and go and responsibilities change, so you must have best practices for onboarding and off-boarding employees as well as device lifecycle management. A zero-trust approach to security can help to improve user visibility.
Technical visibility has become more difficult with more distributed workforces and IT environments – you must understand all the threats and vulnerabilities that might affect your systems, connections and devices, whether it’s a laptop, server, smartphone or narrow-purpose IoT device.
Your organizational visibility determines your awareness of any threats to your brand, reputation, and intellectual property. This level of visibility requires not only security tools but also best practices and processes.
At the end of the day, however, visibility is all about knowing where your data is so you can protect it – it’s the lifeblood of your business. A managed service provider can help you make the right links between visibility and security so you can build a true picture of your IT infrastructure across every system and endpoint.
- September 15, 2022
- Category IT management
Are you ready to support the hybrid office?
If you’ve got employees coming back to the office while still allowing staff to work from home, you’ve created a hybrid office environment that can create challenges when onboarding staff, providing ongoing support, and securing a vast array of endpoints.
In some ways, having everyone work remotely is more straightforward – when you have employees coming and going from the office, the environment becomes even more dynamic because the definition of hybrid work can vary depending on how you manage it and company policy. Consider the different scenarios:
- The “at-will and remote-first” approach means employees are empowered to prioritize working remotely
- An “office-first” policy falls at the other end of the spectrum and resets the organization to pre-pandemic norms
- “Split weeks” mean days are assigned as either remote or office-based according to a schedule while certain employees might be assigned to be in the office on a week-by-week basis
- Some organizations are designating who must be in the office and who can work from home on a team-by-team basis
No matter what you choose, a hybrid work environment reinforces the need for a cloud-first approach for business applications and robust cybersecurity. You also need to support collaboration for remote workers and those who opt to be back in the office – and everything in between. A hybrid approach may also mean people no longer have assigned workspaces – hotdesking adds complexity to workstation support and endpoint security, which should always be a high priority. Employees who are on the move risk bringing threats to the office with them.
The emergence of the hybrid office comes at a time when threat actors are upping the ante and exploiting as many attack surfaces as they can – it can be difficult for your IT team to keep on top of everything and it takes time away from more strategic initiatives such as digital transformation.
Even before the pandemic and shift to remote work, your IT team was under a lot of pressure to secure infrastructure and protect customer data. If you haven’t already turned to your managed service provider (MSP) to help you bolster cybersecurity, a hybrid work environment should be your tipping point. They can take charge of many security tasks that can otherwise bog down your IT staff, such as overseeing antivirus software and firewalls, and even identity management for all workers, no matter where they decide to work.
If your MSP is helping you with a cloud-first approach, they’re able to monitor your end-to-end infrastructure, including every workstation in the office or at an employee’s home office. They can take charge of onboarding employees so they can access business applications from anywhere and deliver security training services.
Getting a handle on what the hybrid work environment means for your business and relevant IT requirements is an excellent opportunity to expand your relationship with your MSP. Not only can they securely provision and manage the services you need, but also help you better understand your workforce in this new, dynamic landscape so you can enhance service delivery to your customers and maximize employee productivity.
- July 25, 2019
- Category digital transformation
Achieve IT Agility Through Automation and Strategic Outsourcing
IT agility is a key element of successful digital transformation, and it means having the right people doing the right job. It may also mean not hiring a person, but a service provider instead.
Knowing when you should hire a full-time employee or when you should outsource an IT function requires a clear understanding of your IT strategy, what roles you have filled and what positions you’re missing. Most importantly, IT agility means recognizing that while some job titles haven’t changed, the work these people do day to day has changed over the years, and digital transformation will continue to influence the evolution of the IT department.
Digital transformation has redefined roles
Managing IT is a different job than it was a decade ago, and digital transformation continues to spark changes to job descriptions, as well as the responsibilities of the entire IT team.
It’s no longer enough to keep the engine running. IT agility demands that you be more strategic and align with the organization’s overall business strategy while facing heavier workloads. In the late ’90s, a system administrator spent most of their time supporting computer hardware and telecommunications for desktop users, but today a big part of the job is maintaining multiple endpoints, including user, access, and device policies, while also monitoring many physical and virtual environments, many of which are hosted in the cloud.
IT managers, meanwhile, are now tasked to do more than just develop and manage applications. They must also keep tabs on technologies around the corner that might deliver business value and justify their inclusion in the IT budget, as well as demonstrate how they can create competitive advantage. IT managers must also be more security focused than ever, and are likely working with an IT security team, or even a Chief Information Security Officer (CISO).
And let’s not forget the CIO, a role that’s been on the rise the past 20 years and is probably the best example of how IT teams and jobs have evolved since the turn of the century. CIOs—and CISOs, as well—are spending more time in the C-suite, and their job has gone far beyond just keeping the lights on.
Support IT agility with automation
No matter what you’re called—CIO, CTO or IT director—your role is more dynamic and challenging than ever. You’re probably having to do more with less, including tackling a digital transformation agenda as well as keeping the organization secure.
Digital transformation involves some strategic thinking, but it also means you’re looking at how you can migrate away from legacy infrastructure to new technology systems that will be flexible and scalable over the longer term. It also involves fostering cultural change.
To deliver value to the organization and keep it secure, IT leaders and their teams must be more agile. Developing IT agility means making the most of your staff and making sure they’re focused on strategic activities—not bogged down by repetitive tasks that can be automated. Automation enables you to get more done without adding to your headcount and can also give you some clarity as to what people need to be doing and what skills are needed to get the work done.
Having the right IT skills is a perennial problem, and a lack of skills, especially around security, puts an organization at risk. Filling the skills gap is a priority for any leader as it’s necessary for meeting their digital transformation goals as well as maintaining compliance in increasingly regulated business environments thanks to legislation such as the General Data Protection Regulation (GDPR).
Ideally, IT agility feeds itself—as you become more agile and identify where you need to improve, your team becomes more empowered to tackle new problems and come up with creative solutions.
The competitive advantage of “people on demand”
Beyond automating things people shouldn’t be doing and addressing the skills gaps in your IT team, you need to think about what might be done outside of the organization more cost-effectively.
Given your strategic goals including your digital transformation efforts, do you really want your IT staff troubleshooting end-user problems? Do you want your IT people worried about keeping toners in copiers or the printers from being hacked? Can you afford to pay a premium to keep a database administrator on staff when they may be idle half the week?
Just as you’re able to scale up computing on demand via the cloud, you can complement your in-house team with part-time talent on-demand to achieve the IT agility necessary to push your digital transformation agenda forward.
Sanjeev Spolia is CEO of Supra ITS.