Cybersecurity needs to grow-up
- 08 October, 2018 09:44
Start-up companies need to grow and mature as a business to succeed. Cybersecurity practices in organisations are like the perennial teen, they can be ignored at times but expected to respond when needed. Organisations often struggle in making cybersecurity related decisions and sometimes the implementation of security plans present businesses with questions they’d rather not answer or investment costs they’d rather not have.
The cybersecurity landscape is continuously evolving. Like a game of chess, you make one defensive move and threat actors respond. Attackers will focus on points of vulnerability and new technologies or platforms that are ripe for exploitation. Like a wolf pack, attacks are becoming more coordinated and targeted. The solution is not to layer security strategy upon security strategy, hoping a hive mentality will halt the incoming threat. No, organisations need a cybersecurity program that is mature, that can stand up to the wolves and effectively minimise risk.
Organisations require cybersecurity that keeps them resilient from cyber threats, because no business is invulnerable. During the past 12 months, 67 per cent of Australian organisations were impacted by a security threat. Furthermore, based on incidents investigated by Secureworks in 2017, the top recommendations that could have prevented the breaches are all fundamental security practices. These data suggest that Australian organisations are more likely than not to suffer a security threat. The term cybersecurity resiliency is, therefore, a better term to describe the level of security maturity organisations should seek to achieve.
By planning, understanding their business landscape, and implementing the right level of security for its environment, businesses can develop their cybersecurity program into a mature, effective tool.
Determine the organisation’s inherent risk profile
Cyber-attacks are a risk to all businesses. They have become larger, more targeted, and more likely to cause serious damage to organisations. Cyber-attacks can impact the standard operations of a business, affect reputation and have a financial impact. Therefore, organisations must develop a strategic and overarching view of their inherent risk profile, and identify key risk areas that need to be patched. Organisations will then be able to develop security capabilities that minimise these risks most effectively.
Technology does not mean maturity
Too many organisations think of a good cybersecurity program as a kit of technology solutions, often done to help meet compliance requirements. Investing in technology solutions does not mean that all potential security gaps have been addressed. You have fire alarms and other security sensors in your home, but is there response training and periodic testing to ensure they work?
An effective cybersecurity program requires repeatable proactive actions. Investing in security tools can be beneficial, but only if the IT team are able to use them to prevent, monitor, detect and respond to cyber threats.
Avoid a checklist approach
Established industry frameworks provide great starting points to cybersecurity execution. Frameworks like the NIST Cybersecurity Framework and ISO27001 can lead organisations to take a checklist approach to security, but could leave organisations investing in solutions and processes in isolation with limited visibility of what they are protecting or what they are protecting against.
Security maturity is about having the right level of security for an organisation’s environment. The output from cybersecurity programs should be suitable for the level of risk that the organisation faces and the type of business it operates. Organisations should leverage the framework, adopt it in its entirety, and factor in their unique business risk profile and industry benchmarks.
In order to thrive and succeed, businesses need to consider market trends, address emerging risks, leverage new technologies, and evolve their strategies. But just as applications and businesses are improving and innovating every day, so are threat actors. The emerging technologies that enable business innovation also enable new malware, attack vectors and techniques.
As a nation who loves sports, we find sporting teams are constantly revising their strategies, bringing in new players to fill gaps and plug flaws. Organisations need to consider a similar approach with cybersecurity, continuing to reassess their strategy, and identifying the next area of risk that needs mitigating.
Think about the future
It is no longer enough for cybersecurity to be an afterthought. To be truly mature with security, cybersecurity and privacy must be built into all organisational activities. Integrating security early in the development process (“security by design”) and including it in user training helps to create a culture of security where everyone treats data and services in line with their true value. More technology is not the most efficient approach for organisations looking to reduce their risk of cyber-attacks. Organisations need a coordinated approach across all the business layers to reduce inefficiency and complexity, maximise investments, and reduce risk exposure.
We are all familiar with the term maturity in some way – we talk about a company with mature business processes or a mature individual as someone with experience, knowledge, and proactive thinking. Cybersecurity practices need to mature as well from a people, process and technology standpoint. Companies that have achieved security maturity understand that cybersecurity is a necessity. Leaving holes open now will be detrimental in the future. Cybersecurity needs to grow up, and organisations have a role to play in guiding it to maturity.