Whatever industry you are in, regardless of business size, holistic cybersecurity must be considered a top priority and an integral part of the digital transformation journey. Most organizations are aware of the need to allocate resources to protect themselves from information security breaches, data loss, fraud, and financial loss and have focused on building up the technical aspects of their IT security strategy through adoption of various technology tools and products.
Global spending on information security products and services is expected to grow to $93 billion this year (2018) according to Gartner forecasts. However, technology solutions alone are simply not enough to stop pervasive threats. A holistic approach to cybersecurity is necessary to effectively tackle cyber threats.
Organizations that operate solely on the belief that security merely starts and ends with a set of purchased security technology tools are still leaving themselves vulnerable to threats and attacks. If a cybersecurity program deals only with technology and does not address elements like organization, culture, or the human factor, it cannot effectively address cybersecurity.
To obtain a robust security posture, organizations need more than just an array of multi-layered security products and solutions in place; they need to consider people and processes in addition to the technology.
No Industry Is Immune
While some industries are at greater risk than others, no industry is immune to cyber threats and attacks. The top five most attacked industries in 2016, as reported in the IBM X-Force Threat Intelligence Index 2017, were the financial services sector, the information and communications technology sector, manufacturing, retail, and healthcare.
Comparing the top five most-targeted industries over the four years from 2013 to 2016, cybercriminals tend to follow the money, which is consistent with the financial services sector taking number one position for three out of the four years.
However, regardless of the industry, every organization has the potential to be under attack. Security strategies and tactics must be holistic in their approach and must continually evolve and adapt to keep threats at bay in the ever-changing threat landscape.
Top five most-targeted industries by year (IBM X-Force Threat Intelligence Index):

| 2013 | 2014 | 2015 | 2016 |
|---|---|---|---|
| 1. Finance and Insurance | 1. Finance and Insurance | 1. Healthcare | 1. Financial Services |
| 2. Manufacturing | 2. Information and Communication | 2. Manufacturing | 2. Information and Communications Technology |
| 3. Information and Communication | 3. Manufacturing | 3. Financial Services | 3. Manufacturing |
| 4. Retail and Wholesale | 4. Retail and Wholesale | 4. Government | 4. Retail |
| 5. Health and Social Services | 5. Energy and Utilities | 5. Transportation | 5. Healthcare |
Technology Alone Is Not Enough
Companies simply cannot afford to treat cyber security as an afterthought or solely through a single lens. The costs of a breach are too great to ignore, with the average total cost of a data breach amounting to $3.62 million, according to a recent report by the Ponemon Institute, The 2017 Cost of Data Breach Study: Global Overview.
Any organization that believes their cybersecurity needs are covered because they have selected and adopted solutions that they can "set-and-forget" may be in for a nasty surprise down the road.
Regardless of whether an organization has the top technical security products, hackers can use either their proximity or psychology and social engineering to bypass technology and use insiders to carry out their attacks.
The Holistic Approach to Cybersecurity
Organizations that adopt a comprehensive approach to cyber security are more readily able to successfully prevent, mitigate, and remediate attacks than those that do not. Such an approach incorporates people, processes, and technology. It considers not only the technical, but the human, social, cultural, and governance factors that are relevant to the detection, prevention, and correction of cybersecurity vulnerabilities.
A solid cybersecurity posture can be achieved through a combination of multi-layered and integrated security solutions, end user education and awareness supported by processes, security best practices, governance, and a culture of security as a shared responsibility.
There has been an explosion of cybersecurity vendors offering a myriad of security tools, products, services, and solutions. The demand for effective security products from reputable vendors is clearly growing and there is no denying that technology is an integral foundation of a strong cyber defense strategy.
In addition to practicing good basic security hygiene, organizations should deploy multiple layers of protection and the selected security tools need to be well-integrated into the overall security architecture. The technology should be manageable, as a secure environment is one that is visible, understandable, and well managed.
Simply having the security products and tools provided by reputable vendors in place is not enough. Most enterprises respond to growing cyber threats by buying more security tools and are increasingly finding themselves overwhelmed. The disadvantage of having many solutions is the need to manage all of them.
The more vendors and products a company adopts, the harder it is to optimally use them, let alone keep up with and understand each security product, its relevance and effectiveness. Security teams need to understand what’s going on within their specific network and know what they need to protect their business.
The technology should be integrated, and multiple technology solutions should provide end-to-end cybersecurity to help improve incident detection, prevention, and response, and to streamline security operations to stop threats before they reach clients.
An integrated, holistic cybersecurity approach considers the human, cultural, and social factors in an organization.
Regardless of how advanced and effective security technology tools are, successful deployment and implementation of the technology is not possible without competent people, and support processes within the context of an overarching cybersecurity strategy. Technology alone is not the solution. People and processes are just as important.
Cybersecurity is a human-centric field. After all, cyberattacks are planned and executed by a person and most attacks target a person for access. As such, human behavior is key to plugging security gaps. People in the organization can either be the weakest link in the security chain or can be the key to strengthening the overall cybersecurity posture of the business.
Skilled IT and Security Professionals
To successfully deploy cybersecurity strategies and programs, expert security professionals are needed.
Building a strong cyber defense strategy means having a team of well-trained and certified people who are skilled in technology. Not only do security professionals need to understand advanced threat vectors and be able to recognize, respond to and mitigate threats to information assets and associated infrastructure, they need to do so in the context of the social environment of people, enterprises, and related processes.
IT and security professionals need to know much more than just a set of baseline security practices. Cybersecurity demands specialist security skills, intelligence-led risk assessments, and state-of-the-art forensic analysis skills. Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies, and incident response, and an understanding of the threat landscape and risk management.
While larger enterprises may have a dedicated team of adequately skilled and qualified IT experts and security professionals, the same cannot be said of most small and medium businesses. Organizations seeking to add cybersecurity professionals to their team are challenged with finding qualified professionals.
Skilled security professionals are in high demand: there are over 1 million unfilled jobs, and this number is expected to climb to 3.5 million by 2021. There is a cybersecurity workforce shortage, with a zero-unemployment rate in this field.
Organizations that do not have the adequate in-house security expertise need to find alternative ways to bridge the cybersecurity skills gap.
Lack of awareness is of concern for small and medium businesses, who often lack dedicated IT security teams and share cybersecurity responsibilities among IT and non-IT workers, Kaspersky Lab noted in its report. Smaller and mid-sized businesses tend to be most vulnerable to threats such as ransomware, since they lack the staff and financial resources to secure their IT infrastructure.
People can either be the greatest asset or the biggest threat to your security, depending on their level of education and awareness. With employees responsible for 46% of IT security incidents each year, according to a Kaspersky Lab survey, they remain a top security risk factor within organizations.
This highlights the importance of educating employees as a proactive security measure to prevent putting the organization at risk. Employee education is critical, and this applies to organizations and businesses of all sizes and types, across every industry.
While not everyone can be a cybersecurity expert, all employees should understand basic cyber hygiene practices, such as password selection, user access rights, installing updates, how to identify a potential phishing email, and company security processes and protocols.
Understanding the essentials of cyber security, and having a basic knowledge of what to look out for can empower users to be vigilant and better prepared to protect themselves and the organization from potential threats and attacks.
Employees are the key to strengthening an organization’s security posture and enterprises should leverage staff training and awareness education to boost their cybersecurity efforts.
Training and awareness should be conducted at a level appropriate to each person's role, responsibilities and risk profile, and training should be supported with realistic and enforceable policies. The focus should be on creating a security-focused culture that runs throughout the entire organization, where everyone shares the responsibility for security.
The growth of social media, cloud, mobile technology, and big data has provided more ways to pass along protected information. In many instances, breaches occur not from external parties, but from insiders. Insider threats pose a big security risk and the resulting dangers from insider attacks can easily equal or surpass those from external attacks.
Insiders can be malicious insiders or inadvertent actors and they can be employees, trusted third-party contract workers, consultants, and even business partners and service providers.
Essentially, an insider is anyone who has physical or remote access to a company's assets. Insiders not only have this access, they may also be aware of your weaknesses and thus exploit them more effectively than an outside agent might be able to. A strong cybersecurity program must include capabilities to predict both external and internal threats.
Rather than being a threat, when users are equipped with the right tools, support and culture, people can be the strongest and most valuable element of a holistic security defense.
Malicious insiders can be disgruntled employees who take deliberate actions to harm the organization. For example, they could be disgruntled employees who leave the company but still have access, privileges or create back doors before leaving to take advantage of their insider knowledge. They could use their access to attack valuable resources or sell information for financial gain. Analyzing behavioral patterns is a way to identify abnormal and malicious intent.
The inadvertent insiders or actors are those who do not mean harm but fall prey to social engineering schemes that grant access to outside attackers. Because people are at the heart of any business, cybercriminals use psychology to influence and exploit human behavior to achieve their attack missions. They rely on insiders unwittingly doing something they shouldn’t do, such as contravening IT security policy/procedures.
A lack of awareness, human error, administrative mistakes, or careless behavior can lead to employees aiding hackers by giving out sensitive passwords, losing back-up information or devices, or inadvertently releasing sensitive information, or falling for a phishing scheme.
IT Security Policies and Processes
To support your staff in keeping your information secure, there should be adequate policies and procedures that provide guidance and direction to support appropriate action and informed decision making. Procedures and awareness training should be tested to establish how effective they have been, for example through realistic rehearsals and simulation exercises, or via technical penetration testing.
As conditions and threats change shape, systems and policies need to be updated accordingly to avoid major service disruptions and significant financial losses. Of course, this means that systems, policies, processes, and procedures need to be established to begin with.
It is no good having policies and procedures in place if staff are unaware of them as this lack of awareness about company security rules could open businesses up to cyberthreats.
Worryingly, most employees appear to be unaware of their organization's information security policies and rules in place, with 88% of employees having no clue about their organization's IT security policies. According to Kaspersky Lab, 2018, only 12% of employees claim to be fully aware of their organization's IT security policies and rules.
While it is encouraging that most organizations have established security policies, it is concerning that 24% of employees said they believe their organization does not have any established security policies (Kaspersky Lab, 2018).
Once IT security policies and procedures have been established, staff should be made aware of them, and they should be enacted if they are to be effective in helping to decrease the cost of a breach and minimize lost productivity. Such policies should include backup policies, fast recovery processes, network access and user policies, network segmentation practices among others.
Employees should know exactly how to act in response to a breach, and procedures should be practiced and rehearsed before they are needed, to limit damage or protect against data loss.
A Pro-Security Culture: Security as A Shared Responsibility
Business risks can be reduced by improving user behavior and having a culture of shared responsibility for security. The key to addressing the human aspects of security is fostering a vigilant and security-minded culture, where employees are encouraged to follow procedures. Management should emphasize that information security and data privacy are the responsibility of all staff, and the pro-security attitude should come from the top down.
Employee education goes a long way to helping users understand potential threats and their duties and responsibilities to follow processes and procedures to protect themselves and the organization. Organizations that make efforts to instill a culture of care where every employee has a duty to report and respond to any potential or real threats and attacks can greatly improve their cybersecurity posture.
Unfortunately, just under 50% of people consider cybersecurity to be a shared responsibility, according to the Kaspersky Lab survey.
Companies should seek to create a workforce culture that can help them prepare for cybersecurity incidents. A culture of reporting, responsiveness, and openness, rather than a culture of fear, blame and shame, can help organizations respond to any potential threats with speed and transparency to mitigate the issue and limit damage.
Collaboration and Continuous Learning
To complement a solid security foundation, organizations should continue to collaborate and continue to learn best practices and share findings and insights with fellow colleagues, industry and community associates. The more informed staff are, the faster they can react to security threats and attacks.
Taking a holistic approach to cybersecurity should be cross-collaborative rather than siloed and should encompass cross-disciplinary competencies in dealing with data security issues.
A Focus on Governance
Businesses need to take an overarching view rather than a scattered, solution-centric one. By using a governance framework, organizations can holistically transform their cybersecurity strategies. The foundation of a cybersecurity program addresses IT risk management and cybersecurity governance at the enterprise level, allowing organizations to identify risks, threats and vulnerabilities that can impact critical business processes.
Appropriate IT/cybersecurity governance is a key enabler of successful protection. IT/Cybersecurity governance is both preventive and corrective and covers the preparations and precautions taken against cyber threats and attacks, and determines the processes and procedures needed to deal with incidents that occur.
Ascension Global Technology’s Approach to Cybersecurity
The best opportunity for efficient, effective, and sustained cybersecurity in the workplace is based on a holistic approach, which balances people, processes, and technology. To meet today’s complex cybersecurity challenges, organizations must broaden the scope of cybersecurity beyond technology tools to encompass people and processes in an integrated manner.
By looking at enterprise security holistically and developing a culture of cyber awareness, companies will be better prepared for the challenges to come.
If your organization needs to expand its cyber defense strategy, Ascension Global Technology provides a solid foundation for comprehensive protection of your systems. We offer security products, solutions, and project management services with full life-cycle support.
There is no such thing as a one-size fits all cybersecurity program or strategy. As unique as your business is, so too will be your approach to cybersecurity solutions.
If your organization would like an assessment of its current security posture, or you require assistance with identifying and addressing security gaps, Ascension Global Technology can help you with a comprehensive, customized cybersecurity strategy using a holistic approach.
Not all enterprise-class cybersecurity vendors offer industry experience, support for IT initiatives and a commitment to streamlining security operations. We work only with best-in-class vendors that also offer superior knowledge and support. Contact AGT today to find out how we can help you achieve a holistic cybersecurity posture.