Today’s organizations are investing more and more in tools that increase flexibility, support their teams and let them profit from what technology now offers. However, they do not invest enough in the security and education needed to get the most out of these technologies without putting at risk their own information assets, or those of their supply chain partners up and down the chain.
It has always been a disappointment to me that whenever I talk about the risk that technology poses to business, the assumption is made that I am by definition against technology – nothing could be further from the truth. However, I believe that an organization cannot abdicate its responsibility for ensuring the security and protection of the data its technology handles.
Experience has taught me that when organizations focus on technology to solve a range of problems, they direct nowhere near enough resources to protecting themselves from unintended consequences or from ill-informed users of that technology; in many cases they do not even train users in its basic use, never mind its safe and secure use.
Now that we have built more and more technologies that allow us to connect more easily and simply, the threats I am talking about have quickly adapted and taken advantage of them. Too often the response is reactive, with organizations retrofitting risk mitigation once the risks become apparent, and often only after data breaches have occurred.
If we look at the latest available data from the Information Commissioner’s Office (ICO), we can see that almost three quarters of the breaches reported in the third quarter of 2021 were caused by non-cyber incidents, such as sending an email to the wrong person. Of the remaining 25%, the top five causes include phishing (no surprises), ransomware (again, no shock), and misconfiguration of software or hardware. This points to rushed deployments, generic policies, and changes to working environments and tools. In short, a lack of sound risk management.
We know that third-party breaches have grabbed headlines over the last few years. Not only is this showing no signs of changing, but as we continue to work in remote and hybrid styles, the results of poor technology deployment and poor security risk management potentially put more organizations at risk from each other. And we know all too well how quickly relationships between supply chain partners are being exploited these days.
In other words, when it comes to poor security there is now a lot more at stake than your own organization. About 51% of organizations have suffered a breach caused by a third party in the last 12 months, and 75% of those were due to third parties that had too much privileged access.
Organizations need to be much more joined up, and their risk management needs to be much better informed. Too few risk assessments start with a detailed, well-informed threat assessment, which means that the treatment of risk is often wrong.
Assuming that an effective and well-informed risk assessment is performed for each business area where a new platform or technology is being considered, the way each team or area should use that tool must then be identified and defined by the business, and then coordinated and facilitated by security.
Mike Gillespie, Advent IM
Balancing users’ experience and capabilities against the need for security, and tying the level of security to that balance, means users will have no need to circumvent overly strict security measures that prevent them from doing their role properly. Security will be appropriate and proportionate to the role, not one common level of security for everyone.
It is vital to ensure that IT security teams are consulted as part of every procurement and subsequent implementation. They should also be part of the education and training that is provided as part of user onboarding.
People – their behavior, attitudes and beliefs – are essential to good security. As such, technology education is only part of the solution, and organizations need to mobilize their true experts to help with wider education, awareness and training – people in communications, marketing and PR tend to understand much better what motivates people and what is likely to succeed in changing behavior, so use them.
Where appropriate and achievable, are networks with different security needs or different levels of sensitivity separated? If the worst happens and a bad actor finds their way into your network, will they be able to move through it easily and quickly? Making sure that areas are segmented means that this will be more difficult, and you can layer your security more appropriately in sensitive areas and around those who have privileged access to assets.
Nothing makes an organization better prepared than good intelligence. Since most of our breaches come from within, or are at least facilitated from within, why is so much of our horizon scanning and intelligence gathering focused on the outside?
Good-quality, no-blame, near-miss reporting is invaluable as an intelligence tool. It allows you to identify early warnings and indicators of subtle behavioral changes, policy deviations or poor security practices that are creeping back in, and allows education to be targeted to stamp them out in their infancy.
At the end of the day, you can call it information security or cybersecurity. Whatever floats your boat. But whatever you call it, never, ever forget about people, people.