Cybersecurity awareness is something we take seriously, but we focus on it year-round, not just for one month. One area in which our organisation excels is making cybersecurity training a mandatory course for all employees, so they understand the basics of identifying threats.
This month (October) is the 20th annual Cybersecurity Awareness Month, organized by the Cybersecurity and Infrastructure Security Agency to draw attention to ways you can defend yourself and your business from online threats.
Ultimately, cybercrime is all about data either to steal it, expose it, or prevent you from using it. Data is the whole reason that cybercrime exists. This is why data security, in particular, is top of mind for CEOs, CIOs, CISOs, and even the board of directors for your organization.
- CEOs are concerned about how data theft could affect the running of their business.
- CISOs are focused on internal cybersecurity operations and the various mechanisms they need to deploy for cyber defenses.
- CIOs are interested in the security posture of corporate assets as well as the security practices of the third-party organizations that the business interacts with (vendors, partners, service providers, etc.).
Everyone is trying to answer three questions: what is my critical data, where does that critical data live, and who has what access to that data?
Because data theft and ransomware attacks could have such a material effect on the company, even the board is paying attention to cyberthreats. Should the company be breached, its reputation could be damaged, its stock price could drop, and its ability to maintain or grow its market share could be seriously affected.
But here’s the thing: your senior executives might do a great job choosing, investing in, and implementing processes and technologies that bolster your security stance and cyber resilience. However, cybersecurity is also the responsibility of every employee at every organizational level. Organizations must take into account that excellent technology-based defenses aren’t worth much without addressing the fact that it takes just one employee to slip up and put the entire organization at risk.
The question then becomes: How do you ensure the security of the actions of every single employee, 24 hours a day, seven days a week?
The answer is you can’t.
In many ways, cybercriminals play a numbers game. Imagine all the laptops, virtual machines, and appliances running in your environment adding up to tens of thousands of connected devices running day in and day out. Sometimes you miss patching a system. Or a patch attempt fails. Or your inventory isn’t completely up to date. It comes down to the law of large numbers: if you miss one-tenth of 1% of 100,000 devices, that still gives cybercriminals plenty of opportunities to break into your company.
Given all this, what can organizations do? Simple: limit the blast radius with zero trust. What zero trust means is that just because an employee is given a credential does not mean you’re going to give them unfettered access to your entire IT environment. Instead, you are going to challenge them every single time they try to access a resource that isn’t appropriate for their role.
Organizations that implement zero trust have a better chance of defending themselves against cyberattacks because a single compromised credential is not going to give a criminal the keys to the kingdom.
No question, zero trust is complicated to implement and will be more costly as well as more cumbersome for users, but it limits the blast radius.
Employee training can be very effective, but you have to put it in context; for example, generic phishing training doesn’t have that much of an impact. Show employees a real case – when someone fell for a phishing scam – along with actual ramifications, and they’ll remember and act accordingly. With that kind of real-world context, training is much more effective. Just take it from our customers at Shropshire Council.
That’s why, although Cybersecurity Awareness Month is commendable, the world needs a great deal more than a single month to focus on cybersecurity. We need to bake it into the behaviour of every single person in every organization, every single day. We need to instill in our people that when you get up to walk away from your computer, you lock it. When you’re sitting on an airplane, use a screen guard so other passengers can’t shoulder surf and see what you’re doing. And always badge into every room in the office without letting tailgaters follow you in, even if you know them.