Over the last few years, companies have focused their attention on building a strong perimeter to counteract the security threats that exist today. But things have already begun to move on. Many organisations have been left behind in today's hybrid world, in which users benefit from both on-site and cloud access to company data through multiple devices.
Inevitably, cyber criminals have instead focused their intentions on gaining access to networks by exploiting the weakest link. Many firms are strategically unprepared for this situation and haven't integrated security into their corporate culture. Staff, therefore, often don't think about this.
The response to security challenges today is generally tactical, and often a reaction to the latest high-profile incidents that steal headlines. This isn't going to strengthen defences in reality, as a general rule, and can lead to the weak deployment of security measures - or even paralysis while firms decide what action to take.
In this scenario, channel players can step in to act as a trusted advisor, and help guide companies through their security challenges with the right advice and systems.
1. Make a Plan
A considered plan, projected over a number of years, is the best place to start. This demands a long-term view as it's unlikely for organisations to deploy all the protections and safeguards they need within a single year, for either logistical or budgetary reasons.
The most valuable assets should be identified and then a decision taken over how to protect them, and in what order, rather than just opting for a plan that tries to protect everything at once.
2. Penetration testing
Finding out where the security weaknesses lie within an organisation is an essential step. Firms don't often view their assets from the perspective of an attacker, and this is especially true if some of these assets and logins are based in the cloud.
3. Change cyber habits
Internal threats may include a lack of education among staff, particularly when it comes to the risks involved with email, such as clicking on links. Without adequate cyber hygiene, companies are shockingly likely to experience fraud, and hacking, among other threats. If management doesn't stress how important secure behaviour is, and reinforce it regularly, the message they give out is that it doesn't matter that much.
There are numerous platforms that can train staff in cyber hygiene and cyber security, and provide assistance through online training, testing (including phishing testing) and remediation.
4. Two-factor authentication (2FA)
2FA is an inexpensive, clearly visible, and effective means of tackling a number of threat areas, with a wide range of suppliers with effective systems to offer. Yet, surprisingly, 2FA is still only used by a handful of companies.
For many, a hybrid IT environment including a number of on site and/or multiple off-site managed cloud apps, is the norm. Improperly securing access to data here can pose a serious failing.
5. Identity management
This is another potential strand of threat for many firms, and covers areas such as managing password security, and closing down an account when an employee leaves. While this may sound simple, in many cases this isn't managed well at all, and exposes many firms to unforeseen breaches.
6. Patching
Ensuring that important security updates from vendors are patched regularly, and in a timely manner, is another basic step your firm need to get right. There was once a time when security perimeter solutions, which are typically updated pretty quickly by suppliers, protected the underlying infrastructure. But the shift to hybrid environments marked the end of those days, especially with many devices now deployed outside the security perimeter.
7. Privileged access management
If companies don't manage privileged access, they are vulnerable to the highest privileges deployed in an organisation seized on and exploited by an attacker. This not only typically makes any prospective damage greater, but also renders an attack more difficult to identify.
Ian Kilpatrick is executive vice-president for cybersecurity at Nuvias Group
