Security: Getting the fundamentals right
It seems these days that at every turn, we’re reminded that cybersecurity needs to be front of mind. Whether it’s in our private or our working lives, not to mention the increasingly large grey area in between, security is everywhere.
At least, it should be…
There’s very little these days that doesn’t involve an exchange of information, and that information is valuable and worth protecting. We need to be making sure that the right information is used by the right people, at the right time. Otherwise – touch wood – it can cause significant disruption and potentially great harm. This goes for everything from our banking details and credentials to our social media and content streaming passwords. Even our phone numbers.
Now, we’re not going to dwell on personal security too much in this series of articles, but arguably, the change to more flexible working locations and models for many people has brought us to a point where the lines between work and “not work” is very hard to distinguish. And as we move seamlessly between work activities and personal ones, we’re less likely to switch our behavior from one mode to another. In this blended mode, it’s more likely that we slip, and make a mistake that can have unforeseen consequences. Most of these consequences will usually lie with the business in the form of financial impact and brand confidence, meaning that the burden of preventing the breach in the first place through supporting its people lies with the organisation.
Many security commentators say (and we agree) that good security comes about by addressing a combination of three fundamentals:
When looking at where to start and how to design the right security program, the most important consideration is the overall business need. A consultative approach is required, as working in isolation from the business will likely lead to an ill-fitting solution.
Ultimately, it’s the business strategy and objectives which define its Process, and in turn, give rise to the requirements of People and Technology. At this point, as we review how those People and Technology interact – we start to see information and data being generated. Risks emerge as to where the information is stored, how it’s accessed, used, and transmitted from system to system, and place to place. These risks are collated and ranked, with decisions made as to how each should be addressed. This risk matrix will likely form the basis for developing an information security and cybersecurity program.
Let’s look at each of these elements:
- People are arguably our most important asset; however, they can also have the biggest bearing on an organisation’s security.
With People being what we are (unpredictable, undisciplined, and sometimes unsure of what is the right thing to do), it’s critical to focus on better equipping them when it comes to security. Improve the way People interact with each other, their customers, and their systems – providing instruction, training, and tools that allow us to make the right decisions when faced with potential risks. This is more than just security awareness training though – it extends to how we manage the authentication and identification of people, systems, and applications.
Industry experts suggest that up to 85% of breaches involve a human element. Therefore, if we’re looking at addressing the biggest risk area first – this seems like the obvious starting point.
- Develop Processes to create sort of digital pathways on which we know we'll be safe if we follow the right directions. By developing either automated process flows, or at least easily followed and well documented processes such as those required by security frameworks and standards, we can help deliver consistent outcomes. This applies to activities undertaken by all people, not just the IT and cyber teams.
- Implement Technology and controls to help with the above and catch unexpected events when either our people make a mistake, or a genuine attacker may be attempting to wreak havoc more directly. These controls need to apply at all levels of the technology stack, as each layer is potentially a target for attack and intrusion or breach. This starts with people and works through devices, applications, networks (internal, external, and in-between), testing programs, and finally a security monitoring and incident response and management program – considering the information being used and transferred at each stage, and how best to secure it.
For organisations that are considering how to evolve their security strategy so it better supports their business, people, and customers, partnering with a third-party security specialist can be invaluable. Most providers will begin with an audit to review the above in concert and in isolation, taking into account the specific requirements an organisation has along with the environment it operates within – be it mandatory through legislation or standards compliance, industry best-practice, and alignment, or a general desire to improve its cybersecurity posture, making sure that only the right people have access to the right data, at the right time.