Resilience is built on a solid framework

by Mark Rowe

James Tucker, Head of Field CISO, International at the cyber firm Zscaler, discusses why businesses must maintain good cyber hygiene to improve resilience.

Cyber resilience is at the top of today’s business agenda for many organizations as they try to align with new legislation, such as DORA and NIS2, that is coming in across Europe. No matter how many solutions they put in place or how hard they might try, however, no business can be 100 per cent cyber resilient at all times. That could be because employees are finding ways around security checks in order to make their day-to-day activities simpler, or perhaps because the organization has a high level of technical debt and is finding it nearly impossible to build a framework around its entire legacy infrastructure. No matter what situation an organization might be in, the aim for the C-suite and security teams must be to maintain as high a level of cyber hygiene as possible. But what constitutes ‘good’ cyber hygiene, and how can businesses avoid the common pitfalls when implementing any new cybersecurity approach?

The two main obstacles to good cyber hygiene and resilience are the lack of a consistent security framework and a lack of transparency from IT teams as to the actual dangers that an organization faces on a daily basis. Many organizations are reactive to issues and have a mix of strategies and technologies in place that have built up over years of accretion. Due to this, they may ‘feel’ prepared, but are usually unaware of the gaps in their framework, and have no formal methods of testing readiness and resiliency. The CISO and the security team are seen to be sitting within IT and are often not involved in strategic planning for the business. This has to change for organizations to get on the front foot with their cyber preparedness – the alignment of the security function with the business’s strategic goals is no longer negotiable.

Or, an organization may have a consistent framework, but it is poorly communicated due to internal factors, like the size of the business or territorialism. This results in complexities that mean certain security measures can take weeks to implement or – perhaps worse – that employees struggle to understand their role in cyber resilience. If you speak to any security team, they will say that employees are most often the biggest attack surface for companies, with many breaches stemming from employee error. Now, with technologies like generative AI giving hackers the ability to individually target thousands of employees in a short period of time and in a more personalized way, that attack surface is only going to get bigger. If employees don’t understand the importance of cyber hygiene and why it should matter to them personally, they will most likely ignore the ‘boring’ IT training and continue to fall into traps, putting their organization at risk of breaking legislation.

Engaging employees and simplifying processes

The key to solving this issue lies in contextual training and the balance between the art and science of awareness training. Cybersecurity teams need to make the potential dangers real and be more transparent about what is actually happening within the organization – what were some of the recent near misses, for example? What parallels can be drawn with high-profile media breaches? They then need to inform employees how to identify the issues and report them to the relevant IT member. Having business champions to continually amplify the voice of cybersecurity is also important, to show that it is an issue for all employees and needs to be taken seriously.

Another level of security businesses should implement to limit potential employee errors is adopting a zero trust approach to any internal or external access. This involves migration from traditional routed networking access where, after initial authentication, users get virtually unlimited freedom to move around an organization’s systems, to more granular, identity-centric access where authorised users only have controlled and inspected admission to the systems they are entitled to. Modern zero trust implementations also often come hand in hand with deception and sandboxing capabilities, which lure attackers into traps and then enable security analysts to quickly identify and mitigate any system breach before actual damage is done.

Finally, user security best practices can be positively reinforced by good system efficiency and high productivity. Users who suffer from poor IT system performance and must deal with badly designed applications are more likely to take careless action by clicking a phishing link or using non-approved software or devices. That’s why good user experience should be a foundation for any cyber security strategy and not an afterthought. Cybersecurity must facilitate business activities instead of standing in the way of getting work done.


The fact of the matter is that compliance should never be easy. If complying with legislation is as simple as checking off a couple of small security tick boxes, that legislation doesn’t deserve to exist. In order for companies to adhere to the latest legislation, they don’t just need to understand their technical portfolio and build a security framework around it – they must also ensure all members of the organization understand why that framework matters and their role in reinforcing it. Security teams need to help the wider organization understand that cyber hygiene is the same concept as a surgeon washing their hands before surgery. It may not seem like much effort, or as important as the precision surgery, but without a clean environment the chances of death or further problems increase ten-fold. The same can be said for cybersecurity.

Cyber hygiene should be an imperative for business leaders in 2024 with CISOs brought into the heart of business strategy in order to align security functions and business outcomes. Otherwise, organizations are going to swiftly find themselves at the mercy of legislators, both financially and, in some cases, even threatened with jail time. The next level of cyber preparedness demands a clear security framework, uplift of employee cyber awareness, and needs to have measurable outcomes aligned with business objectives.


© 2024 Professional Security Magazine. All rights reserved.
