Cybersecurity success still depends on getting the basics right
Cybersecurity is a big concern for most businesses, especially because of the regulatory scrutiny it attracts and the loss of consumer confidence it results in.
And although hackers have got smarter over time, and the tools they use have become more sophisticated, it seems as though a majority of organizations are only targeted because they’re vulnerable.
“The problems affecting businesses haven’t really changed in the last five years, but organizations still struggle to address them,” Wall Street Journal (WSJ) Pro Cybersecurity Research Director Rob Sloan told Tech Wire Asia.
According to Sloan, the number one challenge for any business is implementing the basics effectively.
Get good at patching vulnerabilities and hunting malware
Take the deployment of software patches, for example. The WSJ Pro expert advises companies to deploy software patches quickly to reduce the window of opportunity for criminals to compromise systems.
That means the team must ensure it has the tools and systems in place to identify vulnerabilities in the software it uses and patch the bugs most likely to be exploitable.
“There is no excuse for suffering a security incident that is wholly avoidable. Once a patch is available it is a race against time to close the security gap before the bad guys get there first.”
Another fundamental area that cybersecurity professionals need to focus on, Sloan suggests, is malware detection.
Improving malware detection and response capabilities on networks that continue to grow in size and complexity is a growing pain for most businesses, and with organizations developing use cases for sensors and IoT, the problem is only going to become more complicated.
“Defenders have a larger attack-surface to protect and securing the myriad devices attached to the network is a near-impossible challenge.”
A recent IDC study on IoT deployments in Australia and New Zealand corroborates Sloan’s findings. The report pointed out that organizations ready to go big with IoT are limited by their ability to tackle the cybersecurity challenge, which is what hinders them from scaling up their proofs of concept and pilot programs.
“Of those companies with active IoT pilot projects, 75 percent are planning on expanding their trial systems into full-scale solutions. But they can’t easily do that until security concerns are addressed,” said IDC ANZ Practice Manager Monica Collier.
Effective cybersecurity needs more talent
Accenture says cybercrime could cost companies US$5.2 trillion over the next five years — and it is the smaller businesses that need to be more careful.
“A lack of skilled employees coupled with security solutions designed and priced for large enterprises means small businesses are unable to protect themselves, which is a particular problem for businesses that form critical parts of the supply chain.”
A cybersecurity workforce study by ISC2 recently found that the cybersecurity workforce gap has increased to more than 2.93 million globally, of which APAC is experiencing the highest shortage at 2.14 million.
In the event of an attack, it is the smaller companies that are unable to respond effectively, and the financial impact is such that they can easily go out of business.
“The shortage of the skills businesses require to protect their data from cybercriminals is reaching a crisis level.”
Estimates of the number of unfilled jobs range from two to three million now, with an expected increase in demand over the coming years.
According to Sloan, the victims of the shortage are not consultancies or large enterprises in the financial services or tech sectors, which can afford to pay the highest salaries and attract talent from overseas, but small to medium-sized businesses and government departments.
Addressing the immediate problem is critical to closing the workforce gap.
Cross-training and upskilling existing staff to bolster cybersecurity resources is one way to help, but to make a serious impact on the millions of empty jobs, governments must promote the profession and work with schools and universities to ensure a supply of appropriately skilled graduates.
Encouraging gender and ethnic diversity in the workforce through inspiring women and under-represented groups to specialize in cybersecurity can also bring a diversity of thought on how to solve key challenges.
Forward-looking organizations should also aim for neuro-diversity and seek to engage workers with the aptitude for technical work.
“One such program in Australia, Dandelion, has placed young people with Autism into cybersecurity jobs in the Department of Defence and into multi-national banks,” pointed out Sloan, who will be speaking about these steps in greater detail at the Management Events Cyber Security Xchange 2019 in Kuala Lumpur this month.
Employee awareness key to cybersecurity too
One of the most fundamental things when it comes to cybersecurity is building awareness about protocols across the organization.
However, at the senior executive and board level, Sloan finds that there is still a lack of ongoing awareness about cybersecurity – and other technology subjects such as artificial intelligence – that leads to underinvestment in countermeasures.
“The blame lies in part with the inability of security leaders to effectively communicate the challenges and share meaningful security metrics that highlight progress and residual risk.”
Sloan says that companies make the mistake of running their awareness programs from the security department, which is often why there’s too much of a focus on technical details — which puts off employees and is hence ineffective in raising awareness.
“For truly effective security awareness programs capable of changing the culture of a company to become more cyber-aware, organizations require full-time, dedicated resources with skills in marketing and communications.”
Awareness must be tailored for certain job roles, especially executives, and others in the organization that face a higher risk of being targeted.
Overall, to get cybersecurity right, organizations must first lock down the fundamentals before exploring cutting-edge solutions.