Protecting the humans in the business makes business sense: Aussie cybersec today
The five most common cybercrimes perpetrated in Australia are aimed at people, rather than systems, according to the ACSC (Australian Cyber Security Centre).
For seasoned cybersecurity professionals, that comes as no shock. While protecting businesses’ perimeter and increasingly, the cloud services most organisations use daily, it’s unfortunately people that are the weakest link in any cybersecurity chain.
The ACSC monitors cyber threats 24/7/365, alerting citizens and businesses what the dangers are, as they appear, and offers guidance on how best to protect against them. For sure, raising awareness of security issues should be an integrated part of every organisation’s day-to-day processes, but at the end of the day, repeatedly telling people to be more careful is only going to have limited effects.
And even some of those who are cybersecurity-aware have clicked a link or two they shouldn’t have, or downloaded a piece of malware at some stage during their careers. Humans make mistakes; it’s only… well, human.
So if we sidestep for now the effectiveness, or otherwise, of drilling staff in cyber hygiene (humans also get bored, unfortunately, of hearing the same message day in, day out), what else can Australian organisations of any size do to protect their people better? And by proxy, better protect the organisation itself?
Protecting people & the perimeter, and keeping the sweet side of government agencies is part of the credo of a new generation of cybersecurity vendors operating across the APAC, in Australia, and all over the globe too. Primary among these, we feel Evidian (the Identity and Access Management software suite from Atos) is well-placed to change the way IT departments think about security, and is helping realign many organisations’ security posture for the better.
Here’s how things are taking shape in 2020:
# 1 | Don’t forget the perimeter
This first step should perhaps be best put in brackets, or listed further down the list, but it is worth restating that businesses shouldn’t take their eye off the ball with regards to looking at their “traditional” means of cyber protection.
Firewalls, intrusion detection systems, network monitors, logfile analysis, etc., should all continue to be part of any cybersecurity department’s daily workload.
What’s probably more relevant for most, however, is the protection around cloud-based services. Web application firewalls, encryption at rest for remote applications and services, web application firewalls (WAFs), and so on, all need consideration as part of the overall security picture and ensuring safe access and use is of high importance (and that importance is growing as we sign up to, and embed more cloud services into everyday working practices).
# 2 | Authenticate users, and authenticate well
Secure access to apps and services — mentioned in passing above — is the cornerstone for any organisation keeping its people and its systems safe. Most working days begin with people establishing their identity with different systems, from the laptop that’s just been woken up, to the online services hosted thousands of miles away that are an integrated part of most companies and departments.
The ACSC’s first piece of advice it gives (see page nine of the report) is to turn on two-factor authentication (2FA).
As a term, 2FA is sometimes used as a synonym for MFA (multifactor authentication), but regardless, security teams need to think about the balance that needs to be struck between the number of authentication methods that will be required (and what those methods are), and the specific method types.
Any cybersecurity professional will know that their users want an easy and fast time to access apps and services. But given the sheer number of times most people have to log into apps and services each day, asking them to jump through too many security hoops, too many times, is a shortcut to people finding clever ways around what they’re being forced to do.
Depending on your industry vertical, there are several options for multi-factor authentication, including smart cards, fingerprint readers, or even a smart band. That level of physical protection not only decreases security risks significantly, but because every authentication is logged, there’s little chance of successful credential theft (or credential sharing between employees), thus compromising the business.
The actual balance that’s required day-to-day depends, of course, on your organisation, its necessary levels of security, and how much investment is being considered. But there are ways that companies and organisations can make life both safer, and not too onerous, for the humans we’re trying to protect. The next item follows neatly on…
# 3 | Proper authentication and access management
Like many industries, cybersecurity is fond of its acronyms. Identity and access management (IAM) and single sign-on (SSO) are two such that are worth mentioning here.
IAM covers the overarching technologies with which organisations can control access and privilege settings. It’s a bedrock in developing a zero-trust environment in which all enterprise functions can take place securely. Single sign-on provides a secure way around sign-on “fatigue” that can happen when users are asked to authenticate themselves two or three ways with every app (local or cloud-based) they want to use.
Sign on once, but make sure the user is who they claim to be (beyond reasonable doubt) and then use that knowledge to grant access to multiple services.
Next steps: your homework assignments
The various methods by which companies can create SSO solutions and the different ways, for instance, that are available for human employees to prove their identity, are subjects too large to be covered quickly in this article. But investigating these technologies is massively worthwhile because as well as protecting the business, there are further wins for organisations.
Seemingly always mentioned last in the technology press, but of increasing importance is data governance. Ensuring the ways that data is protected hit the shifting requirements of local (and international) governments is as important as protecting intellectual property — failure to do either is probably equally costly.
There’s also the increase in productivity. This pertains to the balance between security and ease of access mentioned above. Keeping staff working, but working safely can be achieved, but it needs the right technology.
And, of course, there’s the issue of overall security! Any victim of identity theft, online fraud, phishing or any of the crimes described in the ACSC report will know the consequences of what happened to them. And by proxy, what happens to people happens to the businesses that they work in.
To benefit from a complimentary license on Evidian simply follow the link here. Valid till mid May 2020.