A 'culture of security' can harden a company's defenses
Of all the seismic changes which COVID-19 has ushered in for businesses and individuals alike, none looms as large as the economic downturn we are already experiencing as a result of the pandemic.
It was reported that the U.S. economy is likely to shrink 4.6% in 2020, with projections looking equally grim on a global scale.
Security teams need to start planning for the new economic climate in which they will be operating. It seems entirely likely organizations will see their bottom lines affected by this downturn and internal teams — including security — will see their budgets slashed, meaning hiring or even retaining staff can become more difficult. So how can security teams prepare for the scarcity of resources, both human and financial, they are likely to see in the forthcoming months and years?
If budgetary restraints are likely, and with them the need to prioritize certain areas of the security function over others, it’s important to thoroughly understand which areas are likely to yield the best results in order to get the most out of already underappreciated budgets.
There is a strong argument to be made for end user awareness training as the keystone of a security program. It remains comparatively low-cost and high-reward. Anywhere from 75%-95% of all breaches can be tied back to some kind of human error: whether this is a phishing attack, inserting questionable media into a machine or opening malware encased in a document, users are a huge gap in an organization’s security posture. This can all be remedied in an extremely cost-effective manner by utilizing a training scheme that teaches everyone in an organization that security is not just the remit of the IT or security departments, but that everyone has a stake in it.
Another area of focus which is likely to help organizations through this phase is initiating thorough external testing of your environment. Such penetration tests help you understand the methods of attack that will leave you vulnerable. Unless a threat actor is targeting your organization rigorously and specifically, it is highly unlikely they are going to attempt any kind of social engineering technique, such as business email compromise (BEC) scams. It is far more likely that cybercriminals will attempt to mount an external attack that aims to compromise your network. If you have a limited budget, and you are assuming that you aren’t being targeted specifically, a quarterly pen test will tell you, via a kill-chain methodology, the kind of tactics to expect from threat actors and how to mitigate these risks.
One of the biggest mistakes a company can make, particularly when facing the budgetary constraints we are likely to see post-COVID-19, is simply throwing technological solutions at a problem. It is worryingly common to see organizations spending money on technology which they are not implementing or leveraging. Companies will even spend money hiring the developer of their technology to undertake the implementation, but these publishers can only go so far. At a certain point, the customer needs to maintain, customize and regularly update their technology in order to ensure it is working as it should be in their unique environment.
One of the trickiest things to consider is that buying products is not in itself a solution: CISOs who simply go on a product-buying spree also need to do their homework to understand the crossover and overlap which may be present in their suite of tools. This is a manual process, and one which is undoubtedly time-consuming, but the cost effectiveness it could present is significant. It could simply involve upgrading an existing tool instead of investing in a brand new one, saving money on the tool itself as well as the implementation cost and time investment associated with engaging with new solutions.
The concluding message for enterprises worrying about the bottom lines of their organizations, and the subsequent effects this might have on their security posture, is this: security is not simply a financial concern. The companies who do the best at cybersecurity are the ones who understand that throwing expensive tools at a problem is not the way to build security into the cultural DNA of a company. If you can foster an understanding within the whole organization of security as a holistic and existential concern for every department and level of the business, then the budgets will trim themselves naturally, and the whole business will reap the rewards. After all, security is a culture, not a product.