To secure IT assets, believe nothing and trust no one

COVID-19 has changed the nature of the corporate threat landscape. Although remote working and multi-channel access are not new concepts, their complexity and volume are growing exponentially. Users with a myriad of devices are accessing corporate systems hosted on a mixture of private data centers and public and private clouds from multiple locations. The attack surface has grown and oversight reduced increasing the risk of social engineering. Organizations must adapt their cybersecurity approach to prevent serious breaches.

Once upon a time, corporate systems were all housed in the same data center, with staff accessing them from known office locations. In the last 12 years however, we have seen a huge increase in remote working, according to a survey carried out by Global Workplace Analytics—there was a 157% increase between 2005 and 2017. There has also been a considerable change in how providers deliver software. Both these factors have complicated cybersecurity posture that organizations need to maintain. For some providers, this risk is not new, but for others as a result of COVID-19 pivot plans, it’s a brave new world and their old perimeter security mentality—keep the bad guys out and the good guys in—is no longer appropriate. In fact, it hasn’t been appropriate for a while, but it always takes a good crisis to wake people up.

Verizon’s 2020 Data Breach Investigations report provided some timely insight into the threats corporations face; CEOs should take its findings seriously and pay attention when their CISOs sound the alarm bell

The report is based on over 30,000 security incidents, of which almost 4,000 were confirmed breaches. An “incident” is a security event that compromises the integrity, confidentiality, or availability of an information asset. A “breach” is an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. The report helps paint a picture of the sources and the targets of cyberattacks.

Cyberattacks originate from many different sources, and attackers’ motivations differ. To further complicate things, bad actors can use several different attack vectors (methods of attack) during a coordinated attack; for example, they can use a phishing email (based on social engineering) to place malware on a network and gain access to user credentials, which then allows a data breach of a poorly secured network. The modern business comprises people, processes, and technology; to secure it, coordinate your threat mitigation around these components.

People are the weakest link when it comes to an organization’s security exposure. However, skilled human beings are essential to the running of all businesses, regardless of shareholders’ demands to strip the workforce to a bare minimum to meet some outdated ideology that people-cost is a bad cost. Investing in good people and training them is the starting point for an effective corporate security posture. According to the report, 22% of attacks involved phishing, and errors were the causal events in 22% of breaches i.e. misconfiguration, meaning humans played a significant role in opening the door to an attack. Regular training is essential to combat this. With people working harder over longer hours, mistakes are inevitable; therefore, regular training to reinforce the risks and their mitigating actions is mandatory, whether your business is regulated or not.

Is your ISMS gathering dust? It’s time to brush it off and make sure it reflects your present-day situation, not that of 10 years ago

The information security management system (ISMS) is the cornerstone of an organization’s position for dealing with information security. The ISMS is the document that describes how an organization manages people, policies, controls, and systems to control corporate data, and it is a living document. Management needs to review it regularly to ensure threat mitigation policies are up to date with the current threat landscape and that controls are effective and in action. According to the survey, 17% of breaches are because of user errors, which is double the rate from last year’s report. A poorly implemented data loss-prevention system or incorrect data classification increases the risk of sensitive corporate data entering the public domain and causing reputational and financial damage.

70% of breaches were carried out by external actors, 86% were financially motivated, and 37% used or stole credentials

With the ever-growing complexity of the corporate network, securing technology vulnerabilities is the hardest problem to solve. Adopting a zero-trust architecture for your corporate infrastructure will help to reduce your exposure. The goal is to reduce trust in your network and increase trust in individual connections to your systems. With multi-factor authentication and advanced attribute analysis, it is possible to fingerprint a user within your network (internal and external) to ensure you know exactly who is accessing what and verify they are allowed to do so. Should a bad actor get access to your blue (DMZ) or green (internal network) zones, their ability to execute a horizontal attack, for example, jumping off the compromised node to a higher value target, is greatly reduced. In a recent Microsoft webinar about its security offerings, Microsoft stated that some financial organizations are so far advanced with their requirements for attribute fingerprinting that the technological plumbing is not even available yet to support their requirements.

The Bottom Line: Never trust. Always verify.

As our reliance on digital services increases exponentially, it is imperative that these services and the organizations providing them have the highest levels of threat mitigation in place. Working toward a connection-trusting architecture rather than a network-trusting one is a must. In this new ultra-competitive digital marketplace, customer experience and security are king. The competition will quickly overtake any organization failing on either front.