Surviving and Adapting Today’s Cyber Threats
In the technology and innovation arenas, the last decade will be remembered for a myriad of reasons. Among these reasons is the multitude of data breaches on government agencies and privacy companies. In 2015, for example, the United States Office of Personal Management was hacked twice leading to the theft of over 22.1 million workers’ sensitive data (Nakashima, 2015). In the previous year, Sony suffered an attack that compromised millions of user accounts (Peterson, 2014), and another hack on eBay saw over 233 million users’ data stolen (Action Fraud, 2014). Amid the looming COVID-19 pandemic, a huge section of workers and companies have resolved to remote working, the trend of breaches shows that hackers have evolved to become better organized, more sophisticated, and increasingly opportunistic. Organizational leaders now face a question of when, and not if their company will be breached. This predicament prompts leaders to proactively come up with ways through which they can shield their organization from security breaches.
Effecting a Cultural Shift
In the current fast-changing technological landscape, companies must erect complimentary processes and policies which balance responding to incidents, detecting compromises, and protecting critical assets. Such culture-related policies and processes are vital in enabling the company to tackle evolving threats, adopt new technologies, maintain operations, and survive attacks (Hughes, 2021). They also help limit the damage in the aftermath of a breach. A leader must therefore create a culture in which every employee — from top executives, all the way to lowest-tier employees — report to work feeling accountable for the security of the company’s critical data and assets. This isn’t the traditional command-and-control type of culture. Rather, it is a cultural approach that empowers employees to identify and then respond to security incidents as and when they occur (McGee, 2012). In designing such a culture, a set of shared values and expectations are formed. Such values must then be infused into every department in the company to ensure that they act in support of the desired outcomes (Centre for the Protection of National Infrastructure (NCPI), 2021). For example, firms must do everything in their power to keep their digital ecosystem in check, by employing systems such as multi-factor authentication for email, two-factor authentication for the corporate network, and so forth. By actively implementing these and other similar practices and processes, an organization can effectively create a “cyber-resilient culture.”
Developing Clear and Holistic Strategies
With today’s highly volatile cybersecurity landscape posing greater threats to corporate and individual safety than ever before, leaders and companies are challenged to devise innovative strategies to mitigate these ever-evolving threats. Leaders must formulate comprehensive and overarching strategies that concisely outline the institution’s wholesome approach to the variety of cyber threats facing it (Dhillon, 2016). This strategy should then be mapped out in relation to the physical and technical infrastructure of the organization (Ibid). The strategy also needs to be built around the organization’s critical assets (e.g., intellectual property), business risks, and the dependencies on any one of the aforementioned in the organization. The strategy must then precisely map out every step of the organization’s response, and how and/or when it will move to mitigate a threat should it be identified It is in this way that a comprehensive approach to cybersecurity can be developed and applied effectively. The strategy should be specific enough to allow the company to understand how to respond in real-time and to guide ongoing planning and implementation (Federal Trade Commission, 2021). When it comes to developing such a strategy, organizations should draw on practical case studies, observations of competitors, and other experiences that best illustrate the nature of threats to that particular industry. It is in this way that a comprehensive approach to cybersecurity can be developed and applied effectively to contain or guard against potential threats.
Establishing Clear Governance
Organizational leaders must define who is responsible for what during cybersecurity-related excursions. Such a definition creates clear responsibilities for an outlined response strategy. Clear governance also allows every employee, regardless of role or department, to know where and when they are allowed and/or required to exercise their authority relative to cybersecurity-related incidences (Bobbert & Mulder, 2015). The benefit of defining responsibilities is that it allows employees to understand how and when their actions are relevant in terms of contributing to the company’s cybersecurity-related functions (CPNI, 2017). Additionally, clear governance enables employees to know that if they fail to do their job, it is likely that they will be held accountable. More importantly, it also makes clear that cybersecurity is not the responsibility of one department or individual, but rather of the entire organization. This clear division of duties and responsibilities can also help organizational leaders make clear decisions towards the best method of response to potential threats while creating clear-cut directions for employees. Finally, clear governance fosters a sense of engagement among employees, ensuring that they feel engaged and are encouraged to be active members of the company’s cybersecurity defense (Poppensieker & Riemenschnitter, 2019). As such, clear governance helps outline responsibilities and employee expectations which ensures all parties involved know what part they play towards protecting the company against the adverse effects of security breaches.
Embracing a Zero Trust Mindset
With every advancement in cybersecurity control measures, hackers develop new strategies and become increasingly creative necessitating organizational leaders to embrace models that view everything surrounding their network as hostile. Depending on the prevalent context, such a Zero Trust architecture is built on specific policies that prompt continuous verifications (Hughes, 2021). To ensure that all customers, workers, and partners are protected, organizations must be willing to accept that not all entities can be trusted. Organizations need to be suspicious of even the most trusted partners. This type of architecture necessitates a digital environment where every device or application used must be reviewed and verified before it is allowed to run on the network (Hudson & Reyes, 2021). Only then can network defenders gain some confidence in their defenses. By adopting such an infrastructure, organization leaders can concentrate their time and efforts on developing and protecting the network from malicious forces. In doing so, they can also work in tandem with the other departments to ensure that all vulnerabilities are sufficiently addressed and that all involved parties are communicating effectively (Hudson & Reyes, 2021). To fully embrace a Zero Trust architecture, various guidelines should be adhered to, such as:
- Treating every endpoint is as potentially malicious (pawned or not); Companies should approach an organization’s devices as though they are software vulnerabilities.
- Ensuring every endpoint can provide in-depth logs for two reasons; (A) to ensure that those who gain access into the network can be verified that they entered the network through legitimate methods, and (B) to ensure that there is no inappropriate information is left behind by users.
- Deploying behavioral analytics to continuously collect and analyze data regarding network activity and threat actors is essential in the continuous update of security response processes.
- Investing in tools that provide actionable threat intelligence and hyperactive threat intelligence feeds.
In totality, a Zero Trust mindset helps organizational leaders maintain high vigilance on all devices accessing their company’s network making it easier to identify malicious actors trying to access the network thus protecting the company from a security breach.
Conducting Security Audits
In light of the adverse effects a cybersecurity breach may have on a company’s reputation, finances, and various legal repercussions, organizational leaders are realizing the need of employing cyber-threat specialists to professionally assess their firm’s network(s). Security audit that cyber-threat specialists help assess an organization’s operational risks. Their work is primarily focused on identifying any weak links that can put the organization at risk. A well-crafted security audit helps with generating a baseline of the organization’s cyber-security processes (Herath & Herath, 2014). Companies can then take corrective steps to strengthen their defenses thus protecting their assets by enforcing proactive security measures based on the gathered information provided by security audits. These cyber-threat specialists are highly skilled in identifying and categorizing software used within a network, its dependencies, the risks associated with each software component, and what type of devices and applications can be used within the network (Ibid). Desirably skilled security auditors are highly aware of the vulnerabilities and risks associated with each software component within the network and how an attacker may exploit them. Companies can then leverage the expertise of these professionals to resolve such vulnerabilities before the security breach becomes a reality. Companies can then leverage the expertise of these professionals to resolve such vulnerabilities before the security breach becomes a reality. At the same time, in the unfortunate case that a security breach occurs, cyber-threat specialists would be equipped with a comprehensive plan on how to identify the root cause of the security breach, arrest further damage, and perform remedial measures to ensure that the organization is protected from such an attack in the future. As a result, companies can ensure that their network is as secure as possible.
Investing in Firewall and Anti-Virus Software
It is now common practice for organizations to erect up-to-date antivirus software on company devices and firewalls on company networks and websites as their first line of defense. The main purpose of installing antivirus software on company computers is to identify and remediate malware infections to the computer system or server. It is also recommended that organizations may also install a multi-layered firewall or proxy software on the company network to block the malicious activity of intruders who attempt to infiltrate the company network (Lee et al., 2021). In this case, firewalls are used to monitor incoming and outgoing traffic from the company’s network. Their purpose is to isolate and filter all the traffic to the company’s network and prevent malicious activity from harming or compromising the company’s network and the data therein. In the event of a breach, the firewall or proxy helps to contain and segregate malicious activity from reaching various unaffected parts of the network where a multi-layered firewall may help create a security wall between infected and non-infected parts of the network, thus potentially arresting the malicious actor(s) (Ibid). An investment in firewall and anti-virus software or service can potentially save an organization from any financial and legal consequences that could potentially arise from an attack on their network. It should be noted that installing anti-virus software is an additional administrative and technical step that should be ideally implemented in the company’s security policy and procedure manual.
Deploying Encryption and Off-Site Servers
Experts emphasize that organizations should preferably store their data in highly secure off-site data centers with any organizational communication being encrypted. Encryption protects sensitive information. In the event of a data breach, any encrypted data may be unintelligible to the hacker without the proper key to decrypt it. Encryption thus ensures data remains secure despite a security breach by providing an effective barrier against information access. Encryption also ensures that the attacker can’t use it as a loophole in accessing company information. Additionally, with the advent of cloud data storage, there is no need for company data to be stored on-premises. This also makes the data more secure from cyberattacks by reducing data security risks and liability. Companies can leverage the convenience and benefits that such cloud services offer by offloading their data storage and management to companies that specialize in storing, managing, and securing data (Sanderson, 2011). Cloud storage providers such as Amazon Web Services, Microsoft Azure, and Google Cloud offer such services, which allow companies to take advantage of advanced services like data encryption, compliance, and cyberattack protection. Storing encrypted data on off-site serves increases the security breach barrier two-fold helping the company to better protect its stakeholders’ sensitive information.
Organizational leaders must proactively find ways to keep organizational data secure. This paper shows that there exists no on-fits-all solution to data security. This fact is a testament to the many security breaches that companies have suffered over the years. As new methods of curbing cybersecurity vulnerabilities arise, malicious actors, become more creative, and organized to exploit more vulnerabilities. Data security is thus not only the responsibility of the organization and its leaders but one that must be exercised by all who interact with a company’s networks. However, the organization is still required to take proactive steps towards thwarting and mitigating security breaches. Such steps include the creation of concise and wholesome strategies, establishing clear governance, embracing a Zero Trust mindset, conducting security audits, investing in firewall and anti-virus software, and using encryption and off-site data storage facilities. While such steps are intrinsically helpful, the ever-changing technological landscape requires organizations to continue exploring new technologies and investigating their networks to identify potential vulnerabilities before malicious actors spot them.
Action Fraud. (2014, May 22). Millions of eBay users told to change their password after hack. Action Fraud. https://www.actionfraud.police.uk/news/millions-of-ebay-users-told-to-change-their-password-after-hack#:~:text=233%20million%20eBay%20users%20were,in%20a%20major%20cyber%20attack.&text=Cyberattackers%20compromised%20a%20small%20number,corporate%20network%2C%20the%20company%20said.
Bobbert, Y., & Mulder, H. (2015). Governance Practices and Critical Success Factors Suitable for Business Information Security. 2015 International Conference on Computational Intelligence and Communication Networks (CICN), 1097–1104. IEEE Xplore. https://doi.org/10.1109/cicn.2015.216
Centre for the Protection of National Infrastructure (NCPI). (2021, March 30). Security culture. NCPI. https://www.cpni.gov.uk/security-culture
CPNI. (2017, September 14). Good Governance. CPNI. https://www.cpni.gov.uk/content/good-governance
Dhillon, G. (2016). The Changing Faces of Cybersecurity Governance; What to Do Before and After a Cybersecurity Breach? In The Kogod Cybersecurity Governance Center (KCGC). The American University. https://www.american.edu/kogod/research/cybergov/upload/what-to-do.pdf
Federal Trade Commission. (2021, February). Data Breach Response: A Guide for Business. Federal Trade Commission. https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business
Herath, H. S. B., & Herath, T. C. (2014). IT security auditing: A performance evaluation decision model. Decision Support Systems, 57, 54–63. Science Direct. https://doi.org/10.1016/j.dss.2013.07.010
Hudson, M., & Reyes, M. (2021, February 25). Why Zero Trust is the right mindset for the defense and intelligence industry. Microsoft Industry Blogs; Microsoft. https://cloudblogs.microsoft.com/industry-blog/government/2021/02/25/why-zero-trust-is-the-right-mindset-for-the-defense-and-intelligence-industry/
Hughes, M. (2021, April 15). Make Your Organization More Resilient to Cyber Attacks. Harvard Business Review. https://hbr.org/sponsored/2021/04/make-your-organization-more-resilient-to-cyber-attacks
Li, H., Yoo, S., & Kettinger, W. J. (2021). The Roles of IT Strategies and Security Investments in Reducing Organizational Security Breaches. Journal of Management Information Systems, 38(1), 222–245. Taylor & Francis Online. https://doi.org/10.1080/07421222.2021.1870390
McGee, M. K. (2012, December 18). How a Breach Led to Change in Culture. Careers Info Security; Information Security Media Group, Corp. https://www.careersinfosecurity.asia/interviews/how-breach-led-to-change-in-culture-i-1738
Nakashima, E. (2015, July 10). Hacks of OPM databases compromised 22.1 million people, federal authorities say. Washington Post; The Washington Post. https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Peterson, A. (2014, December 19). The Sony Pictures hack explained. Washington Post; The Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/
Poppensieker, T., & Riemenschnitter, R. (2019). A new posture for cybersecurity in a networked world. In McKinsey (pp. 18–26). McKinsey & Company. https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx
Sanderson, R. (2011). A secure data protection strategy. Network Security, 2011(3), 10–12. Science Direct. https://doi.org/10.1016/s1353-4858(11)70025-3