Security remains a consistent and ever-present challenge to the organisation today. The statistics that follow in its wake are certainly enough to keep any decision-maker awake at night. In 2020, Verizon’s Data Breach Investigations Report found that 94% of malware arrived by email, that social engineering remained the leading cause of reported incidents, and that phishing remains a winner for the hackers.
Dell’s survey found that 63% of companies had said their data was potentially compromised over the past year due to a hardware or silicon-level security breach, and Kaspersky’s antivirus platform discovered more than 24 thousand unique malicious objects in 2019. And all these are outside of the threat vectors introduced by the global pandemic. According to Jonathan Tullett, Research Manager for IT Services, International Data Corporation (IDC) South Africa, it has become close to impossible to secure the completely remote workforce with specifically targeted threats and increased online vulnerabilities.
“The disintegration of the perimeter due to remote working is one of the biggest security challenges facing the organisation today,” he explains. “COVID-19-related phishing, a remote workforce, rushed online solutions, limited cloud security – these factors have all contributed to a complicated environment for the business.”
Cybercrime has been a force to contend with for years, but it is becoming more intelligent, better executed, and funded, and more targeted by the day. To fully prepare the organisation for the threat actors that consistently pose a risk to system and information, security needs to focus on the full chain of security, from detection to remediation. This turns security from a brittle process that is blamed when it breaks, to a resilient and flexible posture that can truly perform. Security by design, embedded into every aspect of the process, product, service, and business.
“Manage identities, users, applications, infrastructure, privileged identities, API endpoints, customers, partners and all other parts of the chain correctly – they are all identities, and they all need to be managed,” adds Tullett. “Monitor your infrastructure for anomalies, examine for large volumes of data in motion, establish protocols that can identify issues. These are factors that every organisation should consider when it comes to security best practice today.”
To be successful and digital, the organisation must innovate, automate, integrate, and have security as a priority. These are the pillars that hold the organisation firmly in place as it faces the complexities and mercurial vanities of cybercriminals and security weaknesses. These four are inextricably linked to one another – one cannot be done without impacting the others. The business cannot be secure without integrating and automating tools, and it cannot automate without security the elements that are being automated. It is an ouroboros that ensures each part of the business is optimised and capable and that each part does not operate in a silo that is prone to risk.
“Education is also key,” says Tullett. “This cannot be understated. Educate people so that they understand how their behaviours introduce risk and how their mistakes can bypass even the most sophisticated system. Educate business units so they understand why it is important to collaborate and to ensure that people adhere to the company security policy. And educate every person in the business so they understand why the rules are in place and how this protects them as much as it does the business.”
For Tullett, the next most practical step is to outsource security operations. Security-as-a-Service puts all the skills and expertise required to ensure that a business is secure by design into the business without having to source the people, skills, and the expertise. The market is short on talent, so bring it in from external sources that have a comprehensive grip on the cybersecurity landscape and the threats it presents.
“Don’t balance security and productivity,” concludes Tullett. “COVID-19 showed the business that interruptions in productivity are a direct business risk and security is part of that risk portfolio. Do not skimp on security, and the security team should not lose sight of the fact that it is a cog in the risk machine. Managed security services have become an essential foundation for security in 2020, as have behavioural analytics, identity management, and education.”