The remote-work revolution happened overnight, without warning. It forced companies everywhere to take a hard look at how secure they really are, and many found themselves feeling (rightfully) quite exposed. Enterprises adapted in a matter of days to a remote-work reality that is still in constant flux as health guidelines change, lockdowns start and stop, and employees grapple with a new style of digital work.
Although many offices will reopen on the other side of the pandemic, the tide is now too strong to be reversed, and businesses can expect remote work to be a much larger part of their future. Making your company cyber-secure is no longer as simple as locking down the physical assets (desktop computers, laptops, iPads, etc.) inside your building. The problem is now distributed and even more multifaceted than before. As the recent SolarWinds incident, a software supply-chain compromise delivered through a trusted vendor's own update channel, proved all too clearly, businesses also need to secure their digital data assets whether they are stored in the Cloud or within the corporate network.
With so many new points of access and such a shift in how employees connect to company resources, the risk exposure of enterprises is significantly larger and different in nature. Cybersecurity has always been about risk management, and in today's volatile world minimizing risk can be the difference between a non-event and a business-changing misfortune. Here are five basic rules for minimizing enterprise cyber-risk in the new world of work.
1. Establish a Digital Intelligence (DI) infrastructure
We define Digital Intelligence (DI) as the data collected and preserved from digital sources and data types (smartphones, computers, and the Cloud), together with the process by which organizations access, manage, and obtain insights from that data to run their investigations more efficiently. Now that work has become far more remote almost overnight, it is imperative that enterprises prioritize DI at every stage, from monitoring and alerting through to incident response. Malicious attackers are taking advantage of the upheaval driven by the global pandemic, and Interpol has warned of “a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.” Enterprises must be aware that this is an especially dangerous period for cyber-risk and that, without proper forethought, they are exposing themselves to even more of it.
2. Reassess what is important to protect
While it may sound obvious, a common problem in protecting against cyber-risk is deciding what exactly is at risk. What are your company's “crown jewels,” the assets that deserve the most protection? Are resources being spent where they should be to protect what matters? The other side of the coin, of course, is whether resources are being wasted on security and risk-reducing measures applied where they are not really needed.
Make no mistake: enterprises should never skip basic security measures. The nature of cyberattacks means that any foothold an attacker gains, such as access to a single e-mail account, can eventually be worked into something much more valuable. Every enterprise should be clear about exactly where its most serious risks lie. Whether it is customer data, proprietary technology, or something else entirely, the company's security measures should be calibrated to protect it, with resources deployed where they count.
3. Commit to a cultural change when it comes to cyber-risk
It is surprisingly common for security incidents, such as successful e-mail phishing attacks, to go unreported. Employees may be embarrassed to have fallen for the trick and not want to expose themselves to criticism. Other times, employees who have been compromised don't know whom to report to, or whether it is even worth reporting. For many other kinds of cyberattack, employees may notice something “fishy” going on but have no clear protocol for what to do next. These are all cultural problems that affect security risk, and cultural change must start at the top.
This is where the role of the chief security officer, or chief information security officer (CISO), or whatever the equivalent title is, takes center stage. Beyond what the job demands on a technical level, a CISO, as a senior executive, is also responsible for creating a culture that treats security and cyber-risk management in the right way. It should be evident that management is on the same side as employees: if someone falls for a phishing attack, it must be clear that they can report the incident without fear of reprisal, and equally clear to whom they should report it. A security executive who cannot foster this kind of open, trusting, and allied culture internally exposes the organization to even more risk externally.
4. Educate, educate, educate
Education goes hand in hand with a healthy culture. Enterprises shouldn't expect employees to protect themselves against something they know nothing about. Just as it is important to train employees on good business practices and processes, they should be made aware of the specific threats and risks the company faces. Returning to the earlier points, they should understand what the “crown jewels” are (where appropriate) and how and where to report issues affecting security. This education should start at onboarding and continue throughout employment. It is a foundational part of decreasing cyber-risk in an organization. Knowledge is power, and a workforce well educated on cyber-risk is simply better equipped and less likely to fall victim to phishing schemes.
5. Acquire the tools and talent to learn from when things go wrong
Even enterprises with the best intentions, education, culture, and technology need specialized tools for monitoring, preventing, and responding to cyberattacks. Unfortunately, the reality is that cyber incidents are a matter of “when,” not “if.” And when something goes wrong and an enterprise is compromised, it should already have the tools, talent, and expertise in place to respond. That means stopping whatever is occurring, closing whatever gap was exploited, and thoughtfully analyzing what happened and why. Many companies, including Cellebrite, offer tools or even suites of tools that can handle just about any step in this process.
However, these tools and resources cannot be an afterthought. Much like the old proverb about planting trees, the best time to build a solid DI infrastructure, with all the tools and the expertise to use them, was yesterday. The second-best time is today.
Risk from cyberattacks is only growing, and with the world in a state of continuous chaos, malicious actors are crawling out of the woodwork to take advantage. Enterprises need to shore up against risk to an extent they never have before. But the enterprise that makes these preparations and takes these risk-mitigation steps today will only be stronger when tomorrow's challenges arrive.