It’s Cybersecurity Month so treat yourself to this guest post by Quentyn Taylor.
It is now a matter of when, and not if, businesses will experience a cyber-attack. As the importance of IT data processing and volume of confidential business data grows, IT leaders are under increasing pressure to safeguard business-critical operations and protect their reputations.
To address the constant threat of cybercrime, IT decision makers (ITDMs) are having to focus more time on managing information security than ever before, with Canon research (Information Management research report) showing that as many as half (50%) of ITDMs now report this as their most time-consuming task – up from 44% in 2021.
While emerging technologies such as AI can certainly help and be part of a company’s cybersecurity proposition, it’s not the ultimate solution. It is instead crucial that security leaders continue to remain vigilant to the basics – as it is only by placing good every day security practices at the heart of their cyber strategy, and embedding them within company culture, that they can meet the persistent threats facing businesses today.
To get started establishing good cyber hygiene, businesses must address four key
steps:
1: Mastering the basics
The most effective defences, and sometimes the hardest to get right, are the security basics. New emerging technologies, while promising, should never be used as a substitute for a strong cyber foundation.
As the number of devices and locations information is being accessed increases, thanks to hybrid working, maintaining the basics are even more important as ITDMs visibility over the network is reduced. It is common to find companies without an understanding of what services and servers they have exposed to the Internet.
Without consistently enforcing security basics such as multi factor authentication (MFA), regularly updating software and patches, businesses will be at significantly increased risk of a breach.
It may seem simple, but most recent high-level attacks have happened not as a result of sophisticated methods leveraging AI, but rather, malicious actors able to get access through what looked like a minor issue. For example, the password spray method, checking if users are using the same password on multiple systems, can help hackers to identify weak links, such as legacy accounts that do not have MFA. The exploitation of one small vulnerability in some cases can lead threat actors to gain access to a business’s entire corporate system.
In the age of AI, IT leaders cannot forget these basic information security features, that can result in successful breaches even in cases where more complex and sophisticated defences are in place.
Employees also have a part to play, as the first line of defence. Businesses need to ensure frequent, clear communication around cybersecurity basics – especially in hybrid working scenarios, where the distance between the office and actual workplace can inspire security apathy in remote workers or result in more complex security strategies needing to be in place as visibility becomes a greater challenge.
2: Knowing your risk profile
Knowing where, what, and how much data you store is crucial to identifying vulnerabilities and restoring operations in the event of a security incident. As all businesses are likely to suffer an attack, this knowledge is vital to responding at speed, protecting data and systems and safeguarding business critical operations. Without a basic understanding of the data at risk, businesses will not be able to effectively respond.
Likewise, an access management strategy should be in place at all times. Maintaining up-to-date records around who can access documents is an ongoing challenge faced by ITDMs. But often, it is these human elements which can alert security professionals in the event of a breach.
Businesses should begin by enabling MFA and working to zero-trust principles, introducing centralised logins, and enabling access to be cross-referenced and integrated with physical authenticity checks.
3: Understanding the role of emerging technology
While every year we hear of new, large-scale and successful cyberattacks, the truth is that very few are actually ‘new’. Despite the adoption of emerging technologies by businesses and threat actors alike, cyber criminals are still ultimately relying on proven methods to breach systems and steal valuable business data.
AI tools have the potential to become a weapon in cybercriminals’ arsenals. Inexpensive AI can generate convincing phishing emails and even realistic voiceovers for calls, enhancing the effectiveness of scams. However, whilst this potential exists, many criminals are not yet exploiting it as they don’t need to. The current techniques work perfectly well and so AI is not yet being used by significant numbers of threat actors.
While AI enhances the sophistication of cyberattacks, the underlying vulnerabilities remain the same. These attacks often exploit well-known security weaknesses. This underscores the importance of maintaining strong cybersecurity hygiene as a fundamental defence. As businesses continue to facilitate hybrid working, the ongoing reliance on digital communication channels makes the potential threat of AI enhanced phishing attacks particularly acute.
Educating staff around the use of emerging technologies to create phishing links in staff emails, or to target inadequately patched software, can be a good first step to protecting business infrastructure from these attacks.
In the future, emerging technologies like automation and AI can enhance cybersecurity by streamlining processes and strengthening defences. However, the fundamentals of cybersecurity will remain crucial for a robust strategy.
4: Creating a culture of openness
In the event of a security breach, many people report feelings of shame. Businesses also worry for their reputations – fearing the consequences of a data breach negatively impact their standing amongst partners and customers.
This can inevitably lead to a culture of secrecy, where successful attacks are suffered, and dealt with, in the dark. But relying on silence only benefits one section of society, and those are the attackers themselves.
Adopting a zero-blame culture where employees are rewarded for reporting issues as early as they possibly can, without fear of reprisal, enables business to quickly respond to attacks and has been shown to significantly improve the efficacy of an awareness programme. Likewise, when an organisation suffers an attack, a culture of openness should allow them to share their learnings and allow others to further protect themselves.
Preparing for an attack, ensuring a response
Threat actors will find and exploit any vulnerabilities to gain access to an organisation’s systems – from any time, at any level. That’s why establishing the basics of cyber resilience is so important. Acting fast to patch issues can prevent attackers from accessing systems using known weak spots. Educating staff can reduce the likelihood of human error which could introduce malware into business systems. And an up-to-date access management strategy can help to identify suspicious activity before data is lost.
The most effective way you can prepare for an attack and ensure an effective response is to simulate and run tabletop exercises with your senior leadership team and IT teams to take them through what will happen in a cyber-attack. To paraphrase the first paragraph of this article “it’s not a matter of if, it’s a matter of when” – therefore preparing for the inevitable attack and making sure that you have all of the tools and processes in place before the attack occurs is the direction that companies should adopt.
These are not complex security requirements; they are the basics. But in the age of AI and emerging technologies, it is important that we don’t lose sight of the fact that fortifying security basics and ensuring good cyber hygiene can actually protect organisations from the majority of attacks.
About the writer:
Quentyn Taylor is the Senior Director – Information Security, Product Security and Global Response at Canon for Europe, Middle East and Africa
What’s your take? Cancel reply