6 minute read
Delivering an Effective Cybersecurity Strategy
Delivering an Effective
STRATEGY
Cybersecurity continues to be a major challenge for companies across the UK with as many as four in ten businesses (39%) reporting cyber security breaches or attacks in the last 12 months. Whilst many have struggled with security issues for decades, the COVID-19 pandemic has compounded such problems. The shift to remote working has made company devices and critical business activity vulnerable to unsecure home networks which exist outside of the scope of traditional security operations teams. This has resulted in many IT teams struggling to safeguard their data and adjust their security practices over the last year. Whilst many saw the pandemic as a catalytic moment for digital transformation, there’s no reason why the same can’t be said for cybersecurity. However if companies are going to revolutionise their security practices, they must rethink the way security is communicated across the business. Here are three vital components that make up an effective cybersecurity strategy in 2021.
Sync cybersecurity with strategic goals
A successful cybersecurity strategy should be in sync with a company’s strategic goals and must avoid hindering business performance or productivity. Historically, cybersecurity measures have made it harder for employees to carry out their day-to-day operations, with restrictions in place that strangle operational effectiveness. However, if cybersecurity measures restrict workflow this will lead to frustration among employees and limit the amount of staff adhering to necessary security procedures and even driving them to circumvent security controls.
Cybersecurity must also act as an enabler to the overriding strategic aims of the business, rather than setting the agenda itself. Rather than focusing on security first, start outlining the digital objectives of the company and then layer these with security measures that safeguard company data and information. In other words, companies should start with what they wish to achieve and then the security measures will become clear afterwards.
Furthermore, serious problems can arise when information security teams aren’t included in the design of solutions. Without continued communication and collaboration, information security teams can be blindsided with potential security risks that they have no choice but to isolate and secure. This creates the reputation that the information security team is the ‘big bad wolf’, rejecting digital initiatives and arbitrarily enforcing roadblocks that hinder progress. In reality, if information security
is integrated into the design and planning stages of digital initiatives throughout, this can foster a better working relationship so that when initiatives are launched they already have the security features required to get the green light.
If this level of collaboration is maintained, then over time digital teams will also become more aware of how to make initiatives secure from the outset. This process requires a cultural reset by which an entire company recognises that information security objectives are shared with the business objectives of the wider organisation, and are required to protect against regulatory, financial and reputational risks inherent to operating technology.
Sharpen up training
Cross-collaboration and harmonising security procedures with digital initiatives and strategic objectives is just the first step. Upholding a high standard of cybersecurity relies heavily on the successful communication of such procedures. Not every employee needs to be an expert in cybersecurity best practices, but the better prepared each and every staff member is, the less likely they’ll risk exposing company data to cyber criminals and hackers.
Internal cybersecurity training is the fundamental bridge between a company’s team of security experts and the wider workforce. It’s therefore crucial not to get it wrong. Security training is more effective if it is short, concise, interactive and fun. A succinct 25 minute training session every quarter is going to be much more impactful than a long, five hour session every year.
It’s also important to avoid ‘blanket’ security training and embrace tailored sessions specific to certain job roles. This is best achieved by adopting various tiers of security training that offer individuals the information they need in order to keep company data safe. In addition, training must be communicated through gentle reminders with tangible incentives.
Furthermore, information security teams will put their colleagues in the best possible position by ensuring the most secure approach is also the ‘easiest’ approach. This will mean everyone selects the ‘path of the least resistance’ and therefore adhere to security by default. Adopting this structure will act as a safety net alongside the regular training sessions put in place. teams aren’t attuned to the needs of the organisation, prioritising collaboration helps to combat this perception and lower the risk of shadow IT. In fact, embracing an open-source approach that breeds a culture of collaboration will serve companies well in their quest for good cybersecurity.
Adopt a collaborative approach to shadow IT
It is now much harder for IT teams to track which software staff are utilising when the entire company is operating from remote, disparate locations. The trick to countering this issue though is to start saying “yes” rather than defaulting to “no”. Making a concerted effort to understand why teams have deployed unapproved tech fosters a more collaborative culture, and once you have this understanding you can drive towards the win-win situation to help them in the area that they are trying to help themselves. The ‘Trust but Verify’ model is a great example of cross-collaboration between teams. It means that information security teams train end users and trust them to do the right thing but deploy automation to verify that the work they are doing complies with relevant policies. This empow-
Maintaining due diligence when it comes to ers end users to remain autonomous and make decisions cybersecurity training will ensure employees quickly whilst still knowing remain as vigilant as possible to the threats of there is a verification model cybercrime, such as phishing and ransomware that will protect their company attacks. Yet there will inevitably always be a from any potential mistakes. risk, often in the form of shadow IT. This has been a recurring problem for companies in reSecurity teams exist as an extension of the business cent years, however it’s certainly now of greater and enable productivity, rathconcern because the risk of exposure through er than hinder it. This shift in shadow IT has risen several notches due to the mindset relies on the successrise of remote working over the last year. ful communication of best practices, effective training and the merging of cybersecurity initiatives with the wider strategic goals at the heart of the business. If companies can implement these measures successfully then 2021 can become a catalytic moment for cybersecurity, just as it was for digital transformation 12 months ago.
By being more open and honest, companies are encouraging employees to come to their IT department with requests for help in implementing secure solutions rather than making the initial problem far worse. Most complications around shadow IT come from the perception that IT
Richard Slater, Head of Managed Services at Amido
Source:
1
https://www.gov.uk/government/statistics/cyber-securitybreaches-survey-2021/cyber-security-breaches-survey-2021