Creating and rolling out an effective cyber security strategy

With cyber attacks continuing to evolve and occur more frequently, infiltrating companies big and small, establishing and rolling out a security strategy that encompasses both office and remote working is paramount. This means ensuring that security initiatives go beyond the traditional, office-based infrastructure and take remote endpoints into account.

What’s more, organisations should also keep in mind that prevention alone is not enough; according to IBM, the average time to detect and contain a breach currently sits in the region of 280 days. In this time, it’s easy for cyber attackers to gain a foothold in an environment and cause damage.

“When developing a cyber security strategy, traditionally enterprises have focused on threat prevention with little attention given to detection and often none to response,” said Martin Riley, director of managed security services at Bridewell Consulting.

“However, the problem with this approach is that it fails to match the increasing complexity and sprawl of enterprise architecture, driven largely by cloud adoption.

“It’s imperative that modern cyber security strategies shift from prevention to response. This means not only ensuring that the right cyber security policies and procedures are in place, but also managed detection and response (MDR) to ensure companies are prepared should the worst happen.”

This article explores how a cyber security strategy that’s effective for office-based, remote and hybrid workforces can be rolled out throughout the organisation.

Communication and collaboration

It’s vital that all departments, not just the security team, are on the same page when it comes to keeping company infrastructure secure. The likely continuation of remote working for at least some of the working week calls for clear and frequent communication over email, video call meetings and other remote communication methods.

“An organisation must first understand its systems, the cyber security it already has in place and where there are gaps that could be targeted – both from a compliance perspective but also to understand the specific needs of the organisation, as no two cyber security strategies will be the same,” said Colin Blumenthal, managing director at Complete I.T., a part of Sharp.

“Multiple people across the organisation will need to be involved in building the cyber security strategy alongside the CISO – from finance to marketing, you need to take into consideration the systems used across the business and the different ways your teams work.

“Once a strategy is created it needs to be communicated to the wider business, ensuring buy-in and understanding. Everyone plays a role in cyber security, especially as employees are often the weakest link in your defence against cyber crime.”

Evaluate risks and utilise findings

Another key aspect of cyber security to consider is risk evaluation. Any potential vulnerabilities within the network need to be found and mitigated quickly, without disrupting operations.

Kevin Reed, CISO at Acronis, explained: “In my experience, many companies are doing ‘compliance-focused security’ – with their security programmes aiming to ‘check boxes’ in order to achieve compliance. Yet, such organisations stay horribly insecure.

“I believe security strategy has to be based on the real risks evaluation. There are a few ways to do that, but in my experience, the best way to assess the real risks is to conduct pen-testing and incorporate findings from those directly into your security programme – both tactically, fixing the immediate vulnerabilities discovered and strategically, thinking about how those vulnerabilities came into existence in the first place and what could be done systematically to eliminate them.

“Once you’ve fixed what you’ve found, iterate. Do it until you think you’ve matured your incident response. Then start conducting red team exercises to see how your team can respond to a real attack, and again, continue to iterate – probably, forever.”

Look beyond the first line of defence

For any cyber security strategy to be truly successful in the long-term, multiple lines of defence need to be in place. With the perimeters of networks evolving overall due to a shift to remote working, data needs to be protected accordingly, taking possible insider threats, stolen passwords and other factors into account.

“The elements for an effective cyber security strategy run both broad and deep, but it’s important to ensure that we look beyond just the initial perimeter and first line of defence,” said Rashid Ali, enterprise solutions manager at WALLIX.

“Many organisations start here, but security needs to also go beyond this, looking at how to secure the interior — considering insider threats and a second line of defence should an attack get through.

“Whether it’s through a firewall breach, a stolen password, or a brute-force attack, a comprehensive and therefore effective security strategy should act to also protect the interior network — limiting any data loss or damage and maintaining continuity.

“A well-rounded cyber security strategy looks at how to incorporate this into every level and element of the business — from protecting the network, through to defending and mitigating against any impact.”

Limit access to mission-critical infrastructure

Notable incidents such as breaches within the networks of SolarWinds and Microsoft have shown that companies must go beyond basic patching and checks if they are to avoid exploitation. With threat actors becoming more creative, access to mission-critical infrastructure needs to be limited.

David Higgins, technical director EMEA at CyberArk, explained: “The bottom line is that many organisations are simply failing at security 101. They don’t have the basics covered, whether that’s patching, implementing regular system updates, or tightening controls over privileged accounts and administrator credentials. These fundamentals should form the basis of every cyber security strategy, but the basics will only go so far.

“Attackers are relentless in seeking vulnerabilities and loopholes that they can exploit, and they often enjoy success from exploiting privileged credentials. Typically, this involves them illegally procuring the credentials of privileged users, infiltrating networks, moving laterally across them, conducting reconnaissance, and then exfiltrating highly sensitive and critical data.

“Adopting strong privileged access management is a must. This helps prevent lateral movement, contain an attack and limit damage.

“Attackers will always succeed from time to time, but their efforts should never be allowed to prevent businesses from running. Every security strategy should aim to limit attackers’ chances of success, and that means locking down access to mission-critical systems, applications and data from the outset.”
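To make Higgins’ points concrete, the following is an added example (not code from the article or from CyberArk) that audits a constructed inventory of accounts for the privileged-access weaknesses he describes: admin credentials without MFA, shared credentials, dormant privileged accounts, and one identity holding admin rights across so many systems that a single stolen credential gives wide lateral movement. The 90-day dormancy threshold and the three-system limit are assumptions chosen for the example, not figures from the article.

```python
"""Privileged-account audit (added example, constructed data).

Flags the conditions that make credential theft and lateral movement easy:
no MFA on a privileged account, shared admin credentials, dormant admin
accounts, and over-broad admin rights. Thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

DORMANT_DAYS = 90        # assumed: privileged account unused this long is a risk
MAX_ADMIN_SYSTEMS = 3    # assumed: blast-radius limit for a single identity


@dataclass
class Account:
    name: str
    admin_on: List[str]  # systems on which the account holds admin rights
    mfa_enabled: bool
    shared: bool         # credential known to more than one person
    days_since_use: int


def findings(acct: Account) -> List[str]:
    """Return the list of privileged-access findings for one account."""
    out: List[str] = []
    if not acct.admin_on:
        return out  # non-privileged accounts are out of scope for this check
    if not acct.mfa_enabled:
        out.append("privileged account without MFA")
    if acct.shared:
        out.append("shared privileged credential (no individual accountability)")
    if acct.days_since_use > DORMANT_DAYS:
        out.append(f"dormant privileged account ({acct.days_since_use} days unused)")
    if len(acct.admin_on) > MAX_ADMIN_SYSTEMS:
        out.append(
            f"admin on {len(acct.admin_on)} systems; "
            "one stolen credential would allow wide lateral movement"
        )
    return out


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map account name -> findings, omitting accounts with nothing to report."""
    report = {}
    for acct in accounts:
        f = findings(acct)
        if f:
            report[acct.name] = f
    return report


# Constructed sample inventory; names and systems are illustrative only.
SAMPLE_ACCOUNTS = [
    Account("svc_backup", ["fileserver", "db01", "db02", "erp", "mail"], False, True, 2),
    Account("jdoe-admin", ["dc01"], True, False, 400),
    Account("asmith-admin", ["jump01", "dc01"], True, False, 3),
    Account("asmith", [], True, False, 1),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run as a script, the report lists only the two accounts that need attention: the shared, MFA-less service account with admin rights on five systems, and the domain admin account nobody has used in over a year. Accounts with no privileges, or privileged accounts that pass every check, are silent, which keeps the output actionable.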

Prioritise according to risk and value

With so many types of data present in company networks, Chris Waynforth, area vice-president at Imperva, believes that an effective security strategy sets priorities according to risk and value.

To achieve this, Waynforth suggests the following steps: “First, organisations need to avoid the trap of over-prioritising the security of unstructured data. It might seem that this presents more of a risk factor than structured data and that cloud services are secure-by-design, but that isn’t necessarily the case.

“A data security strategy has to consider all data and prioritise according to the actual risk. It means auditing data to understand exactly where it is stored and the level of risk it presents to the organisation – including dormant databases inside the corporate network, and new databases in the cloud.

“Next, the organisation should only keep what’s necessary: data that has limited or no value as an asset, but high liability, should be deleted. Access to any remaining data should be strictly controlled: database administrators, software developers or marketing specialists don’t need access to the same data, and widening access increases the risk of leakage.

“Finally, data needs to be monitored in a way that the organisation can identify and prevent data leaks, whether deliberate or accidental. These are the bare bones of an effective data security strategy, but they’re essential for effective cyber protection.”
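The audit, retain-only-what’s-needed, restrict-access and monitor steps Waynforth lays out can be turned into a simple scoring pass over a data inventory. The following is an added example (not code from the article or from Imperva) that ranks a constructed set of data stores by risk, where risk is built from the liability of the data classification, the size of the store and how many roles can reach it, and then recommends an action for each: delete dormant stores with no business value, restrict access where a high-risk store is reachable by too many roles, and monitor the remaining sensitive stores. The classification weights, the 180-day dormancy threshold and the score cut-off are assumptions chosen for the example.

```python
"""Data-store risk prioritisation (added example, constructed data).

Implements the audit -> delete -> restrict -> monitor sequence as a scoring
pass. Weights and thresholds are assumptions, not figures from the article.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed liability of each classification if the store were leaked (1-5).
LIABILITY = {"public": 1, "internal": 2, "confidential": 4, "regulated": 5}
DORMANT_DAYS = 180       # assumed: no access for this long counts as dormant
RESTRICT_SCORE = 20      # assumed: score at which wide access must be narrowed
MAX_ROLES = 2            # assumed: more roles than this is "wide" access


@dataclass
class DataStore:
    name: str
    location: str              # "on-prem" or "cloud"; both must be audited
    classification: str        # key into LIABILITY
    record_count: int
    business_value: int        # 0-5, assumed to be owner-assessed
    days_since_last_access: int
    roles_with_access: List[str]

    def dormant(self) -> bool:
        return self.days_since_last_access > DORMANT_DAYS

    def risk_score(self) -> float:
        """liability x size band x exposure; exposure grows with each extra role."""
        liability = LIABILITY[self.classification]
        # Size band 1..5 by order of magnitude of the record count.
        size_band = min(5, len(str(max(self.record_count, 1))))
        exposure = 1 + 0.5 * max(0, len(self.roles_with_access) - 1)
        return liability * size_band * exposure


def recommend(store: DataStore) -> str:
    """Apply the keep-only-what's-needed / restrict / monitor rules in order."""
    if store.business_value == 0 and store.dormant():
        return "delete"            # no value as an asset, pure liability
    if store.risk_score() >= RESTRICT_SCORE and len(store.roles_with_access) > MAX_ROLES:
        return "restrict access"   # high risk and reachable by too many roles
    if store.classification in ("confidential", "regulated"):
        return "monitor"           # sensitive but appropriately scoped: watch it
    return "accept"


def prioritise(stores: List[DataStore]) -> List[Tuple[str, float, str]]:
    """Return (name, score, recommendation) ordered from highest risk down."""
    ranked = sorted(stores, key=lambda s: s.risk_score(), reverse=True)
    return [(s.name, s.risk_score(), recommend(s)) for s in ranked]


# Constructed sample inventory covering cloud and on-prem, active and dormant.
SAMPLE_STORES = [
    DataStore("customer_db", "cloud", "regulated", 120_000, 5, 1,
              ["dba", "backend-devs", "marketing"]),
    DataStore("legacy_crm_2014", "on-prem", "confidential", 50_000, 0, 400, ["dba"]),
    DataStore("marketing_assets", "cloud", "public", 3_000, 2, 3, ["marketing", "design"]),
    DataStore("hr_payroll", "on-prem", "regulated", 800, 4, 7, ["hr"]),
]

if __name__ == "__main__":
    for name, score, action in prioritise(SAMPLE_STORES):
        print(f"{name:<18} risk={score:>5.1f}  -> {action}")
```

The ordering is the point: the regulated customer database reachable by three roles comes out on top and gets an access-narrowing recommendation, the forgotten on-premises CRM with no remaining value is marked for deletion, the small but regulated payroll store is kept under monitoring, and the public marketing assets are accepted. Swapping in a real inventory export is the only change needed to use the same pass in practice.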

Relieve strain using cutting edge technologies

Finally, it’s important to minimise the strain on IT personnel where possible, and Ian Pratt, global head of security for personal systems at HP, recommends deploying cutting edge technologies at the heart of security initiatives.

“Organisations must invest in strategies that not only protect the enterprise, but that also reduce pressure on IT, while not burdening the user,” said Pratt.

“This strategy must be underpinned by leading edge technologies, to enable fine-grained segmentation, mitigate and limit the impact of cyber breaches.

“For example, rendering malware harmless through threat containment via micro-virtualisation, which shrinks the addressable attack surface and delivers protection against the most common attack vectors – email, browser, chat, downloads and USB devices.

“Self-healing firmware, in-memory breach detection and automated alerting help IT and security teams to monitor, manage and recover from attacks. Added to this, cloud-based intelligence and data gathered via endpoints enhance threat data collection to turn a traditional weakness – the endpoint – into an intelligence gathering strength.”

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.