Cybersecurity Must-Haves for 2023
With smartphones now as powerful as PCs, it is possible to work from anywhere. However, the flexibility comes with a trade-off. With the removal of perimeters, employers are grappling with securing an extended perimeter as conventional castle-and-moat cybersecurity models are no longer viable.
Recently, I sat down with Dave Klein from Cymulate and together, we agreed on 3 cybersecurity must-haves for businesses to securely implement a perimeterless digital workplace.
In the webinar, we address a few key points for consideration regarding service-level agreements (SLAs) as well. To learn more, click here [insert hyperlink:
To start, it is imperative to have:
1. A Clear Understanding of Risk Scenarios
A risk scenario explains how a possible risk event will have an adverse impact on business goals. Typically, it is written in the form of a narrative that succinctly describes the circumstances required for the risk to materialise and the consequences that would result.
A well-written risk scenario equips organisations to better prepare for future uncertainty by narrowing the communication gap between cybersecurity professionals and business stakeholders. Ransomware, for instance, is more concrete and tangible when it is explained as having the potential to disrupt systems for X number of days where we will no online business function can be carried out; “Non-compliance with regulatory requirements will cause the business to incur a fine of Y dollars”, etc.
When cyber threats are phrased in the business perspective of the business, business stakeholders are able to understand the business consequence of a cyber risk, and they will be able to decide and define what is an acceptable loss to them. This information will shape our understanding of the organisation’s risk appetite and help inform the risk mitigating activities that need to be implemented thereafter.
2. Balance between Usability and Security
Too much of any one thing is never a good thing. This holds as true for fast food as it does for security controls.
The goal of cybersecurity is to protect the business; and for that, we need everyone’s participation. Good security solutions restrict unauthorised access to assets, but they must also be sufficiently intuitive to enable the non-tech-savvy employees to navigate. The more complex a tool, a security policy, a user interface or user experience is, the greater the resistance to it and the organisation’s security risk remains high when security tools and policies are not adopted by employees.
Logging a user out within 5 minutes of inactivity, requiring more than 2 factors for authentication to use a non-critical software are examples of excessive security which can do more harm than good. When security disrupts workflow, it discourages adoption. Case in point, no one really reads online privacy policies because they are always so lengthy and convoluted. Users also tend to end up granting excessive permissions because it takes too much effort to investigate what each permission is for when they just want access or to get the job done quickly. Building controls that make sense and are practical requires a balance between security requirements and usability.
3. Incident Response Plan that Involves Your Third Parties
In an ideal world, we need only worry for our own safety. In a world where supply chain attacks are growing more and more frequent however, we have to accept that our partner’s risks are our risks as well. What we mean is that each organisation will have to shoulder the costs and responsibility of answering to their own customers and the authorities even if the security breach occurs as a result of the negligence or vulnerability of one of their third parties.
Moving forward, the expectation is that threats can come from anywhere within our ecosystem — it might be from a compromised vendor, supplier, or even customer. In which case, ensuring your own business continuity must involve working with your third parties. Perhaps this means assessing risks associated with suppliers before engaging them for specific projects or contracts; or having policies in place governing relationships with third parties from start to finish.
It is best that important conversations like these are had before moving into contract negotiation. Minimally, you ought to be in agreement on a way forward when an attack occurs. As a start, consider the following: What are your individual roles and responsibilities? Who calls the shots? What extent of your ecosystem needs to be involved?
Before you spring into contracting new vendors to resolve the above mentioned issues, I urge you to first consider your inventory; What are some of the existing tools and resources in your arsenal that you can leverage already? For example, if you have already purchased tools to facilitate data loss protection, some of these may also include risk assessment and ransomware protection in their package.
With that visibility, you can then identify the gaps that you need to fill and from there, you can determine whether it makes sense to outsource or manage internally based on your budget and resources.
By Magda Chelly
Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
Find out on magda-on-cyber.com
Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
- The IFSEC Global influencers in security and fire 2021
- Top Women in Security Asean Region 2021 Awards https://www.asiapacificsecuritymagazine.com/winners-and-judges-of-the-top-women-in-security-asean-region-2021-awards/
Follow Magda on her Social Media Accounts:
- LinkedIn: https://www.linkedin.com/in/m49d4ch3lly
- Twitter: https://twitter.com/m49D4ch3lly
- Facebook: https://www.facebook.com/m49d4ch3ly
- Instagram: https://www.instagram.com/m49d4ch3lly