Mitigating risks related to security threats and vulnerabilities can be a tricky business. What do you prioritize? Where's the cutoff in terms of how many tools and services you should use? What vulnerabilities might remain even after you've taken action?
There are also budget considerations, and for many organizations, a major shortage of available security skills to help address the growing number of threats. In fact, research from (ISC)² estimated a shortfall of more than 4 million cybersecurity experts worldwide, with 51% of respondents saying their organizations were at moderate to extreme risk because of the shortage.
To address these challenges effectively, we all need to take a more commonsense approach to security. Sometimes, honest dialogue and collaboration can help an enterprise create a cost-effective, real-world security posture. And sometimes, the commonsense answers are right in front of us, if only we take the time to look for them and act on them.
Let's look at a few examples of how this approach works.
Assessing the Risks
A small startup company might have a budget that only supports $1 million per year for cybersecurity tools, services, and one dedicated security employee. But the team responsible for IT acknowledges that this approach will not be sufficient, given the growing security threats facing the company.
Rather than just making do with less and hoping for the best, the team takes a proactive, collaborative approach and explains the possible risks to the company's senior leadership and board.
If the board assesses the situation and concludes that the risks are reasonable, it can approve the current strategy. Or it might say the risks are unacceptable and recommend doubling the budget and committing two staffers to security.
For example, I was on the board of a local, large business in Oregon. Company officials were debating whether to restrict the corporate website to just local web traffic in order to reduce the risk of an attack.
However, when it was pointed out that local businesses were responsible for only half of the company's overall revenue, officials agreed it did not make sense to restrict traffic. Instead, they devoted more budget to securing the company and its website.
Another example from my own company illustrates this point. We used to offer a "freemium" product, a free, limited version of our software that's great for generating leads. But we soon realized we were putting too many resources into managing this portion of the business. We also saw that the security exposure was too great and the strategy could backfire, hurting our reputation.
We decided to discontinue the version, redirecting the budget to marketing to attract enterprise customers, and ended up with much better results.
In another instance, I witnessed a CIO and CTO team face a ransomware attack. Over the course of a few hours on a Sunday, many computers used by the research and development team were compromised. All the data on these systems was encrypted as a result of the attack.
The attacker left a readme text file on a user's desktop stating that the files had been encrypted and that, to decrypt them, the user had to acquire a tool. That would entail sending an email including the user's personal identification, receiving a free test decryption of a few files, and then being quoted a price to recover the rest.
After receiving instructions from the attacker on how to pay for the decryption tool and then making the payment, the user would receive it. The message ended with a warning: "Do not try to do something with your files by yourself. You will [break] your data!!! Only we [can] help you!"
The good news for that particular team was that the company had a practice of separating production systems from R&D computers, and it had all its data backed up to the cloud on an hourly basis.
These two basic but strong measures allowed the IT organization to ignore the ransom demand and recover 90% of its data from backup in less than 24 hours. And because of the practice of separating production and R&D systems, the company's production was not harmed in any way.
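The hourly backup only paid off because the newest snapshot was recent and actually restored intact, which is exactly what a restore drill verifies. The script below is an added example, not code from the article or from the company it describes: it checks the age of the latest snapshot against the required interval (the recovery point objective), takes a checksum manifest of a snapshot, overwrites the live copy to stand in for the ransomware, and then restores and verifies every file. The directory layout, file contents and timestamps are constructed for the example; a real drill would point the same checks at the cloud snapshot store.

```python
"""
Added example (not the article's own code): a backup-age check plus a
checksum-verified restore drill for the hourly snapshot practice described
in the article.  All sample data, paths and timestamps are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_age_ok(snapshot_times, now, max_interval) -> bool:
    """True if the newest snapshot is no older than max_interval (the RPO)."""
    if not snapshot_times:
        return False
    return now - max(snapshot_times) <= max_interval


def take_snapshot(src_dir: str, snapshot_dir: str) -> dict:
    """Copy src_dir into snapshot_dir and return a manifest of relpath -> sha256."""
    shutil.copytree(src_dir, snapshot_dir)
    manifest = {}
    for root, _, files in os.walk(snapshot_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, snapshot_dir)] = sha256_file(full)
    return manifest


def restore_and_verify(snapshot_dir: str, manifest: dict, restore_dir: str) -> list:
    """Restore snapshot_dir into restore_dir and return the relative paths whose
    hash does not match the manifest.  An empty list means the drill passed."""
    shutil.copytree(snapshot_dir, restore_dir, dirs_exist_ok=True)
    mismatches = []
    for rel, expected in manifest.items():
        target = os.path.join(restore_dir, rel)
        if not os.path.exists(target) or sha256_file(target) != expected:
            mismatches.append(rel)
    return mismatches


def run_drill() -> dict:
    """Snapshot clean R&D data, wreck the live copy, restore, and verify."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "rnd")
        os.makedirs(live)
        # Constructed sample files standing in for R&D data.
        with open(os.path.join(live, "design.txt"), "w") as f:
            f.write("schematic v3\n")
        with open(os.path.join(live, "results.csv"), "w") as f:
            f.write("run,value\n1,42\n")

        snap = os.path.join(work, "snapshot")
        manifest = take_snapshot(live, snap)

        # Ransomware stand-in: overwrite every live file and drop a ransom note.
        for name in os.listdir(live):
            with open(os.path.join(live, name), "wb") as f:
                f.write(os.urandom(32))
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("your files are encrypted\n")

        restored = os.path.join(work, "restored")
        mismatches = restore_and_verify(snap, manifest, restored)

        # Constructed snapshot timestamps: newest is 35 minutes old.
        now = datetime(2020, 1, 5, 13, 0, tzinfo=timezone.utc)
        snapshots = [now - timedelta(minutes=m) for m in (35, 95, 155)]
        return {
            "rpo_met": backup_age_ok(snapshots, now, timedelta(hours=1)),
            "restore_mismatches": mismatches,
            "files_restored": len(manifest),
        }


if __name__ == "__main__":
    print(run_drill())
```

The manifest is taken at snapshot time rather than from the live system, so a restore that silently pulls back an already-encrypted file would show up as a hash mismatch instead of being counted as recovered.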
That's how common sense works with cybersecurity. Protecting systems and data doesn't have to be complicated or involve going through a long chain of command to get approvals. It's often a collaborative process that involves clear explanations of the problems and how they can be solved.
Providing training for employees so they can recognize and handle potential threats is critical, and gamifying the experience helps retention. For instance, cyber ranges replicate complex IT environments and give learners hands-on experience with real-world scenarios. In these environments, learners can be challenged to handle realistic threats using the same tools they would use on the job. This interactive approach has proven to be a strong proactive measure for mitigating risk.
Better training can help organizations teach employees to avoid risks and traps, such as falling prey to phishing attempts, using unprotected external devices, and installing unsafe software.
There's never been a more important time for organizations to practice commonsense security and emphasize collaboration among stakeholders. New threats and vulnerabilities are emerging all the time, yet many companies are grappling with limited security budgets and the ongoing cybersecurity skills gap.
By being proactive about security and fostering an open, clear dialogue about threats and how to address them, companies can better protect their information assets. It's common sense.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Wendy Nather on How to Make Security 'Democratization' a Reality."