Culture is king in the cyber battle

In a noisy cyber vendor landscape, organisations can focus on the wrong technologies. The real key to being secure by design is the installation of a security culture

Cyber attacks have broken through into wider public consciousness like never before in recent years, accelerated by Covid-induced changes in employee behaviours which have exposed companies to additional vulnerabilities. The increased daily reliance on poorly protected home networks is unlikely to subside, as many people have become accustomed to the flexibility of remote work. International criminal networks, like ransomware gangs, have meanwhile not only
become more professionalised but also easier to participate in, amid widely accessible and improved tools which malicious actors can download for free to identify and attack new targets.

These factors, and more, have fuelled a surge in ransomware attacks that increasingly make front page news, with devastating consequences for businesses. The average downtime a company experiences after a ransomware attack is 21 days, according to Coveware, but the reputational damage is far more enduring. And while organisations are making larger investments than ever in bolstering their cybersecurity, most still lack a baseline understanding, at the executive level, of what their most critical risks are and how to mitigate them more effectively.

“Social engineering attacks, the use of deception to manipulate individuals into divulging confidential or personal information, continue to rise in popularity because they are effective,” says Andrew Sellers, chief technology officer at risk analytics company QOMPLX. 

“Humans can be careless, subject to manipulation, and make mistakes. As more of our private information becomes available online, whether through data breaches or information people inadvertently supply themselves, the pool of easy victims continues to grow. While guarding our personal information and pushing for better data privacy is important, it’s insufficient to solve the problem.

“That’s because of what we expect people to do as part of their everyday duties. If you work in HR, it’s your job to open the résumé files of people you don’t know who could be embedding them with malware. If you work in accounting, it’s your job to open Excel spreadsheets that may contain malicious macros. Bad actors often only need one access point to corrupt your entire network. What companies need is a security culture at their core, and it must start at the top.”

A mature security culture at any organisation means, at every level, from executives to new entry-level hires

A mature security culture at any organisation means, at every level, from executives to new entry-level hires, the security of systems and assets is a widely recognised priority. Managers must set the tone that basic security policies must be followed, and that the information security executives are empowered as true decision-makers with influence within the C-suite. All employees must be aware of these policies, and trained on how to avoid common mistakes.

Perhaps most importantly, however, organisations cannot expect any employee training programme to stop every single attack. There are simply too many threats to remain entirely secure, and regardless of investments in endpoint security, any organisation’s systems are too porous. Instead, they must invest in establishing a security culture which, in addition to enforcing basic cyber hygiene measures like multi-factor authentication, adopts modern security protections that can safeguard identity in order to make their systems less vulnerable by design.

“It’s a common lament among security experts: despite ample warnings to their superiors of critical vulnerabilities, senior leaders failed to either invest or properly implement the security posture required to prevent the most damaging threats, like attacks on identity,” says Sellers. 

“While proactive mitigation efforts can seem costly at first, they pale in comparison to the now commonplace multi-million-pound ransoms and massive business interruption of core services, not least the stigma of reputational damage that may not be recoverable in a competitive sector.

“The reality is most organisations operate on systems like Microsoft’s Active Directory, which have had many critical vulnerabilities come to light over the years. That’s why understanding your ground-truth exposures, using advanced data analytics to better quantify, model and predict your risk, is absolutely essential. That quantification in real financial numbers allows security executives to then make a more compelling case for investments in better security.”

The inherent vulnerabilities of individuals and organisational cultures must inform what kinds of technologies vendors offer in order for those solutions to be effective in practice. It’s all too common for organisations to focus on the wrong kinds of technologies, including those that oversimplify or make false promises about catching bad actors before they get into a system.

Bad actors often only need one access point to corrupt your entire network. What companies need is a security culture at their core, and it must start at the top

A mature security culture with a modern security posture prioritises investments in a broader set of security tools which recognise that all systems, like the people who built them, are fallible. And those security tools must be able to provide powerful capabilities to enhance a company’s visibility, resilience and ability to intelligently plan for the future based on its ground-truth risk.

As well as providing unique risk analytics capabilities, QOMPLX also works with organisations as partners to help them foster a security culture. True mitigation is difficult, and can’t simply be bolted on, so QOMPLX understands each organisation’s needs, security architecture and level of business risk before helping build in greater resilience against exploitation of privilege and authentication, which is evident in nearly every single major ransomware attack or data breach.

“We don’t just hand you software off the shelf with a login and say good luck. We ensure you’re able to see your real exposures that will help you understand the wider picture along with what other risks and opportunities are present, so you can better protect the business,” Sellers adds.

“You can’t defend against what you can’t see. A robust security culture allows business leaders the space and authority to ask key questions in advance. Do I know who and what is truly operating in my environment? Is what I’m seeing the whole picture? The more that companies can understand their true ground-truth risk, not just what a check-box compliance requirement says, the better they can make intelligent decisions for their long-term security and growth.”

For more information, visit qomplx.com

Promoted by QOMPLX