How Much Cybersecurity Do You Need?
Cyberattacks are on the rise. Hackers will seize on any opportunity to accelerate or obscure their cyberattacks. So imagine their delight when the COVID-19 pandemic forced companies to shutter their offices and conduct most, if not all, of their business remotely. It was open season with easy targets everywhere.
The attacks that followed were some of the most sophisticated, aggressive and successful ever seen. Hackers leveraged the disruption of the pandemic and the increased dependence on IT to attack organizations large and small across public and private sectors. Even with the pandemic dominating the news, cyberattacks made headlines throughout 2020 and into 2021.
Ransomware attacks, supply chain exploits and digital espionage redefined cybersecurity risk. Victims found themselves scrambling to control the damage and mitigate the costs, often unsuccessfully. In a chilling example of how ruthless today’s hackers have become, most ransomware victims who paid the ransom fell prey to a second attack, frequently perpetrated by the original attackers.
The pandemic shows signs of subsiding. Unfortunately, cyberattacks do not; the largest ransomware attack in history occurred over the U.S. Independence Day holiday weekend of 2021. The digital assets and cloud-based tools that companies have come to depend on—and hackers have come to prey on—aren’t going anywhere, either.
That raises the question: When everything is a digital workspace, is anything safe from cyberattacks?
Where Conventional Cybersecurity Falls Short
The various platforms and programs that facilitate the digital workspace all come with security features built in. On top of that, most organizations have a cybersecurity strategy in place, combined with dedicated security technologies. However, it would be a mistake to confuse these measures for a dependable defense.
The reason is that all these measures look outward, for threats and vulnerabilities in the wider IT ecosystem, rather than inward for weaknesses that exist inside the defense perimeter. Glaring security flaws may plague the very systems meant to detect and deflect them, and go unnoticed because of those systems’ “privileged” position. This is one of the biggest blind spots in cybersecurity (and one of the biggest risks, as a result).
The ubiquity of remote work only multiplies that risk. Companies will have to contend with increasing weaknesses and face bigger consequences when hackers exploit those vulnerabilities.
Is anything safe from cyberattacks? No.
How much protection is needed? More.
How Much Investment Is Enough?
Recent history raised the bar for cybersecurity. Unfortunately, companies and organizations haven’t elevated cybersecurity budgets at the same pace. In many cases, security teams will need to accomplish the extraordinary using few, if any, additional resources.
Tight budgets make it important to prioritize which cybersecurity measures require immediate investment. Minimum viable plans should be funded, at least. Those plans must be able to deliver secure IT services through multi-cloud environments, continuously monitor for risks within business units and supply chains and train employees (from the C-suite down) on security responsibilities.
Minimum viable plans must also address the unique risks inherent to remote work. Those include attacks targeted at virtual networks and desktops and the challenges of cybersecurity hygiene for an exploding number of endpoints. Remote work also makes employee negligence a bigger threat and increases opportunities for phishing attacks.
Organizations also need to take a closer look at their cybersecurity investments to maximize ROI. In addition to strengthening the core through network, infrastructure and application security controls, organizations should apply security orchestration and automation with AI- and ML-based solutions and techniques like managed detection and response, next-generation identity and access management and zero-trust architecture. These will help counter modern-day threats, such as ransomware, more effectively and efficiently.
What it takes (and how much it costs) to get protected will vary widely. In all cases, however, protection must outpace investment if the digital workplace has any hope of succeeding.
Rewriting the Cybersecurity Playbook
For CISOs, the coming months will be about redirecting investments toward only the most useful programs. Follow these strategies:
- Accelerate Cybersecurity Maturity—Cybersecurity maturity means being able to predict, prevent, detect and mitigate attacks—essentially, being mature at all phases. An internal assessment will reveal how much work is left to do. It will also help CISOs create realistic short- and long-term goals and then accelerate the pace of progress.
- Incorporate Business Goals—In the future of digital workspaces, cybersecurity risk is a subset of business risk and corporate governance. Approach cybersecurity in the context of business goals, industry forces, company culture and organizational complexity. An effective cybersecurity strategy serves the broader business goals; it isn’t confined to IT.
- Monitor in Real Time—Preventing attacks requires abundant information delivered in real time. That information includes internal threat monitoring combined with intelligence into new threats produced by the cybersecurity community at large. Proactive information-gathering and information-sharing require technical tools alongside a collaborative mindset.
- Address the Talent Gap—Qualified cybersecurity professionals are in short supply and subject to high demand. Recruiting and retention need to factor into any cybersecurity strategy. Given the challenges of both, however, training and professional development should also be a priority.
- Test, Test and Test Some More—Pressure-testing the ecosystem for cybersecurity vulnerabilities, using advanced security techniques, is a must.
Cybersecurity concerns arising out of the digital workspace are a board-level issue because they’re an existential threat to companies. Any question of how much to invest, and on what, must follow from a careful understanding of the consequences. In a digital future, everything is at risk.