The Formula for Strong Cybersecurity: Oversight and Vigilance



Some organizations believe they can get by, more or less, by adopting a cybersecurity boilerplate of standard procedures and tools, then leaving it in the hands of the IT security staff. Some don’t exert even this much effort. Both need a reminder from time to time that their practices—or lack thereof—substantially enhance the odds of being breached.

Nobody knows this better than cybersecurity pros, and they aren’t hesitant to point it out. “What we keep seeing is that spending on cybersecurity continues to grow, but so, too, does the incidence of attacks and breaches,” says Nik Whitfield, the founder and chairman of Panaseer, a London-based cybersecurity company. “Clearly, whatever is being done overall to reduce cyber risk is not enough.”

Consider just two examples among many in recent years.

Wood Ranch Medical, a healthcare practice in southern California, thought it was too small to justify a cyberattack. Nonetheless, it suffered a ransomware attack that encrypted servers containing electronic health records, as well as its backup hard drives. Wood Ranch could not come to terms with the hacker. It ceased operations, unable to restore the data needed to run its practice.

A much bigger entity in the Far East, Singapore Health Services (SingHealth), the largest healthcare group in that country, didn’t take the trouble to make sure various cybersecurity details were implemented correctly. As a result, a breach compromised the personal data of its 1.5 million patients, and the medical data of 160,000 outpatients who used the company’s network of clinics was also stolen.

A committee found that SingHealth lacked adequate cybersecurity awareness, resources and training to properly counter the cyberattack. The breach resulted in substantial fines and undermined SingHealth’s reputation, fueling consternation about what the miscreant or miscreants would do with the patient data.

These organizations, like so many others—now including sharply rising cyberattacks against public school systems—generally fail to realize that strong cybersecurity procedures have become crucial in our hyper-connected world.

“Good enough” security no longer cuts it. Breaches continue to escalate as the increasing digitization of data, products and processes creates even more vulnerabilities. Compounding the problem is the increasing complexity of IT environments, which today often include computing on premises and in the cloud, multiple connections to third parties, and the digital tools of a rapidly growing remote workforce.

What is needed today is a sound security strategy, one that is constantly reevaluated and well supported by the architecture upon which it is based. Security architecture is intended to make the business of security easier and more effective. It designs security countermeasures into the network rather than relying on last-minute fixes to vulnerabilities. It’s roughly akin to traditional architecture, where, for instance, designing a fire escape into a small building is commonplace. This way, people don’t have to run around looking for an exit in the event of a fire.

Companies of all sizes and stripes are under pressure to adopt a security strategy and architecture or affirm their strength if they have not already done so. Many smaller companies, lacking big resources and preoccupied with the demands of the COVID-19 pandemic, have yet to take this to heart. At the least, however, they need to make sure they’re not further undermining security by following bad security practices until they get around to setting things right.

Among the worst practices—and one that is common among big companies as well as small—is building a sprawl of different cybersecurity tools in their infrastructure. Those who do so may be good shoppers but are poor strategists. This approach often leads to a more complex set of defenses with little or no integration among the security tools provided by multiple cybersecurity vendors.

Another issue is the shared security model commonplace in public cloud computing. While public clouds secure their own infrastructure, customers are responsible for securing their own apps and data. Customers are often surprised to learn that public cloud providers don’t apply the same security measures found in an enterprise data center and don’t realize how vulnerable they can be.

One thing companies committed to improving their cybersecurity should explore is so-called continuous controls monitoring (CCM), an emerging area of security automation focused on making sure that all security tools are properly configured and actually working as intended. Too often, this is not the case, in part because many companies have purchased lots of complex security tools in recent years and not infrequently fail to set them up properly. They can wind up hidden from the corporate network, undermining their protective capability.

“Tools don’t know what they don’t know,” says Panaseer’s Whitfield. In some cases, endpoint protection controls aren’t fully employed at the time of implementation. In others, security controls oversee so many tools that it becomes difficult to configure everything properly. Both open an attack vector for hackers.
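As an added illustration of the kind of check continuous controls monitoring automates (this is not code from the article or from any vendor it names), the Python example below reconciles an asset inventory against endpoint-protection agent reports to surface hosts with no agent, a silent agent, or a disabled setting. The host names, report fields, and two-day staleness threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hosts the business believes it owns, and what the
# endpoint-protection console actually reports. All names are hypothetical.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = {"web-01", "web-02", "db-01", "hr-laptop-07"}
AGENT_REPORTS = [
    {"host": "web-01", "last_seen": "2024-01-15T11:50:00+00:00", "realtime_protection": True},
    {"host": "web-02", "last_seen": "2024-01-02T08:00:00+00:00", "realtime_protection": True},
    {"host": "db-01", "last_seen": "2024-01-15T11:55:00+00:00", "realtime_protection": False},
    {"host": "lab-vm-3", "last_seen": "2024-01-15T11:58:00+00:00", "realtime_protection": True},
]


def control_gaps(inventory, reports, now, max_age=timedelta(days=2)):
    """Compare what should be protected with what the tool actually sees."""
    by_host = {r["host"]: r for r in reports}
    gaps = {"no_agent": [], "stale_agent": [], "misconfigured": []}
    for host in sorted(inventory):
        report = by_host.get(host)
        if report is None:
            # The tool cannot flag this itself: it does not know the host exists.
            gaps["no_agent"].append(host)
            continue
        if now - datetime.fromisoformat(report["last_seen"]) > max_age:
            gaps["stale_agent"].append(host)  # installed, but no longer checking in
        if not report["realtime_protection"]:
            gaps["misconfigured"].append(host)  # running, but not fully enabled
    # Agents reporting from hosts missing in the inventory point to inventory gaps.
    gaps["unknown_asset"] = sorted(set(by_host) - set(inventory))
    return gaps


def coverage(inventory, gaps):
    """Fraction of inventoried hosts where the control is present and healthy."""
    failing = set(gaps["no_agent"]) | set(gaps["stale_agent"]) | set(gaps["misconfigured"])
    return 1 - len(failing) / len(inventory)


if __name__ == "__main__":
    found = control_gaps(INVENTORY, AGENT_REPORTS, NOW)
    for kind, hosts in found.items():
        print(f"{kind}: {hosts}")
    print(f"healthy coverage: {coverage(INVENTORY, found):.0%}")
```

Run on a schedule against live inventory and console exports, the same reconciliation turns a one-time deployment check into an ongoing measurement.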

For organizations that have yet to take security and security architecture sufficiently seriously but now want to improve, here are some additional pointers:

+ Gain an understanding of what you absolutely need to protect. Start with reviewing your business processes and understanding how the company generates revenue and which systems would have the ability to disrupt that by being unavailable or having their data stolen. Also, identify which data and other IT assets, such as applications, are critical to your business and must be protected at all costs.

+ Know your company’s appetite for risk. Before implementing a cybersecurity strategy, it’s crucial to understand the total risk your organization is prepared to accept in pursuit of strategic objectives. This helps determine the prioritization of security measures. Risk appetites differ, depending on your company’s industry, financial strength and particular objectives.

+ Evaluate your company’s “security maturity” level. This refers to a company’s adherence to security best practices and processes. Measuring it helps to identify gaps and areas for improvement.

Security is a freestanding specialty. It must be ongoing in terms of updating and auditing and cognizant of always-evolving processes and technologies. Vigilance is what security best practices are all about. These steps and others are essential to mitigating breaches in a world replete with astute hackers.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

