This article goes beyond the usual industry practices, focusing on less common cybersecurity tips, to address the ‘road less travelled’ kind of strategies.
If you ask cybersecurity practitioners for tips to strengthen one’s cybersecurity strategy, you are more likely to receive similar [predictable] responses – employee training, strong passwords, patch management, incident response, regular backups etc.
So, I started by asking ChatGPT and, as expected, it listed the same ‘usual suspect’ responses, all of which are well-known, common industry practices.
Before moving forward, let us first establish what we mean by a ‘cybersecurity strategy’. It is a comprehensive plan that outlines the approach and practices an organisation will take to protect the confidentiality, integrity and availability of its information and information assets.
A lot is packed in this definition. A cybersecurity strategy can mean so many things, but it boils down to the cybersecurity culture of an organisation – the total package of what they do and their attitude towards cybersecurity.
Security solutions and practices should be intentional and not just for the sake of fulfilling requirements. For example, security policy documents should be concise, straight to the point, and carefully written. It is of no use, having a policy of 100 pages that no one reads – yes, it may tick the box of a certain requirement but it may not translate to actual security gain. A good practice is to have summaries of long documents, with users able to refer to a full version for more details.
Complacency is an enemy of solid cybersecurity. A story is told of an oil company that had a control centre for monitoring their network of pipes. It happened that a seasonal weather condition caused some of the pipes to expand/contrast and this kept triggering some of the sensors to think that there were leakages. The staff at the control centre got used to the ‘frequent’ false positives and started ignoring the alarms until a farmer phoned in one day to report a flood of oil on his farm.
Don’t leave anything to chance or ignore anything, even the seemingly boring or mundane ones. DON’T IGNORE SECURITY ALERTS. There will always be false positives/negatives. These should be opportunities for improvement and not lead to complacency. Enforce a culture of zero tolerance for ignoring security alerts/warnings.
Cybersecurity can feel like a game of ‘cat and mouse’; “a series of cunning manoeuvres designed to thwart an opponent”. Playing this game effectively entails taking proactive practical steps to stay ahead of attackers and preparing for when (not if) an attack does happen. Some of these practical steps include:
People typically associate the phrase ‘access control’ with strong passwords. Although a ‘strong password’ is relative, it is generally seen as one that is ‘long and complex’. Because long and complex passwords are usually difficult to remember, and password rotation policy has worsened things, people have resulted in unsafe practices ( e.g., writing passwords down, password recycling, using password managers, etc.) to help them remember their passwords. Start moving away from over reliance on passwords.
Multi factor authentication should be a basic requirement. Given the inherent complexities of using passwords (simple ones are easy to hack, while hard ones are difficult to remember), organisations should also consider passwordless authentication. After all, password is not the only item (factor) in the ‘what you know’ bag – only ‘what you have‘ + ‘who you are‘ is also multi-factor authentication.
Moreover, access control should be user-friendly and not get in the way of people doing their work. Help people understand the goal of access control (what you intend to achieve), the importance of it, and not just the means. Carefully implement zero trust, separation/rotation of duties, least privilege, and need-to-know principles.
According to Advisera*, only 37% of the 114 ISO 27001:2013 security controls are IT-related. However, 88% of data breaches are caused by human error [1]. These, and many other studies, show that humans are the most important link in the cybersecurity chain . It is not always about the tools, but the people.
Security should start from the recruitment process, including writing job descriptions. Ensure that you target and get the right people. Diligent checks are important. For example, a prospective employee who posts unnecessary details of their current employer’s system/network on social media might be a security risk.
After recruitment, help employees achieve more security with user-friendly solutions. Ensure that people are motivated, understand what is required of them, and that they have what they need to do their job. Avoid ambiguity and complexity where possible. According to NCSC, “Good operational security should not require complex, bureaucratic, time consuming or expensive processes.”
*Dejan Kosutic’s training old notes on ISO 27001:2013 for Advisera
A high percentage of data breaches are caused by human error, and training has been identified as the best solution for ‘patching’ such human vulnerabilities. However, training has to be fit-for-purpose. The traditional one-hat-fits-all approach has been proven inefficient and ineffective. When it comes to cybersecurity, we know that there is no single-training-fits-all solution – people have different technical skills, different prior knowledge and experience, are in different roles, exposed to different security risks, and require knowledge that is relevant to what they do.
Implementing tailored role-based cybersecurity training that recognises prior knowledge and skills personalised to the specific role [2] is a good approach. We need to rethink training and awareness. This should not be another box-ticking exercise, but designed and tailored to ensure that every individual is properly equipped to do their job.
In this article, we have discussed cybersecurity strategy from a more holistic and less formal perspective. When conceptualising an effective cybersecurity strategy and understanding how it can be achieved, it’s helpful to remember three key attributes – organisational culture, people-centricity, and user-friendliness.
First, cybersecurity strategy should be embedded in the organisation’s DNA. It should be naturally obvious to anyone how seriously the organisation takes cybersecurity. Does a new employee’s experience (from recruitment, through the first day in job, to weeks after job start) demonstrate to them that security is a big deal for the organisation? Second, since ‘humans are the weakest link in the cybersecurity chain’ and that organisations are as ‘secure as their weakest link’, cybersecurity strategy should be people-focused. ‘Securing’ the user addresses most of the security risks. Third, security controls/systems should empower the user to do their job securely and not get in the way. Complexity can sometimes lead to security exposures.
[1] Hancock, J.: Psychology of Human Error: understand the mistakes that compromise your company’s cybersecurity. Tessian Research (2020). https://bit.ly/3Lzn1Fg
[2] Eze, T., Hawker, N. (2022). CAP: Patching the Human Vulnerability. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_9
Cybersecurity Supply Chain attacks are an underestimated risk for companies, where cyber threat actors can hack into a software vendor’s network, posing a significant danger to many companies. Who may be affected by these attacks? Every company of every branch who is in a business relationship to a third-party vendor who offers services or software to […]
Read more
Cybersecurity The use of network scanners with a graphical user interface has been observed in a number of former IR engagements conducted by our CSIRT. Discover how operators use these tools to map networks and minimize detection.
Read more
Cybersecurity In 2023, Airbus Protect demonstrated unparalleled achievements in cyber defence, marking a significant milestone for the company. Four key events in Germany contribute to the organisation's commitment to excellence and innovation in the ever-evolving landscape of cybersecurity.
Read more