Anthony Di Bello, VP Strategic Development, OpenText

Anthony leads a team of market development directors driving OpenText strategic direction within information security, data discovery, legal, analytics and AI/ML software markets.


With cybercrime presenting a formidable challenge to modern life and work and the potential to wreak havoc on our businesses, there is a greater need for organisations to deploy technology to keep their cyber information safe. However, state-of-the-art cyber security and network protection technologies alone are not enough since a security breach will inevitably occur and can be triggered by the simple action of an employee who unwittingly clicks on a dangerous link.

The real focus should be on cyber resilience for optimum security. Cyber resilience is all about an organisation’s ability to bounce back from an adverse event and return to ‘business as usual’ as quickly and painlessly as possible. It starts with the ability to detect a breach and incorporate everything required to ensure business continuity, whilst removing the threat. Incident response technology or managed service contracts should be in place and ready to go when the inevitable breach occurs. The better your response plan, the better your ability to achieve cyber resilience.

For those organisations that have a resilience strategy in place, it is often compartmentalised, treated as a separate entity to security frameworks or policies. However, there is more value to be gained when cyber security forms an element of a wider cyber resilience strategy. It is only then that businesses can protect against the inevitable and mitigate any potential damage that a breach might cause. 

Data stored on desktops, laptops, and tablets is of course vulnerable to ransomware, hardware failures, human error, loss, and theft – all risks that have been multiplied by the mass shift to remote work and the reduced IT/admin oversight of dispersed employees. To stop employees carrying these bad practices into the home, it is more important than ever that companies create a culture of cyber resilience.

Cyber resilience is the ability to continuously deliver intended operational outcomes, despite any barriers thrown up by adverse cyber events. It requires total network, endpoint, and user protection, as well as data recovery, as part of a robust ‘defence-in-depth’ strategy. Moreover, it mustn’t stop there. Conducting regular training sessions to ensure employees are aware of cyber risks is a critical component of cyber resilience. These steps will enable organisations to continue operations without the disruption of files and servers being locked by a cyber-attack.

Adapting security to the new normal

As we look ahead, a few things are abundantly clear. First, we know remote work is here to stay. Cyber attackers and criminals will look to innovative tactics to exploit weaknesses such as less secure personal devices and home Wi-Fi, and they will continue to thrive in a highly porous security environment. Two major blind spots can be identified: misinformation, which will be a persistent threat, and ransomware, which will continue to plague the operations of organisations large and small.

With the threat landscape only set to grow in the coming months, businesses need to act now to ensure that they can protect themselves in the long term by taking a proactive approach that includes training, technology solutions for detection and response, simulations and ongoing testing, and finally back-up and restoration solutions should the worst happen.

Adopting automation within security teams will be crucial going forward. Businesses are likely to increase their investments in technology as a force-multiplier for security teams that are already stretched. Greater automation and contextualisation of security alerts will help teams comb through mountains of false alarms to prioritise the real threats.

The critical importance of cybersecurity awareness

Time and again, system users (employees) have proved to be the weakest link in the cybersecurity landscape. Despite the most advanced technologies, social engineering and phishing have for decades been among the most successful techniques for breaching the strongest cyber defences. While organisations often invest significant sums of money in security solutions, the aspect most often ignored is the employees themselves and training staff in the basics of cybersecurity. This is especially important now that most employees are working from home, when a seemingly harmless click on a rogue or malicious link sent by a hacker can be all it takes for them to take control.

For cybersecurity awareness, it is never too early to start. Cybersecurity education is continuous and evolving over time. In the school classroom, basic safety and security education must be imparted and extended to navigating cyberspace as well. Not clicking on links from strangers is a great example of the kind of rudimentary cybersecurity training that can be introduced at a young age.

Similarly, in the workplace, the onus is on the employer to secure their organisation’s devices and network infrastructure. The employee is an integral part of that infrastructure, the first line of defence, but also ‘the weakest link’. As such, it is the responsibility of the employer to continue that education to minimise the risks introduced by carelessness, or simply by an employee being unaware of cyber-attacks. There are several commercial employee cybersecurity training programmes, which can help employees learn to spot phishing, social engineering, malware, potentially risky behaviour and more.

Once awareness has spread, stakeholders will understand their respective roles and be prepared when a breach happens. In reality, it is not only the C-suite that needs to ensure that employees have these skills; InfoSec, IT, HR, communications and legal departments all have roles to play. Tabletop exercises and mock drills should be conducted to reinforce the action plan and to address shortcomings in the plan.

Training should start right at the top. If you are a CEO or IT admin who is not doing the security awareness training that you are asking your own staff to do, then it is not fair. All C-suite and IT staff need to ensure that they are practising these lessons just as hard as anyone else.

Understanding the need for compliance

In terms of specifics, in some countries, such as the US, many companies and Federal agencies are required by law to provide security awareness training. For example, HIPAA requires all covered healthcare entities and business associates to provide cybersecurity awareness training to their employees. FISMA requires all US Federal agencies to establish a security awareness training programme. Other mandates requiring cybersecurity awareness training include FACTA for financial institutions and creditors, and even the GDPR, which requires the Data Protection Officer to create awareness and provide training to all staff involved in data processing.

While these regulations don’t apply to all organisations, many are beginning to understand the long-term return on investment of implementing these practices. For example, if cybersecurity awareness training can reduce successful phishing attempts by 20%, that could translate into millions of rupees saved on incident response, recovery and the lawsuits that can follow a data breach.

Today, an untrained employee can cause a data breach, which may have legal implications. This matters because insurers typically want to limit their exposure to large pay-outs and are likely to include language allowing them to decline coverage in certain situations. One such clause is a ‘Failure to Maintain’ minimal or ‘adequate’ security standards: for example, if a company is found not to have a basic control such as encryption for sensitive or protected data, the ‘Failure to Maintain’ clause allows a carrier to decline coverage. Cybersecurity awareness training could now be considered a minimal or adequate security control by some insurers, so a lack of such training (particularly for a claim that involved an obvious phishing element) could lead to a decline of coverage if the insured entity does not provide it to its employees.

Today, any technology used for cyber defence can also be applied by cyber attackers. Cybersecurity is therefore a journey, not a destination. The secure enterprise will focus on information governance to protect its most valuable information, will use smart automation to deal with cyber threats at scale, and will adopt a zero-trust mind-set toward endpoints and identity.
