“New year, new threats” could easily be the mantra of most cybersecurity professionals this year. The arrival of mandatory data breach notification in 2019 put a spotlight on how far and wide cybersecurity vulnerabilities have spread throughout Australian organisations of all stripes. But as IT leaders and cyberteams grasp at everything from AI to blockchain as the silver bullet for their security woes, I’d say the best defences are in fact much simpler than they may think.
It’s time we went back to basics on cybersecurity—rethinking the fundamentals of how we protect our data and prevent malicious entry into our systems. If we don’t, we risk making the same mistakes contributing to breaches time and time again. I’ve identified three fundamental assumptions about cybersecurity which haven’t stood the test of time—and come up with some ways to break them for everyone’s good.
If we’ve learned anything from the numerous phishing, social engineering, and backdooring successes of the past decade, it’s that passwords don’t provide robust security against cybercriminals. To the contrary, password policies often render organisations less secure than they otherwise might be. Forced password rotations lead to unhygienic user behaviours, from cyclical password reuse to storing passwords in less than secure locations. So do even the most inhumane password requirements (at least one capital letter, one special character, an emoji, and so on). Yet to this day, we’ve insisted on these archaic strategies as the foundation of how we protect enterprise systems and data.
The irony is, we already have the systems needed to make passwords great (or at least not so bad) again. Most banks already employ two-factor authentication to protect their customers’ finances. More vigilant IT types have been using password managers for years, if not decades. The introduction of these two mechanisms alone would substantially boost the security of almost every organisation out there—and make password best practices, like complexity and non-duplication, far less vulnerable to human shortcuts than they are today.
Don’t get me wrong, training plays a critical role in good cybersecurity hygiene. But in recent years, I’ve noticed a tendency amongst many organisations to rely on training as a crutch for their cybersecurity efforts, instead of addressing the root causes of organisational vulnerability. You can’t rely on your employees to be fully trained to handle every possible attack vector potentially creeping up on them—just as you can’t expect your highly trained employees to remain in your organisation forever.
IT leaders would do well to refocus their priority from the volume of training to its consistency. Basic cybersecurity practices for email security, data protection, and privacy control should form part of every new employee’s onboarding process—but they shouldn’t go into such depth as to overwhelm new recruits. Frequent but concise updates on the latest threats and trends can sustain awareness amongst all employees as time goes on.
IT leaders may even consider working with their counterparts in employee communications to make cybersecurity a part of regular internal discussions. And at the same time, cybersecurity teams should build up sufficiently comprehensive back-end defences, from the monitoring of networks to filtering suspicious content, so they’re not simply relying on their co-workers—who, you know, also have their own jobs to do—for protection and prevention. It may be true that employees are the front line of cyberdefence…but they certainly can’t be expected to be the only line.
Despite reaching headline status on almost every IT leader’s agenda, cybersecurity still suffers from a perception problem—namely, that organisations think they’ve got it covered. I’m a long-time proponent of “assumed compromise” when it comes to cybersecurity: working on the belief that you’ve already been breached and will be breached again. We need to correct the notion that an organisation can ever be fully secure, and assuming compromise does away with the complacency and hubris which have plagued cybersecurity policymaking and strategy for years.
On a practical level, this means taking contingency measures seriously: not only adopting, but also enforcing basic processes like the 3-2-1 backup rule as insurance in case of catastrophic data loss. It also means, as I’ve mentioned before, relying less on humans to “do the right thing” and assuming they’ll inevitably make mistakes—then installing IT security solutions like password managers or web filters to act as a safety net when such errors occur.
Finally, it means IT leaders must constantly ask the question: what’s next? What threats are emerging, where is our business vulnerable, and how might these two variables intersect or have already intersected? It’s not rocket science, but it does resemble brain surgery: rewire the way we think about cybersecurity, and the rest will follow.