October is Cyber Security Month. However, cyber security is not just relevant for a month. As a company that operates primarily online, it is our responsibility to ensure that we take our employees’ and users’ security seriously 365 days of the year. Mostafa Abdelmoez, the Group Director of Security & Anti Fraud at SMG shared four things any company should consider to make sure their employees and customers are safe.
1. Risk Appetite – How much risk can you chew?
Understanding your business and its biggest risk factors is crucial to deciding how much risk your organisation is willing to take in the pursuit of any value. Otherwise, cyber security efforts could have no limits, guidance, or immediate impact. It’s almost impossible – or at least highly inefficient – to protect something if you don’t understand its risks and weaknesses.
The fundamental mission of cyber security is to protect your organisation, but how? Protection also includes business continuity, preventing loss (monetary or other), or increasing or preserving value for all stakeholders. So it is essential to understand these dependencies, how they are set up, what exactly you are trying to protect and from whom, and its impact on the business. So after you have done this risk assessment, you can get to work. Thinking about the data is usually a good place to start.
2. Humans are the first line of defence
The narrative of the responsibility of cyber security is usually centred around the people, deeming them the weakest link. We believe that to be quite untrue. Humans are the first line of defence for maintaining an organisation’s cyber security. This means it is crucial that all employees – without exception – receive appropriate training for their role or function in the organisation. This can be further encouraged and expanded on with internal events, competitions and rewards. Employees or users generally struggle to identify weaknesses in their cyber security knowledge, which increases the importance of proper training and presenting the training material in an understandable way. It is your responsibility as an organisation to offer a great user experience when conveying information about cyber security, or even when they interact with security in any way.
3. Shifting Left – Integrate cyber security into the fabric!
Now onto the more technical aspects: Monitoring your infrastructures, networks, and products should be a no-brainer. You need to log, audit, and generally be aware of blind spots, which you will only find if you comprehensively monitor your systems.
It’s best to integrate cyber security in day-to-day business operations. For example: Scan and sign the code before going into production and scan after it has been deployed. Employ different types of security testing like security audits, bug bounty programs, or application scanning. This approach to cyber security is often referred to as Shifting Left, meaning that the security practice is initiated from the very beginning – as early as even before the idea is put into practice. The earlier security is integrated, the easier it will become and the more impact it will have.
4. Prevention – Trust nothing, verify everything!
We have now mainly talked about monitoring, which facilitates detection. Ideally, we’re after prevention which can be achieved by investing in Edge Security.
In its simplest form, Edge Security consists of a firewall and an authentication server. Nothing should pass this checkpoint unless it is authorised and meant to. However, even after passing, there should be no inherent trust in anything! Always verify everything.
Think of this approach as having a multitude of edges (or checkpoints) on the inside. Any organisation should heavily invest in identity and access management – be it for its employees or its users. This experience should be seamless and at least prevent phishing, which is widely employed due to its low-effort-high-impact nature. Phishing is what enabled most of the recent big breaches, or how they started at least. You can even employ Biometrics, FIDO (Fast IDentity Online), and Hardware Keys. Choose the appropriate method for each user group. It is important to note that each Multi-Factor Authentication Method has its advantages and disadvantages – and also its own thread model, which would bring us back to the first point.
Following these four points could already make a huge difference to your organisation’s cyber security. Raising awareness is definitely very important, which is also why we have put together a list of four things anyone can do to improve their security online.
We thank Mostafa for putting together this list, and let’s keep cyber security a top priority for the whole year!