Nov 3, 2021
Time to Build Accountability Back into Cybersecurity

Chris Hass, director of information security and research at Automox, discusses how to assign security responsibility, punishment for poor cyber-hygiene and IDing ‘security champions’ to help small businesses.
The age of remote work, in which hybrid teams work out of offices, houses and coffee shops using a multitude of devices, presents a challenge in understanding who is responsible for ensuring proper cyber-hygiene across a perimeter-less footprint. Suffice it to say that cybersecurity has become a massive headache for many organizations. It’s also a costly one, with the average breach carrying a price tag north of $4.2 million, according to IBM’s Cost of a Data Breach 2021 report.
In addition to monetary considerations, companies that experience a breach also risk damaging their reputations and making headlines for the wrong reasons. The good news is that by taking a proactive approach to cybersecurity, understanding security roles and accountability, investing in the right tools and following best practices, you can strengthen your organization’s security stance and protect your systems, data and brand along the way.
Historically, leadership has largely been accountable for cybersecurity and has almost always viewed security as a cost center. In the age of escalating cyberattacks, that’s all changing.
Today, security is everyone’s responsibility. If you’re aiming to protect yourself against threats, you will have a hard time accomplishing your goals unless every employee understands that security is a shared responsibility.
At the same time, it’s important for security practitioners to understand the business needs at stake and prioritize readiness and remediation — and be able to effectively convey the risks associated with an attack. When you claim everything is a high priority, nothing is.
Companies today are already incentivized to practice good cybersecurity. By prioritizing cybersecurity, they’re able to reduce the likelihood that systems will be penetrated, thereby protecting against the associated outcome of breaches — such as legal fines, customer churn and a lower share price.
However, with breaches increasing and their impact getting worse, it’s worth considering whether we as a society can do more to encourage organizations to take cyber-hygiene seriously.
Earlier this year, the Biden administration issued an executive order on improving the country’s cybersecurity policy at the federal level. Although little guidance has been issued concerning businesses, it seems as though the writing’s on the wall, and organizations will ultimately need to be more accountable when it comes to protecting their systems and networks.
While there should be repercussions for bad security practices, it’s not so easy to figure out what those punishments might be. For example, companies that violate Europe’s General Data Protection Regulation (GDPR) can be fined up to €20 million or 4 percent of annual global turnover, whichever is higher. Unfortunately, small companies would feel the impact of those fines much more severely than behemoths like Google and Facebook, which might not even notice the dent in their proverbial wallet.
In addition, fining companies for bad security practices could really hurt startups. After all, most startups can hardly afford to pay themselves, let alone hire a fully functioning security team. Making matters more complicated, some of the threats organizations face — like persistent attacks from nation-state actors — can be nearly impossible to defend against. Is it really reasonable to ask a small team to play defense against these types of threats?
Any way you look at it, this is a complex issue with no easy answers.
While compliance legislation and regulation can certainly help raise the bar for cybersecurity hygiene, neither will keep the advanced attackers out forever. Companies need to take a proactive approach to cybersecurity by building accountability into their security infrastructure and deploying the right tools and frameworks.
To do this, start by setting a solid baseline and beginning with the basics. Things like patching, credential management, zero trust and least-privilege access can go a long way toward protecting your organization. When you get the basics right, IT has more time to focus on critical functions because there are fewer help-desk tickets to solve and the network becomes more predictable, which often leads to a less stressful job.
In addition to using the right tools and automating repetitive IT tasks where possible, organizations should also embrace frameworks such as those from the National Institute of Standards and Technology (NIST), which provide excellent roadmaps and guidelines for structuring your security program. Similarly, they should examine Center for Internet Security (CIS) best practices as a good starting point to hit the ground running.
For the best results, companies need to identify security champions within the organization — particularly if there’s not a dedicated security team just yet. When it comes to building accountability, security champions can be a force multiplier since they typically understand their role and the processes of their team better than anyone else. They are able to identify weak spots quickly and drive the implementation of the necessary controls and processes needed to remediate the situation.
While the number of breaches might have fallen in 2020, a whopping 37 billion records were stolen by hackers, an uptick of 141 percent compared to the previous year. If your organization has managed to avoid being on the receiving end of a breach, you are one of the lucky ones. But if you continue testing your luck, it’s only a matter of time before bad actors get a hold of your sensitive data — and you’re forced to endure the fallout.
The sooner you begin optimizing your organization’s approach to cybersecurity, the faster you’ll get the peace of mind that comes with knowing your networks are protected. Instead of scrambling to respond to a breach when it’s already too late or worrying about security, you’ll be able to spend considerably more time focusing on your mission and more strategic, high-impact initiatives.
Chris Hass is director of information security and research at Automox.