A sound cybersecurity strategy for the enterprise is an essential success factor and a critical risk. For the first time in decades, CIOs are trying to control the chaos. Not internal disruptions brought on by digital transformation initiatives, but volcanic-like eruptions that change the operational landscape. Suddenly, technology initiatives that were five years out become the top priority. Cloud migrations that were scheduled to take months happened in weeks. Infrastructures are forced to meet performance demands that exceed their design capabilities. Adding to the chaos are cybercriminals who view disruption as opportunities for financial gain.
Overnight, complaints filed with the Internet Crime Complaint Center (IC3) went from 1,000 to 4,000 per day in 2020. According to the FBI, bad actors were focused on telework solutions. Targets included cloud-based solutions, remote workers, and supply chains. Hackers know that in the middle of chaos are opportunities to exploit vulnerabilities.
Not that long ago, CIOs’ responsibilities were focused on cost and performance. Their job was to find the right technology at the best price to achieve business goals. That’s no longer the role that business executives want their CIOs to fill. Technology has become an integral part of a company’s business strategy. It no longer supports the business; technology drives it. That’s why CIOs must become strategic, especially when it comes to cybersecurity.
A lapse in security has long-lasting results. In some cases, businesses never recover. The direct financial cost for a ransom attack is over $200,000, and the average cost of a data breach is $3.85 million. Part of the data breach costs come from a loss of consumer confidence.
- 59% of buyers avoid businesses that suffered an attack in the last 12 months
- 70% of consumers do not believe companies are safeguarding their information
- 25% of buyers abandon products and services once they learn of a cyberattack
Putting together a security strategy has never been more essential to business survival. That’s why CIOs should invest in a comprehensive security strategy based on a sound framework that incorporates compliance standards.
Frameworks for defining Cybersecurity Strategy
The first strategic step is choosing a cybersecurity framework. These frameworks are systems of guidelines, standards, and best practices that provide governance and mitigate risk. Organizations can develop frameworks, or they can use existing frameworks such as:
- NIST Framework. US National Institute of Standards and Technology
- CIS Framework. Center for Internet Security Critical Security Controls
- ISO Framework. International Standards Organization 27001 and 27002
- ENISA Framework. European Union Cybersecurity Framework.
- CMMC Framework. US Department of Defense Cyber Maturity Model.
These are comprehensive frameworks that address everything from user authentication to media disposal. They form a solid foundation for the ongoing implementation of cybersecurity protocols.
Frameworks, while comprehensive, may not adhere to industry-specific standards such as HIPAA for medical information or PCI-DSS for payments. The EU recently enacted its general data protection regulation (GDPR) that protects EU citizens regardless of the business’ country of origin. If CIOs are to ensure compliance, they need a seat at the table when business strategies are discussed.
For example, a security breach as a result of PCI non-compliance starts with a per-record cost of $150 (US). Businesses are fined between $5,000 and $100,000 per month until their systems become compliant. The longer businesses are out of compliance, the larger the per monthly fine. Severe violations may result in an organization being banned from accepting credit or debit cards as payment. Businesses can’t survive if they can’t use the existing payment networks.
The next step in defining a security strategy is to look at the technologies that can help meet the requirements. CIOs must find the best solutions for their organization, whether it is advanced solutions such as automation tools using AI or modifications in employee training. When it comes to cybersecurity, user authentication and system architecture are two areas that CIOs must get right.
According to Verizon’s latest DBIR, 80% of all attacks in 2020 involved brute-force passwords or lost (stolen) user credentials. Brute force accounts for 45% of attacks, and 22% of attacks use stolen or lost credentials. Those statistics are why strong user authentication must be part of a cybersecurity strategy.
Multi-factor authentication is a better approach to user authentication than username and password. MFA is especially beneficial in remote work environments that are less secure. Stealing a passcode that is sent to a cell phone is more difficult than capturing an existing password. Knowing who is on the other end of a request is vital to system security in today’s environment.
Employees are not as concerned about password security as they should be. Requiring employees to change their passwords at set intervals has not proven to be effective. Users rotate through a few passwords or increment the last number of their passwords each time they have to change. It doesn’t take hackers long to find the matching number once they’ve acquired the base password.
Organizations need to establish least privilege policies. In the past, employees were given carte blanche when it came to access. It was assumed that anyone behind the firewall could be trusted. That is no longer the case as network perimeters expand to include remote workers and IoT devices at the edge. Least-privilege policies make it more difficult for external and internal bad actors to compromise a system.
A zero-trust model assumes that whatever is trying to access the network, whether inside or outside the perimeter, is a possible breach. As a result, the same security standards should apply no matter where the request originated. That includes other systems and applications as well as users. Zero-trust models incorporate MFA and least-privilege permissions to further strengthen user controls.
Corporate networks are no longer easily contained. The IoT has stretched boundaries to include sensors and trackers on packages and transport vehicles. With the move to a remote workforce, the network perimeter has blurred even more. Some applications or data may have moved to the cloud for corporate-wide access, leaving a hybrid model to secure.
When securing a remote workforce, CIOs must first determine if employees will be using their own devices. If companies do not provide laptops or workstations, CIOs can request that employees apply security measures, but they cannot require them. At a minimum, company-provided antivirus solutions should be provided. From a security perspective, work-provided devices are the only way to ensure that business and personal information remain separate.
When setting up remote access, be sure to review port settings on RDP servers and existing firewalls. Closing too many ports can create havoc when users want to log in. At the same time, hackers are trolling the internet looking for responding ports. Automation tools can help monitor network activity to ensure that traffic is not using ports that should be closed. With the many configuration changes that come with a distributed workforce, automation should be a part of any cybersecurity strategy.
VPN connections are a must. Recent reports of VPN vulnerabilities are based on old software that was not updated. Deploying up-to-date VPN software ensures traffic between the remote user and the network is secure. Part of a CIO’s strategy should address the specific requirements needed to ensure secure operations using a distributed workforce.
Organizations cannot flip a switch and become cloud-native. They exist for a time in a hybrid-model where some systems remain on-premise while others are moved to the cloud. This mixed architecture presents security risks. The intersection of legacy and cloud technologies can create vulnerabilities that must be addressed in any cybersecurity strategy.
Cloud infrastructure is vastly different from conventional networks. Without knowledgeable cloud personnel, CIOs can inadvertently place their digital assets at risk. Public cloud environments do not provide the same level of visibility as on-premise networks. To achieve visibility, CIOs must be prepared to develop or purchase tools that can read and report detailed statuses. Existing on-premise tools do not translate into a cloud environment.
CIO as Strategist
A CIO’s role has changed. It’s no longer just about equipment and performance. It now includes network management, cloud-based architectures, industry compliance, as well as cybersecurity. CIOs must become more strategic and find resources to help with day-to-day implementations. Developing a cybersecurity strategy enables others to protect digital assets, while CIOs can focus on the company’s strategic needs.