Lewis Huynh, Chief Security Officer at NinjaOne, examines why C-suite leaders must give more attention to enterprise cybersecurity needs this year than ever before.
Despite a year of major attacks, organisations, stakeholders, and leaders must resist falling into a false sense of security in 2022. When spending on cybersecurity goes down and attention wanes, that’s when we’ll most likely see another massive attack hit that has a ripple effect across multiple sectors.
This will catapult the world back into a state of (temporary) concern, awareness and hypervigilance. Unfortunately, this seemingly never-ending cycle won’t be broken until every employee feels a sense of personal responsibility to follow security best practices.
Cybersecurity Must Be a Top Priority
Going into 2022 there is a perfect storm brewing when it comes to cybersecurity. Across the board, leaders are scrambling to ingrain a culture of ownership and responsibility for digital security and privacy throughout their organisations. Whilst many of us recognise the need for protection and vigilance, many employees just aren’t sure what good security looks like. This is why strong leadership is essential for setting an appropriate example of how to make security a topic all employees are engaged in.
We’ve seen the pandemic accelerate digital transformation far sooner than predicted, introducing a dual challenge: a proliferation of devices, and new user behaviours to learn and manage. Remote working and the closure of many in-person services shifted how we rely on digital infrastructure to work, live and socialise. Many accounts and systems were set up in a hurry with the intention of revisiting them later, sometimes on company-owned devices, and in many cases they never were. This can be extremely challenging to manage and commonly leads to shadow IT, which can in turn lead to data leakage or theft, and distort IT budgets.
In the midst of these challenges, the media has lauded and promoted the success of organisations across all sectors this last year – and for the most part that’s deserved. Yet we’ve also witnessed attackers weaponising newly disclosed vulnerabilities with lightning speed, to the point where IT and security teams are pushed to their limits, as with PrintNightmare or the ongoing Log4j vulnerabilities. Having watched their security teams thwart these attacks, many leaders could view this as a win – and a reason to start spending less. But that’s the wrong mentality, and being lulled into a false sense of security has enormous consequences.
Consider how stretched the IT and security teams have found themselves. This is not merely due to the rash of vulnerabilities and attacks, but also a by-product of teams having insufficient security expertise. In addition, teams may rely so heavily on a handful of subject matter experts (SMEs) that those experts have no availability or bandwidth left for strategic and proactive security work. Reducing or stopping the spend on security resources and initiatives can be a recipe for the next disaster.
As organisations work to find the right balance, criminals are also attuned to these very real problems and waiting for the next opportunity to arise. As a consequence, we could see more large-scale attacks across the industry. This will undoubtedly trigger another cycle of concern, awareness, and hyper-vigilance that fades into a false sense of security where leaders question the need for continued security spending.
Manage Users to Get in Front of Threats
A natural question leaders ask when it comes to investing in security is, “where should we focus?” We need to focus on “us.” Whether it is organisational security or personal security, the weakest link starts with each of us – as the user of a system. Social engineering tactics have become increasingly sophisticated, crossing the bounds of our “work identities” with our “home identities,” where our personal information abounds across social media and every place we’ve visited online.
This has led not only to phishing attacks, but also to very targeted spear phishing campaigns. These can result in identity theft, but also in the theft of trusted access credentials and proprietary intellectual property. We, as the users, have become the keys for criminals hoping to gain access to an organisation. Fortunately, “we” are also the best defence any organisation can have when leaders implement strategies that build a culture of security ownership.
As organisations begin to evolve their approach to security, issues such as shadow IT will become more evident. Many leaders may not realise how prevalent shadow IT is in their organisations, but the risks of leaked or stolen data, or the discovery of hidden or forgotten old accounts that were never decommissioned, can be gravely critical. Combined with the intermingling of company assets with the networks and systems of remote workers’ home environments, attackers have the potential to leverage employees’ online and social media lives to find their way into an organisation’s systems.
Building, promoting, and socialising a culture of security ownership is no simple, nor quick, task. Taking practical steps such as end-user security training (that touches on both work and home life), internal phishing campaigns (with rewards and incentives), and having open and frank conversations will all go a long way. Layer into this the controls and processes of well-regarded security frameworks, along with unified endpoint management and security tools on user systems, and leaders will see their organisations extend the reach and capabilities of their dedicated security teams.
Don’t Assume You’re Safe
If 2021 showed us anything, it’s that cybercriminals aren’t slowing down in their attacks, and increasingly they’re targeting employees as their point of infiltration. While organisations have made headway in improving their IT and security systems, leaders shouldn’t assume they’re doing enough.
From NinjaOne’s 2020 report on shadow IT, we know that given the opportunity many employees will break the rules. Seemingly innocuous reasons such as policies being too burdensome, impacting productivity, or the security team simply being too slow to review new tools were all cited as reasons for breaking the rules. This risky behaviour is hard to correct, which is precisely why a culture of security ownership is so important. When employees are bought into security and recognise the importance of their own actions, organisations can begin to overcome these challenges.
Additional investments, like expanding the security team to focus on red and blue team operations, engaging in regular penetration testing, investing in the tools and protocols needed to meet cybersecurity framework standards, and frequent security training can all elevate an organisation’s security standing.
Don’t be tempted to lower your security investment. Leaders should consult with their IT managers or managed service providers (MSPs) to understand how they can best protect themselves while keeping the organisation thriving.
ABOUT OUR GUEST WRITER
Lewis Huynh is Chief Security Officer at NinjaOne. Prior to joining NinjaOne, Huynh worked at OneView Commerce Inc. as a Vice President overseeing governance and compliance, security operations and architecture, as well as cloud IT, DevOps, and database architecture. He has also held multiple cloud architecture and DevOps leadership positions as a director at Oracle, a consultant at Cengage Learning, and a Vice President with OwnerIQ.