There is no question that digital technology has dramatically changed the way businesses work. Cloud-based applications and an increasing number of employees working flexibly and remotely mean traditional approaches to cybersecurity are no longer sufficient. As company upon company suffers at the hands of hackers, cybersecurity has to be an absolute priority for the C-suite and the board of directors.
Exploding Attack Surface
The increase in the number of apps used across personal smartphones, in the cloud and on IoT devices in the enterprise has resulted in a greatly expanded attack surface. Each end user or endpoint becomes a potential target and point of vulnerability. Yet, despite the hugely increased potential for attack, cybersecurity practices simply have not kept pace, as the near-daily reports of security breaches confirm. Although it is C-level heads that sit firmly on the chopping block in the event of a hack, surveys continue to show a serious lack of senior-level participation when it comes to security.
For example, a recent survey of board directors in the US by the National Association of Corporate Directors found that only 19 percent of board members feel they have a high level of knowledge of the cybersecurity issues facing their businesses.
The result is a reactive approach that leaves gaping holes in the security plan that cannot easily be fixed later down the line. Furthermore, the lack of a unified cybersecurity strategy defined by the C-level and approved by the board leaves a fragmented and siloed approach, leading to chaos and a seriously increased risk of cyberattack.
How do we deal with this?
The best practice approach ensures security is considered, evaluated and incorporated into the planning stages of every corporate strategy – not addressed after the fact. A dedicated security team should have full, centralized control over policy and implementation enabling the business to achieve uniform security across the entire enterprise. Critically, with security people involved in the planning stage from day one, the company can ensure that best practice cyber technologies are implemented to improve defense and drive business value.
For example, replacing a traditional – and vulnerable – rigid firewall with a software-defined perimeter that is far more fluid enables a business to remain secure despite constant operational change.
Security can no longer be about managing devices and networks. It must instead be focused on managing users and applications, and tightly align with the business objectives associated with both. For example, role-based access control can enable an enterprise to consistently enforce policies across the range of users and applications, directly aligning that critical security function of remote access with the overarching business objectives.
The most effective approach enforces these policies in the actual access control process itself, building on existing policies for user access and identity management. Then, when access is granted, the application traffic is protected by cryptographic segmentation that prevents it from being reached by non-permitted users, thereby blocking unauthorized lateral movement. If all applications are protected by real-time role-based access control, and if all user access is limited to only what a user needs to do their job, then the compromise of one user does not grant access to everything.
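As an added illustration of the role-based access control and least-privilege point made in the two paragraphs above (this is example code written for this page, not code from the original article or from any product it mentions), the following Python evaluates a small RBAC policy, records every access decision for monitoring, flags applications that no role covers, and reports the set of applications a single compromised identity could reach. All role, user and application names are constructed sample data.

```python
"""Minimal role-based access control (RBAC) evaluator with blast-radius
and coverage checks. Constructed example data throughout."""

from collections import Counter

# Constructed sample policy: the applications each role may reach.
ROLE_APPS = {
    "finance": {"ledger", "payroll"},
    "engineering": {"ci", "source"},
    "support": {"ticketing"},
}

# Constructed sample directory: the roles each user holds.
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"support", "engineering"},
}

# Constructed application inventory. 'hr_portal' is deliberately absent from
# ROLE_APPS so that the coverage check below has something to flag.
APP_INVENTORY = {"ledger", "payroll", "ci", "source", "ticketing", "hr_portal"}

# Every access decision is appended here so that denied attempts can be
# reviewed by the security team (in practice this would be a SIEM feed).
DECISION_LOG = []


def permitted_apps(user):
    """Union of the applications granted by all roles the user holds."""
    apps = set()
    for role in USER_ROLES.get(user, set()):
        apps |= ROLE_APPS.get(role, set())
    return apps


def authorize(user, app):
    """Policy decision point: allow only if the user's roles cover the app.
    Unknown users and unknown apps are denied by default."""
    allowed = app in permitted_apps(user)
    DECISION_LOG.append({"user": user, "app": app, "allowed": allowed})
    return allowed


def reachable_if_compromised(user, inventory=APP_INVENTORY):
    """Blast-radius review: which applications a stolen identity for this
    user could reach under the current policy. Each probe is logged as a
    normal access decision, so the denials also surface in monitoring."""
    return {app for app in sorted(inventory) if authorize(user, app)}


def unprotected_apps(inventory=APP_INVENTORY):
    """Applications in the inventory that no role maps to. Anything listed
    here is outside the RBAC policy and therefore not segmented."""
    covered = set().union(*ROLE_APPS.values())
    return set(inventory) - covered


def denied_by_user(log=DECISION_LOG):
    """Count of denied decisions per user, a simple detection signal for a
    credential being tried against applications it should never touch."""
    return Counter(entry["user"] for entry in log if not entry["allowed"])


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "could reach:", sorted(reachable_if_compromised(user)))
    print("applications with no role coverage:", sorted(unprotected_apps()))
    print("denied attempts per user:", dict(denied_by_user()))
```

Because each user's reach is bounded by their roles, compromising `alice` exposes only the finance applications, never the engineering or support ones; the `unprotected_apps` check is the control that catches an application deployed outside the policy, and the per-user denial count is the kind of signal a security team would alert on.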
When every business decision has a technology implication, cybersecurity clearly needs to be led from the top. Done well, security is not simply a defensive strategy, but an enabler of better enterprise performance – and those organizations with a C-suite and board that prioritize cybersecurity are not only in a far better position to minimize risk but also well placed to drive tangible business value.