Securing the enterprise is no easy task. With a huge workforce to train, hundreds or even thousands of devices to manage and protect, and forever evolving security threats — the job never stands still.
CSOs and CISOs rely on their strong network of information to keep their organization as secure as possible. IDG TECH(Talk) led a Twitter discussion, plus a live-streamed video, with security experts and tech-industry watchers to talk about the state of enterprise security in 2020 and how to keep attackers out.
Security ignorance an issue
Lack of security awareness still plagues the organization, as employees and IT staff often make mistakes that leave the company vulnerable. Those include: weak passwords, bad email practices, out-of-date policies and tools, no monitoring, and no knowledge of where data resides, said Peter Salvitti (@psalvitti), chief technologist at Boston College.
Business owners are often ignorant of threats and don’t like to change things even if it means reducing the organization’s vulnerability, added Wayne Anderson (@DigitalSecArch), security and compliance architect with Microsoft’s M365 Center of Excellence.
“Two phrases I hate [hearing when] working with business owners: ‘But we have done it that way, and we really don’t want to mess with what works’ and ‘We really just aren’t that big a target,’” he said.
To combat the latter, Ed Featherston (@efeatherston), vice president and principal cloud architect for Cloud Technology Partners (CTP), said he shows people how the organization is, in fact, a target for hackers.
“I frequently sit with a client, set up a public share/storage point with a honeypot, [and] usually within minutes, someone tries to hit it, prompting a ‘Hmmmmm, [I] didn’t expect that’ [response] from the client,” he said.
Lack of awareness spreads into employees’ personal actions, such as sharing too much information on social media, said Scott Schober (@ScottBVS), author of Hacked Again, a cybersecurity news pundit, and CEO of Berkeley Varitronics Systems.
How to improve enterprise security
Enterprise security issues can be resolved by improving password policy basics, creating a system to verify passwords are being updated, and educating staff.
A key aspect of doing that well is to empower staff to feel involved in ongoing security — to create a culture of security. You want employees to feel part of the solution, not the problem.
As Salvitti said, “Don’t go around saying ‘employees are the weak link.’ Engage them, make them stakeholders and part of the program.”
Will Kelly (@willkelly), a technology writer, agreed: “It’s [about] building the more security-minded employee, the more security-minded developer, the more security-minded Ops person. Then reinforce those people with industry standard frameworks, training, and tools. Rinse and repeat.”
In addition, IT operations and security need to work together, Salvitti stressed. “First and foremost, [IT operations] should partner with your security team! Don’t leave them out. Join with them … like, at the beginning,” he said.
By bridging the gap between these siloed teams, you improve visibility and have better security, Zeus Kerravala wrote in a recent CIO article, The big task for CIOs in 2020: Bringing security and IT operations together.
“In organizations that lack collaboration between security and IT, it takes nearly two weeks longer to patch IT vulnerabilities than teams with a healthy relationship, the study found. This delay can put companies at significant risk of being breached, causing brand damage or even crippling an organization,” Kerravala wrote.
Organizations must also verify the security of products and services they use, said Salvitti: “Ask them: 1. Do you participate in, subscribe to, known security frameworks? 2. Do you know the CIS Top 20 [Security] Controls? 3. Are you a member of an industry body dealing with security (think: IoT here)? 4. Are they in compliance with latest regulations?”
It boils down to having a defense-in-depth strategy, said Ben Rothke (@benrothke), senior information security specialist at Tapad. Layered security builds in buffers against impending hacks, giving staff multiple lines of defense and reducing some of the strain of having to be constantly on alert.
“Firms need defense in depth. Use the lifecycle of infosec tools of firewall, filtering, DLP [data loss prevention], IoT security, encryption, IDS/IPS [intrusion detection systems and intrusion prevention systems], DNS security, pen tests, container security, WAF [web application firewall], DDoS mitigation, cloud security, and more. And don’t forget physical security,” Rothke said.