With European Cybersecurity Month in full swing, this week’s topic of discussion is "Cybersecurity Training." Whilst cybersecurity training and awareness have undoubtedly improved, a common mistake is to treat them as a one-time tick-box exercise rather than an ongoing process. As cyberthreats become part of the reality of daily business, the limitations of traditional security controls have been exposed and businesses need to recognise that cybersecurity is not simply a one-off task on the to-do list.
A security breach is now assumed to be inevitable, and whilst layering defensive security controls and tools is a step in the right direction, ensuring that customers and employees follow even basic security practices is crucial in maintaining defences to defeat targeted attacks.
For many, this is where the difficulty lies. Security is often viewed as an obstacle, and the processes designed to keep users and their data safe can become a hindrance to the user. The challenge for businesses is to protect the most valuable assets while continuing to enable a productive workforce, without undermining those security processes.
The threat of a cyberattack is real; it is not a case of "if" but rather "when." Every attack starts with a compromise, and that can very often come from within, as users and data move freely throughout and beyond the enterprise network boundaries. Employees should be trusted, but businesses must also recognise that their employees represent a significant threat to the integrity and security of the enterprise’s data. Training and educating staff and customers on the basics is imperative.
Usernames and passwords remain the easiest way for hackers to gain access to a business through the proverbial front door, so it’s essential that an organisation constantly educates users on the importance of good password hygiene and ensures that it remains central to the core security policy.
Multi-factor Authentication (MFA)
Very few cybersecurity professionals believe that username and password-based security is an adequate form of protection, and many organisations are turning to multi-factor authentication (MFA) to provide the safeguards necessary in today’s complex IT and security world. MFA mitigates password risk by requiring additional authentication factors such as a PIN, answer to a security question, and response to an e-mail or a one-time security code. Biometrics such as fingerprints, retina scans and voice recognition are increasingly being used for MFA too.
Robust Access Policies
With increased risk from users accessing services from outside the corporate network perimeter, as well as users carrying many more devices to access these services, passwords alone cannot be trusted to properly and securely identify users.
Organisations need a better solution that incorporates strong authentication and delivers a common multi-factor experience across all apps—SaaS, cloud, mobile and on-premises. The solution also needs to have adaptive policies that take into account the complete context of the access request.
Single Sign-On (SSO)
Single Sign-On (SSO) permits a user to enter a username and password once in order to access multiple applications. This eliminates the need for ongoing prompts for passwords and login credentials every time another application or resource is accessed. SSO authenticates the user for all the applications they have been given rights to access and should include MFA for further protection if that single username/password combination is compromised.
SSO simplifies the end user experience and enhances IT security and control. Users only have to remember one username and password to access all of their applications whether in the cloud, on-premises or via mobile devices.
Privileged Identity Management
Businesses should implement comprehensive privileged identity management with granular privilege elevation that allows certain commands or programs to be run on demand. Users can then log in as themselves and only raise their privilege level for individual tasks as required.
When we leave the house, we lock the front door, and this behaviour was learned over time as the number of bad guys and corresponding likelihood of burglary increased. Data security needs to be treated in exactly the same manner. It must become habit that businesses adhere to security basics in order to prevent a data breach because there are now hackers and bad guys everywhere. Employees and users need to be educated and maintain security best practices until it becomes normal everyday behaviour.