Published on January 25th, 2023
Diligent Cybersecurity Requires More Than A Month Of Our Attention
Rami Sass, cofounder and CEO at Mend.
Cybersecurity Awareness Month (CAM) marks a call to action from the government and private sector to raise awareness for both individuals and organizations to understand the risks of cybercrime and hacking. Through diverse programming and themes, CAM helps quantify the risks associated with lax—or nonexistent—data or information security (InfoSec) practices among consumers and enterprises.
This past October, we saw leaders across the industry acknowledging the initiative, now in its eighteenth year. But unfortunately, highlighting cybersecurity during the month of October alone does a disservice to a lot of people and companies. Why? It suggests limiting these initiatives to one month of the year—and leaves the door open for cybercriminals to prey on the organizations neglecting critical security measures for the remaining eleven months.
Cybersecurity awareness is important, but it’s just the first step of an impactful cybersecurity initiative. Enduring organizations understand the significance of a continuous, year-round program and make cybersecurity a topline priority through investment and culture.
Here’s how the best-equipped companies think about cybersecurity and what leaders should consider going into the new year.
Awareness is step one—but action makes the difference.
Cybersecurity is an evolving industry, and attackers are constantly changing their techniques to stay one step ahead—it’s impossible to truly complete due diligence around cybersecurity within the span of one month.
As such, cybersecurity requires ongoing effort, investment, buy-in from executive leadership and security-aware cultures within organizations.
On the execution side, this requires significant legwork—especially for software companies. Think about the vast amount of code that powers any given application or service. It’s crucial for teams to be aware of where threats may crop up. But cybersecurity initiatives also must expand beyond the cybersecurity or IT team—cybercriminals and hackers can gain access to critical data due to anything from weak employee passwords to poor data hygiene.
This is not to say that a formal time dedicated to cybersecurity awareness isn’t important—in fact, October is an excellent time for companies to spend time safeguarding their assets. It’s right before the holiday season, when cybercriminals count on lax oversight and take advantage of skeleton security teams. But these threats don’t just disappear when the holiday season is over. Cybercriminals are always looking for a way in—as such, companies should offer training and require stress testing throughout the year.
Invest in the right tools, protect against today’s threats.
Implementing an effective security procedure starts with ensuring you have the right tools to tackle the problem you are currently addressing, and a protocol in place for potential future issues.
It’s important organizations review their current solutions and determine which need to be updated or replaced—a tool released a few years ago may have been great at the time, but it might not have had meaningful changes or updates made to stay current.
As part of this process, it’s important to consider what processes and manual work could potentially be replaced with automated solutions. Thanks to advancements in the industry, a number of mundane processes, such as identifying critical vulnerabilities, are automated to allow teams to focus on more important tasks.
Investing in these tools is especially important given the sprawling volume of applications that organizations rely on nowadays. Companies use hundreds of applications across departments, and this number continues to grow year over year. And according to Forrester Research, applications are also the top cause of external breaches, as cybercriminals view them as one of the easiest entry points to attack. As supply chain attacks increase, overlooking application security (AppSec) is not an option.
Cybersecurity is a factor in business planning, starting at the top.
As threats become more commonplace and sophisticated, the security function must span beyond the perimeters of the IT department, requiring attention from both the C-suite and Board. Yet a fifth of CISOs report little contact with the CEOs at their respective companies.
Even if an organization’s Board and CEO understand the value and necessity of infosec practices, experienced leadership that understands how to prioritize work around code inventory (or software bills of materials) and technical debt—as well as keeping apprised of known vulnerabilities and potential threats in the ecosystem—is crucial in helping organizations remain secure.
Put in the work: Comprehensive security means building a security-aware culture.
Building a security-aware culture and fostering a collaborative workflow between developers and security teams strengthens any organization’s cybersecurity program.
Consistent training, phishing tests and multifactor authentication requirements are excellent tactics to help build a company culture that values security and encourages employees to better understand the role they play in security.
Companies that don’t keep up with cybersecurity practices at the same rate as innovation and new product development across their organization risk losing millions of dollars—not to mention tarnished reputations and potential liabilities around sensitive consumer data.
A serious shortcoming of CAM as it is now is that it positions cybersecurity as a one-and-done initiative—but this couldn’t be further from the truth.
Safeguarding an organization means year-round, ongoing investment and effort. It also means a little bit of elbow grease and budget, but these efforts are bound to pay off in spades should another catastrophic vulnerability like Spring4Shell or Log4j emerge.
Don’t be an easy target by limiting your cybersecurity tasks to surface-level awareness during just a month of the year. Put in the work: Secure executive-level buy-in, invest in the tools your team needs and work to weave security throughout your organizational culture.