Reflecting on the past week, a whirlwind of thoughts and ideas filled my mind following my attendance at The Business Show. One of the highlights was my participation in a panel discussion related to Cyber Security. The experience was eye-opening, featuring four individuals with varying backgrounds and experiences providing their unique perspectives on how cybersecurity should be approached. I decided to express my thoughts in a short blog for continuation and, if possible, open debate.
The discussion revolved around risk management, threat modelling, and the use of technical controls to thwart malicious attacks stemming from improper configurations, software vulnerabilities, or user behaviour. The panel reached a consensus that a robust set of well-implemented controls is essential to address the specific risks and threats unique to each business operation. It was agreed that educating people through policy and training is pivotal to success.
User awareness training was a hot topic and essential to effectively empowering people to identify and respond to potential threats. Implementing measures like incident response plans to help identify what to do and enable people to test the process ensures that when the inevitable occurs, there’s a pretested, effective response in place, free from blame, panic, and chaos.
The panel also agreed that adopting various systems or tools like endpoint protection, network firewalling, vulnerability scanners, and abnormality detection capabilities like managed detection and response were essential but potentially pointless if people don’t understand them or use them effectively.
One aspect I didn’t address adequately is that businesses are not all the same. While many rely on computers and networks where traditional firewalls and endpoint protection work, we can’t ignore the increasing use of mobile phones and third-party hosted IT services, such as Software as a Service (SaaS) applications for various business functions or Infrastructure and Platform as a Service (IaaS/PaaS) for hosting or developing digital products and services. These areas are left exposed, outside the traditional security boundaries.
Therefore, it’s imperative to remind ourselves that, as we embrace modern work practices and rely on software hosted on external platforms within an interconnected ecosystem, we must adopt further practices and tooling to address these risks.
Rigorous selection of SaaS applications is essential, ensuring that these tools adhere to robust security practices, operate within secure environments or organisations, and maintain their platforms in line with recommended security standards. They should be monitored regularly, using their own posture assessments or vulnerability tools, and continuous monitoring for anomaly detection is crucial.
Once we’ve adopted these software solutions, in many scenarios we retain responsibility for how they are accessed and configured, and for how their data is protected. This includes identity and access control considerations, data leakage or loss prevention, and recovery.
Cloud-hosted web security gateways or VPN services ensure safe internet access for both PCs and mobile devices on public 4G or Wi-Fi networks.
Another aspect that was not discussed much was zero trust access. This could be crucial in these scenarios, where it’s necessary to minimise access to unnecessary data assets while maintaining an agile and collaborative work environment. Implementing a condition-based access layer that validates a person’s access based on their identity, role, device, location, and time of access adds a significant layer of security. If implemented correctly, it’s possible to do so without hindering productivity, which is often seen as a drawback of an overly secure work environment.
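As an added illustration (not code from the original post or from any particular product), here is a small Python policy evaluator that applies the identity, role, device, location and time conditions described above, distinguishing hard denies from step-up conditions that merely require MFA. The resource names, permitted countries, business hours and sample signals are all assumed for the example.

```python
# Added example: a toy condition-based (zero trust) access evaluator.
# Every threshold and name below is an assumption for illustration only.
from dataclasses import dataclass
from datetime import time
from typing import List, Tuple


@dataclass
class AccessRequest:
    user: str
    role: str
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # passes patch/encryption checks
    country: str             # assumed to be derived from the source IP
    local_time: time         # time of access in the user's local zone
    resource: str


ALLOWED_COUNTRIES = {"GB", "IE"}                    # assumed corporate footprint
WORK_HOURS = (time(7, 0), time(20, 0))              # assumed business hours
SENSITIVE = {                                       # assumed resource -> roles
    "finance-db": {"finance", "admin"},
    "hr-records": {"hr", "admin"},
}


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'mfa' or 'deny'."""
    reasons: List[str] = []
    # Hard denies first: an unknown or non-compliant device never reaches data.
    if not req.device_managed:
        return "deny", ["unmanaged device"]
    if not req.device_compliant:
        return "deny", ["device fails compliance checks"]
    # Sensitive resources are limited to authorised roles, whatever the context.
    if req.resource in SENSITIVE and req.role not in SENSITIVE[req.resource]:
        return "deny", [f"role '{req.role}' not permitted for {req.resource}"]
    # Step-up conditions: each is recorded, and any one escalates to MFA
    # rather than blocking, so productivity is preserved for legitimate users.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"unusual location {req.country}")
    if not (WORK_HOURS[0] <= req.local_time <= WORK_HOURS[1]):
        reasons.append("outside business hours")
    if req.resource in SENSITIVE:
        reasons.append("sensitive resource")
    return ("mfa" if reasons else "allow"), reasons
```

The reasons list is returned alongside the decision so that step-up and deny events can be logged with the signal that triggered them, which is what a detection team needs to spot anomalous access patterns.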
In conclusion, managing cyber-related risks across organisations of different shapes and sizes demands a proactive and multifaceted approach. This approach must centre around a well-informed and educated workforce who understand the risks, follow the guidelines set, and use the tools provided as intended. By embracing these practices, we can safeguard our businesses in an interconnected world where the security of every component matters.
Lastly, I would like to thank my peers on the panel. I look forward to reading the planned follow-up article and seeing the other members participate further on future stages, podcasts, and even their own books!
Ben Paddick
Technical Director / CxO / vCISO