Perhaps just as important is the need for organizations to regularly educate their workforce. The majority of data breaches can be traced back to humans. Verizon found that 68% of breaches involved a human element. Malicious actors are getting more sophisticated in their attacks, and they use a combination of authority, urgency, and fear. Their hope is often to exploit a vulnerability left by a human, whether directly or indirectly.
Many companies start with a zero-trust security framework that requires all users to be continuously authenticated and authorized for every action they take. For the multi-factor authentication this relies on, an authenticator app is more secure than a one-time code delivered by SMS or email notification.
Operationalizing cyber defense in active, online systems is another sound strategy – and organizations like the Defense Intelligence Agency (DIA) and Central Intelligence Agency (CIA) are making it a priority. Operationalization uses AI and machine learning to model what abnormal behavior looks like, improving decision-making and incident response. These types of assessments can identify areas of focus within cybersecurity.
“We look at the health of the cybersecurity environments that agencies are connecting to JWICS,” said DIA CIO Doug Cossa, referring to the Joint Worldwide Intelligence Communication System, the Department of Defense’s secure intranet system.
“That goes to everything from red teaming to looking at the current state of infrastructure, of end of life, whether it’s patching or providing a risk assessment based on those findings.”
A few other steps to consider:
Focus on the basics and IT security best practices. Use strong passwords and enable multi-factor authentication. Encrypt data at all levels, including at rest, to ensure it remains secure even if stolen.
Understand potential security risks. Only work with providers who have a proven track record of security. Additionally, build the organization's expertise in modern cloud security solutions, such as advanced encryption techniques and cloud-native application protection platforms (CNAPP).
Put in place a cloud management strategy that defines performance and security benchmarks for all cloud technologies. Evaluate every application from a security perspective before deployment.
Non-compliance with Regulations and Laws
Many industries, especially health, finance, legal, and telecom, as well as the government, regulate how organizations in their space operate. These regulations cover data, transactions, IT operations, and other business functions.
For example, HIPAA requires all healthcare providers to protect the confidentiality of patient data. Similarly, PCI DSS mandates that every business that accepts credit cards safeguard customer data.
Companies operating in these industries need to establish controls and checks on the data storage, transfer, and access methods that they use. They also need to maintain stringent thresholds of uptime while provisioning for backups and data recovery. In several cases, outsourcing these functions to a third party or service provider may not be allowed, especially if that provider is headquartered in a different country.
As a result, many companies cannot use public clouds for business-critical workloads or data storage. Those that can must ensure the vendors they rely on maintain a minimum level of compliance. They need to have policies and procedures in place for incident response; even then, if a breach occurs at the cloud service provider, the company might still be liable.