Cyber threats are not new just because more people are working from home. Attacks on your network happen every day, and did long before the COVID-19 pandemic.
It’s reasonable to reconsider our cyber security readiness now that so many more people are working remotely. In the spirit of business continuity, employees are suddenly conducting business using non-corporate issued devices and sharing business critical data while connected to home networks—significantly widening the attack surface and diminishing your visibility into potential risks.
The good news amidst all of this rapid-fire change is that the current shift to more remote work forces us all to do more than play defense. Forget about simply holding down the fort. This shift in technology use is an opportunity to rethink our current levels of cyber security readiness and see where we might even improve.
A person’s physical location simply no longer matters for most jobs. Gone are the days of the common worker having to be on site to do his or her job, even when working with confidential or sensitive information. Ready or not, remote work is here. With that in mind, here is some good information on how to get, and stay, ready.
Cyber security readiness is a mindset
That’s right, cyber security readiness is not just about technology. It never was. It’s about access.
Every network has multiple access points. Devices, users, connections, applications, servers, databases, and more – everything talks to everything else, all day long. Sometimes all night long, too. With that many devices and all of that data going back and forth, surely there are gaps in your network security posture. Do you know where they are? They likely keep changing, as each of the access points change.
A strong cyber security readiness plan can never be about predicting the future, making a plan for contingencies, and then calling it a day. That’s because it’s impossible to predict every contingency. None of us knew in February that just one month later so many people would be working from home.
To be prepared for truly any contingency, a strong cyber security readiness plan must be progressive. Forward is the only way to look, never back, because the landscape changes too much.
According to AT&T, the four levels of cyber security readiness are:
- Passive: Simply wishing a threat to go away won’t make it so.
- Reactive: Being on the defensive is a weak position and doesn’t help you protect yourself against future attacks.
- Proactive: Better than being reactive but still not visionary, this level involves staying on top of day to day operations, and maybe even calls in an expert third party to consult.
- Progressive: This level of cyber security readiness involves a team that is deeply embedded in the company, involved with management, and actively leverages technology and data to stay ahead of the curve.
As with all things, so it goes with technology: it’s better to be ahead of the curve than to chase it, or worse, to fall behind.
How much security is too much?
Any strong cyber security readiness strategy involves constant evolution and re-evaluation with or without a global pandemic affecting everyday business practices.
An absolute lockdown of access is too restrictive to be practical. End users will be frustrated at the limitations imposed on them. They won’t be able to accomplish their work without issue, and quality of work may suffer.
On the other hand, granting full access to anyone who can find their way to your network or your system is also a bad idea. While your end users will have unfettered access to everything they need quickly, valuable intelligence would be at risk.
Zero trust
The way to strike the right balance is through adopting a zero trust mindset within your network.
The concept of zero trust certainly sounds like an absolute lockdown, doesn’t it? Yet, much like with the concept of cyber security readiness overall, zero trust is also about a point of view. A zero trust network is designed to do exactly what it says: trust no one and nothing. That doesn’t mean that it doesn’t let anyone in. It simply means that you have to knock on the door and show valid ID before being admitted, so to speak.
Gone are the days of the castle and moat mentality when it comes to cyber security readiness. Today, IP addresses, machines and other hardware, and especially end users are all possible threats to the network, whether intentional or not.
By adopting a zero trust mindset, IT professionals can unlearn the bad habits of previous network designers and corporate culture. They are positioned to be proactive and progressive, not reactive and regressive. They always assume there is a breach – because there is.
So, how does one find the balance?
When considering how to assess your cyber security readiness, start with the mindset that cyber security as a whole is all about balance and evolution. Follow the steps of this Intelligent Cyber Security Framework:
- Identify threats and vulnerabilities
- Protect hardware, access, and resources
- Detect the inevitable threats by keeping up with tools to constantly search for them
- Respond with speed and thoroughness
- Recover quickly and completely
Then, do it again. And again. And again.
You get the picture.
Time to practice
Ready to evaluate your own level of cyber security readiness? The Moor Insights and Strategy Readiness Scale provides a quantifiable way to measure exactly where your system stands. Perhaps more importantly, it helps you know what to do next.
This scale is most useful once you have a comfortable understanding of where your team lies with the Intelligent Cyber Framework, above.
Then, rate your system by each of these criteria:
0 = Exposed
You have no cyber readiness plan at all. No training, no security, no policies, and no back up plan. Vulnerabilities are unknown.
1 = Lagging
Basic protections and policies are in place, but you have minimal technology for protection, detection, and discovery of threats.
2 = Emerging
Some policies are in place, though they may be incomplete. You have implemented software for access control, authentication, and incident response. The policies you do have are documented.
3 = Steady
You conduct regular, organization-wide training, have a dedicated IT cyber-response team, and more comprehensive cyber security policies. IT staff training and appropriate software is deployed.
4 = Leading
You employ a zero trust infrastructure, and zero trust policies. Your cyber strategy was developed with the help of a trusted and experienced third party. You regularly test your cyber security readiness strategy. Hardware and software are in place to detect cyber threats.
Moving forward
By adopting a progressive, zero trust cyber security mindset, you won’t just be ready to evaluate your current state of cyber security readiness. You’ll also be ready to take on anything that comes your way in the future.