It’s reasonable to reconsider our cyber security readiness now that so many more people are working remotely. In the spirit of business continuity, employees are suddenly conducting business using non-corporate-issued devices and sharing business-critical data while connected to home networks, significantly widening the attack surface and diminishing your visibility into potential risks.
The good news amidst all of this rapid-fire change is that the current shift to more remote work forces us all to do more than play defense. Forget about simply holding down the fort. This shift in technology use is an opportunity to rethink our current levels of cyber security readiness and see where we might even improve.
A person’s physical location simply no longer matters for most jobs. Gone are the days of the common worker having to be on site to do his or her job, even when working with confidential or sensitive information. Ready or not, remote work is here. With that in mind, here is some good information on how to get, and stay, ready.
That’s right, cyber security readiness is not just about technology. It never was. It’s about access.
Every network has multiple access points. Devices, users, connections, applications, servers, databases, and more – everything talks to everything else, all day long. Sometimes all night long, too. With that many devices and all of that data going back and forth, surely there are gaps in your network security posture. Do you know where they are? They likely keep changing, as each of the access points changes.
A strong cyber security readiness plan can never be about predicting the future, making a plan for contingencies, and then calling it a day. That’s because it’s impossible to predict every contingency. None of us knew in February that just one month later so many people would be working from home.
To be prepared for truly any contingency, a strong cyber security readiness plan must be progressive. Forward is the only way to look, never back, because the landscape changes too much.
According to AT&T, the four levels of cyber security readiness are:
As with all things, so it goes with technology: it’s better to be ahead of the curve than to chase it, or worse, to fall behind.
Any strong cyber security readiness strategy involves constant evolution and re-evaluation, with or without a global pandemic affecting everyday business practices.
An absolute lockdown of access is too restrictive to be practical. End users will be frustrated at the limitations imposed on them. They won’t be able to accomplish their work without issue, and quality of work may suffer.
On the other hand, granting full access to anyone who can find their way to your network or your system is also a bad idea. While your end users will have unfettered access to everything they need quickly, valuable intelligence would be at risk.
The way to strike the right balance is through adopting a zero trust mindset within your network.
The concept of zero trust certainly sounds like an absolute lockdown, doesn’t it? Yet, much like with the concept of cyber security readiness overall, zero trust is also about a point of view. A zero trust network is designed to do exactly what it says: trust no one and nothing. That doesn’t mean that it doesn’t let anyone in. It simply means that you have to knock on the door and show valid ID before being admitted, so to speak.
Gone are the days of the castle and moat mentality when it comes to cyber security readiness. Today, IP addresses, machines and other hardware, and especially end users are all possible threats to the network, whether intentional or not.
By adopting a zero trust mindset, IT professionals can unlearn the bad habits of previous network designers and corporate culture. They are positioned to be proactive and progressive, not reactive and regressive. They always assume there is a breach – because there is.
When considering how to assess your cyber security readiness, start with the mindset that cyber security as a whole is all about balance and evolution. Follow the steps of this Intelligent Cyber Security Framework:
Then, do it again. And again. And again.
You get the picture.
Ready to evaluate your own level of cyber security readiness? The Moor Insights and Strategy Readiness Scale provides a quantifiable way to measure exactly where your system stands. Perhaps more importantly, it helps you know what to do next.
This scale is most useful once you have a comfortable understanding of where your team lies with the Intelligent Cyber Framework, above.
Then, rate your system by each of these criteria:
0 = Exposed
You have no cyber readiness plan at all. No training, no security, no policies, and no backup plan. Vulnerabilities are unknown.
1 = Lagging
Basic protections and policies are in place, but you have minimal technology for protection, detection, and discovery of threats.
2 = Emerging
Some policies are in place, though they may be incomplete. You have implemented software for access control, authentication, and incident response. The policies you do have are documented.
3 = Steady
You conduct regular, organization-wide training, have a dedicated IT cyber-response team, and more comprehensive cyber security policies. IT staff training and appropriate software are deployed.
4 = Leading
You employ a zero trust infrastructure, and zero trust policies. Your cyber strategy was developed with the help of a trusted and experienced third party. You regularly test your cyber security readiness strategy. Hardware and software are in place to detect cyber threats.
By adopting a progressive, zero trust cyber security mindset, you won’t just be ready to evaluate your current state of cyber security readiness. You’ll also be ready to take on anything that comes your way in the future.