Cybersecurity Awareness Month: How enterprises should approach cybersecurity

The global pandemic has forced businesses across the world to work remotely, resulting in IT teams managing more devices than ever before. Taking the unexpected situation to their advantage by exploiting the security gaps, hackers and cyber attackers executed a series of high-profile significant cyber incidents, including the Conti Ransomware, Colonial Pipeline, and JBS Foods. Adopting a cybersecurity-first mindset and following basic cyber hygiene—using strong passwords, backing up critical data, applying security patches, and configuring multi-factor authentication—has become a pressing need for organizations.

October is Cybersecurity Awareness Month, and the best time to take stock of your cybersecurity practices. Today, many workers use personal and corporate devices interchangeably, which can lead to both our personal and professional data becoming interconnected and even exposed. Moreover, with ever-increasing cyber threats in the background, organizations need to consider the following cybersecurity practices to protect confidential information like employee data and intellectual property:

Five pillars to secure today's workforce

1) Establish clear security policies and standards

Basic security hygiene alone is not sufficient at the enterprise level to protect against advanced cyberattacks. Enterprises must move towards the "never trust, always verify" approach, popularly known as the zero-trust model. Organizations must consider their cloud platforms, software development lifecycle, DevOps processes and tools, and compliance with regional regulations while setting up their policies and standards.

Here are three points to keep in mind while constructing your cybersecurity policies:

• Analyse the current threat landscape, compare it with your industry's best practices, and build an end-to-end security strategy.
• Publish transparent security policies and standards internally to guide stakeholders making key security decisions.
• Set goals, processes, and accountability to achieve the overall company's security policies and standards.

2) Train, equip, and reward

It is critical to regularly train and educate stakeholders about the continuously evolving threat landscape: phishing, ransomware, sim swap attacks, social engineering, etc. According to data from The SANS 2021 Security Awareness Report:

• Over 75% of security awareness professionals spend less than half their time on security awareness. Companies with a successful security-first approach report that they have at least 2-3 full-time employees dedicated to these awareness programs.
• Security awareness programs are often driven by highly tech-savvy people who lack the soft skills needed to teach cybersecurity in easy-to-understand terms. These programs should be presented in layman terms for better results and change of behaviour.
• Security awareness teams should be reporting to the CISOs and not other functions such as audit, legal, or HR. This will help them strategically align with the company's security and privacy policies.

Companies should also equip all their employees with basic security tools, such as password managers, behaviour threat analytics like alerting users and administrators when someone accesses an enterprise account from unknown IP during unusual hours, data backup, and multi-factor authentication. Consider starting a reward program to incentivize proactive security hygiene and encourage your workforce to adopt better security habits. At Zoho, for instance, internal cybersecurity and bug bounty programs have significantly helped to educate and reward responsible employees.

3) Protect identities and access keys

Protecting identities and keys should be one of the top priorities for every cybersecurity team. We need to securely authenticate and authorize people, services, devices, and applications to access the company's data. For instance, many companies now use SSH keys and SSL certificates for secure cryptographic operations in the background.

Solid identity management begins with using tools and strategies like strong passwords, passwordless authentication, multi-factor authentication, role-based access, identity-based perimeters, and zero-trust access control strategies.

4) Secure the endpoints

Once an identity has been granted access, a user can gain access to numerous endpoints and applications owned by the company using the identity. In a hybrid environment, enterprise data is communicated over smartphones, IoT devices, BYOD, cloud servers, and more, and many companies still rely on traditional firewalls and VPNs to restrict access. Enterprises should move away from these legacy models and adopt a least-privilege access strategy for users, applications, systems, and connected devices. It's important to provide only a minimum level of access based on job roles and responsibilities. The key advantages of this strategy are:

• Reduced cyber attack surface
• Controlled spread of malware
• Streamlined compliance and audits

5) Keep applications up to date

Some of the easiest openings for hackers to exploit are unpatched systems and applications. Whenever a new security patch is released, attackers will try to exploit the weakness before the patch is implemented to gain access to enterprise data. Thus, enterprises should take advantage of patch management and vulnerability management tools that offer immediate implementation. Other advantages include:

• Use of new features and resources
• Increased performance
• Easy compliance and avoiding unnecessary fines

It is critical to approach your cybersecurity policies with clarity and purpose. The five pillars discussed here will help any fast-growing enterprise to get their basics right and evolve their strategies. Always keep cybersecurity and privacy foremost in all your initiatives and continually invest in formal cybersecurity training and education for your workforce.

The article has been written by Chandramouli Dorai, Product Marketing Manager, Zoho Corp