In our future-oriented environment, the idea of looking backwards rather than forward seems rather counterintuitive. But cybersecurity experts are shifting in that direction as we strive to help organizations shield themselves from attacks and prepare for tomorrow’s threats.
According to my colleague Pete Hobson at KPMG, “There’s so much effort spent on what could happen within a system. But what did happen?”
His point is that cybersecurity has traditionally focused on managing risk within business applications based on what hackers might do next – since they are always thinking ahead. Cybersecurity experts have concentrated on access control and user roles within the system, or vulnerability management, or code scanning. These are of course important techniques that use technology strategically.
However, we now have technology that enables us to see how an attack happened, to learn from and apply that knowledge. Artificial intelligence, machine learning, data analysis: Huge volumes of data within business applications can be analyzed to recover and protect against exposure and better understand the organization’s risk portfolio. Going forward, continuous threat monitoring of business applications will become a must. Companies will not survive without such technology.
Next-Generation Methods for Thwarting Danger
When we look at the major threats today and those looming on the horizon, we are seeing a dramatic rise in ransomware attacks as companies grow increasingly reliant on digital infrastructure to run their businesses. Ransomware typically involves hackers impersonating internal users:
An attacker can easily guess the email address of targeted individuals by looking at job titles within companies (which are increasingly visible on social media).
They can then send a message that will look just like a legitimate email from the company. Phishing.
The only thing the attacker needs is oneof those targeted individuals to click on a weaponized file or link within that mail.
That can be a sufficient entry point upon which to attack applications to stop business processes, make payments, download credit card and bank account information, and so on.
Companies are desperate and often agree to pay ransom, and are therefore increasing the incentive to break in.
To stop the attack in time, impersonation of users must be recognized very quickly. Thus, security processes supported by innovative technologies must be in place to mitigate the unintended errors that people will inevitably make.
In short, this will require centralizing and automating pretty much everything – not just user-access administration but controls, data masking, monitoring, and audit. This will be crucial as companies move toward heterogeneous and hybrid landscapes.
Monitoring must encompass both internal and external threats. Companies will shift towards a model that assumes more flexibility in the way they manage segregation of duties – and ironically, actually allowing for more internal trust. Businesses need to run and they need to run fast.
This model will involve monitoring users to ensure they act as per codes of conduct, and automatically block access or mask data only when activities seem suspicious or dangerous. This is the optimal Zero Trust model.
An Evidence-Based Approach to Gaining Buy-In for Security Investments
That said, I am well aware of the challenges for security personnel in convincing business leadership to make these investments. The security team is typically requesting budget resources from an audience that is far more focused on sales and finance, increasing revenues or reducing costs.
How can you bring their attention to the urgent need for security and get buy-in?
One way is to use data analytics to show evidence of cyber threats, highlighting the magnitude and impact these could have on the company's strategic business objectives.
Talk about the things business executives care about. Communicating clearly is paramount, avoiding heavily technical language about the methodologies you use and acronyms that are incomprehensible outside the security realm.
Keep in mind your stakeholders and the issues that matter to them, and tie the conversation back to a business risk that is meaningful. In the end, security measures are in place to support the business in running better and more securely, and must be implemented according to the end-user experience.
An Embedded Security Culture
At a higher level, the best practice is to embed security at every level of the organization.
Chief information security officers will become more important in that regard. The trend is moving toward integrating security professionals into the process of deploying solutions from the outset.
Any type of software implementation is focused on enabling the business – making it faster, driving efficiencies, and ensuring business continuity. The conception in the past was that incorporating security would do the opposite. This is why security has often been an afterthought, creating many issues after go-live.
Today, security can be implemented to seamlessly run in the background, and leveraging data analytics automatically allow or block access. This means that security, compliance, and controls can be deployed at the start and throughout the project without impacting the implementation timelines and frustrate the business.
Emphasis on Efficiency
Finally, I recommend that security teams continuously challenge themselves to think broadly about different ways to solve a problem.
Try to find a way that is least intrusive to your business operations. Supporting the efficiency that the entire organization values is how you can drive buy-in – the acceptance to say: yes, security needs to be part of this because we're finding ways that are invisible and allow our business to operate and flow as it should, and more secure.
To Learn More
Many thanks to my colleague Pete Hobson, KPMG Managing Director of Cyber Risk and Regulatory, for his contributions to this topic.