- More work is being done beyond the physical office, which means organizations have to defend an ever-larger digital perimeter.
- A wide range of security software and services are available, but those won’t do any good without a robust strategy for the human factors of cybersecurity.
- Business Insider spoke with security experts whose products and services perform best when their clients follow these seven tips.
- Visit Business Insider’s homepage for more stories.
Cyberattacks present a growing threat to businesses of all sizes, and the expense associated with security tools and services can start to add up fast.
Even so, there’s no such thing as a perfectly invincible solution, especially when it comes to the individual behavior of the people working for (and with) an organization.
As more work gets done beyond the physical office — on a mix of personal and company-owned devices — the security perimeter that needs defending continues to expand.
To understand the best practices for managing the human dimension of cybersecurity strategy, Business Insider spoke with several experts whose products and services perform best when their clients follow these seven tips.
Start with education
The massive social, economic, and political disruptions happening in 2020 are creating a perfect storm of conditions for cyberattacks, says Darren Guccione, CEO and co-founder of Keeper Security.
“When there’s lots of chaos, that’s when they like to strike,” he said.
When it comes to informing your organization, Guccione says even a small amount of knowledge about cyber threats is a significant advantage over none at all.
The first place to start is to make sure that employees understand how common hacks work, like email phishing and ransomware attacks.
Follow up with consistent training
Tech security tools have come a long way, but there’s still a lot of human-factor risks that simply cannot be solved at any price.
“At the end of the day, every organization has to have an internal control structure and a set of policies to govern their business,” Guccione said. “The software that layers on top of that is to enhance and promote and support those internal controls.”
“Companies that don’t train their employees are going be the most vulnerable,” Guccione said.
Schedule frequent tests
Guccione also said that in addition to a regular cadence of knowledge tests and simulations, his company runs internal pop-quizzes, where Keeper employees are targeted for a cyberattack.
“We just run the simulation. Those people that fail it are contacted by our head of security,” he said.
This is especially important in a remote work environment where the number of home-networks and devices creates new vulnerabilities.
“All of the distributed endpoints — every single one of those endpoints is a risk factor,” Guccione said.
Think like an adversary
Many companies maintain separate security centers for IT and infrastructure, but Galina Antova, cofounder of Claroty, an industrial infrastructure security startup, says attackers don’t care about your company’s org chart.
“To an adversary, a network is a network,” she said.
Antova recommends taking a holistic view of your company’s digital exposure — from offices to manufacturing facilities to employees’ homes — and thinking creatively about where your vulnerabilities are.
Antova also emphasizes the importance of diversity on your security team for finding different ideas and perspectives about the risks facing your organization.
Earlier generations of cybersecurity tools were designed to perform like highly customizable race cars, said Mike Armistead, CEO and cofounder of Respond Software.
Unfortunately, what they accomplished in terms of performance came at the cost of end-user experience that discouraged people from actually using the system and causing gaps in the company’s digital armor.
“If the tool is making the person feel less smart, they’re going to passively resist it,” Armistead said.
Today, there are more intuitive options for businesses large and small, with a wide range of threat-response levels.
Establish checks and balances
Humans are inevitably biased, and that can lead to inconsistent decisions about how to respond to issues flagged by your security systems.
Armistead says that well-crafted processes can help correct for this by having different members of your team checking one another’s work for possible mistakes.
Even highly experienced specialists can slip up when they’re hungry, tired, or agitated.
Plan for the long-term
The digital transformation sweeping across businesses of all kinds is fundamentally dependent on maintaining safe networks and devices.
“Security is not an obstacle, it’s a business enabler,” Antova said.
As companies adjust to new digital challenges, they should remember that many of these shifts are here to stay and that a lack of preparation now could spell disaster down the road.
“It’s like the brakes of a car,” she continued. “They don’t slow you down — they enable you to go faster because you know you can stop.”