Taming Cybersecurity Threats: How to Provide Security Protection without Friction
When Ben Franklin famously said, “In this world nothing can be said to be certain, except death and taxes,” cybersecurity threats did not yet exist. Otherwise, he would have likely added them.
Cybersecurity threats are one of CIOs’ biggest headaches—just as you figure out how to beat one, another appears. They are also one of their biggest worries because they are no longer confined to IT and they are increasingly impactful, front-page events—generating the kind of press you do not want for your business. Who did not hear about the 2014 Yahoo breach that compromised 500 million accounts or the 2013 Target breach that hit 110 million customers?
Not only are financial and healthcare accounts at risk but intellectual property, confidential information that can compromise politics, business and national security, the computer in your car or even the one in your pacemaker—all are fair game. Regardless of what organization a CIO is responsible for, if there is something digital that can be hacked, stolen or manipulated, it likely will be if it hasn’t already.
What are the costs? Reputation, brand damage and lost customer relationships hit hard and fast. And increased insurance premiums, regulatory fines, post-breach customer protection services and the need for new, costly cybersecurity enhancements quickly follow. For a CIO bearing the brunt of responsibility, these breaches can feel personal.
Can you keep up with cybersecurity threats?
The fact is you can never be “finished” with IT security plans. The best you can do is develop a continuously improving plan with the resources to support it.
Constant shifts in technology give hackers new and ingenious ways to hack into your site and your apps, obligating you to counter with continuously improving technology to foil them.
A bit of good news is that accountability is moving up the corporate chain to CEOs and CSOs, building pressure to increase budgets to counter increasingly sophisticated attacks. But in most companies, IT still handles the security function and CIOs still take most of the heat.
Friend or foe?
Security risks come from inside as well as outside the organization.
Internal breaches can result from a dishonest employee, but a surprising amount of benign negligence within a company is often the culprit. Examples include leaving mobile phones or laptops in vulnerable places, and credentials and accounts compromised through password sharing, phishing and social media.
Another problem is the growth of shadow IT: apps that business users and owners adopt without IT sanction or oversight. The growth of SaaS compounds this problem, which unintentionally creates fertile ground for hackers.
External breaches are more difficult to identify. They run the gamut from tampering with ATMs to DDoS attacks that immobilize your digital presence and malicious bots that mimic legitimate customer behavior to access pricing and competitive info. Malware is everywhere.
How can IT be successful?
Make security everyone’s job—even among your C-Level execs.
To improve internal security, IT can educate users on security best practices and track compliance. Employees need to be reminded not to open attachments from unknown senders, to mouse over URLs first to check their validity, and not to share their login info or personal data with anyone. Trust, but verify.
For external threats, use virus and spam filtering, security patches and updates with the most advanced technology, and authentication services, including risk-based authentication, to establish a strong security barrier that even works during sessions.
And pick your battles. What kinds of breaches would do the most damage? This varies by business so IT needs to articulate what would hurt their organization the most and then address it.
Can you balance security with a positive user experience?
Regardless of whether you partner for your IT security, keep everything in-house and on-premises or choose to use a combination of both in a hybrid IT environment, it is important that you balance easy access and fast performance with state-of-the-art protection.
We know that users often abandon apps that take more than 6 seconds to download and that they want single sign-on and the ability to log in from social media or partner sites. We also know that a security breach often makes them abandon your brand forever. And there is the challenge. Information security goals need to be aligned with business goals and IT so that in making your business secure, you don’t make it so difficult to access your site or apps that you drive customers away.
So, how can organizations work within the new reality of hybrid IT environments and shadow IT without burdening the user or adding unnecessary friction into their experience with your products and services? Look for:
• Security software that starts with authentication to prevent unauthorized access through strong passwords/PINs, device authentication, and newer cutting-edge capabilities such as context-based authentication, which detects anomalies by analyzing behavior, devices, login time and typical actions for a given user.
• Comprehensive identity access solutions that provide single sign-on for both cloud-based and on-premises applications, support social login and registration, and include a security engine for ongoing session control. Single sign-on makes it easier for users to access the range of apps they use and can also improve password quality control.
• Solutions that make it easy for application owners to onboard their apps to your identity service with minimal configuration and business-friendly rules to automate user provisioning. Make it easy to avoid creating shadow IT.
• Solutions that offer complete lifecycle management for privileged accounts. Privileged accounts are where most breaches occur.
• Behavior or threat analytics that analyze user behavior, calculate risk scores based on behavior and adjust security controls in order to mitigate the risk.
• Governance for privileged user accounts that simplifies processing requests for privileged access to resources, groups, and roles, and provides insight into existing access rights. This will simplify the elimination of inappropriate access and reduce risk.
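The context-based authentication and behavior-based risk scoring described in the list above can be illustrated with a small decision function. The example below is added here and is not code from the original article or from any vendor product; the user profile, login events, feature weights and thresholds are all constructed for illustration. It scores each login against what the identity service knows about the user (known devices, usual countries, usual login hours, recent failures) and maps the score to a control: allow, require a second factor, or block.

```python
"""Illustrative risk-based authentication decision (added example).

A login attempt is scored against the user's normal behaviour and the
score selects a control. Profiles, events, weights and thresholds are
hypothetical values constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    """What the identity service has learned about a user's normal logins."""
    known_devices: set
    usual_countries: set
    usual_hours: range        # local hours in which this user normally logs in
    recent_failures: int = 0  # failed attempts in the current window


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    timestamp: datetime
    password_ok: bool         # result of the first factor (password/PIN)


# Hypothetical weights and thresholds; a real deployment would tune these
# from its own login history and false-positive tolerance.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 35,
    "off_hours": 15,
    "recent_failures": 10,
}
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
BLOCK_THRESHOLD = 70     # at or above: refuse the login and alert


def risk_score(event, profile):
    """Return (score, reasons) for a login compared with the user's profile."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if event.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if event.timestamp.hour not in profile.usual_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if profile.recent_failures >= 3:
        score += WEIGHTS["recent_failures"]
        reasons.append("recent_failures")
    return score, reasons


def decide(event, profile):
    """Map a login event to a control: deny, allow, step_up_mfa or block."""
    if not event.password_ok:
        # A failed first factor is denied outright; no risk analysis needed.
        return "deny", 0, ["bad_credentials"]
    score, reasons = risk_score(event, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons


# Constructed sample profile and login events for one hypothetical user.
ALICE = UserProfile(known_devices={"laptop-a1"},
                    usual_countries={"US"},
                    usual_hours=range(7, 20))

SAMPLE_EVENTS = [
    # known device, usual country, business hours
    LoginEvent("alice", "laptop-a1", "US", datetime(2017, 3, 6, 9, 15), True),
    # new device at 02:40 local time
    LoginEvent("alice", "phone-zz", "US", datetime(2017, 3, 6, 2, 40), True),
    # new device from a country never seen before
    LoginEvent("alice", "phone-zz", "BR", datetime(2017, 3, 6, 10, 0), True),
    # correct context but wrong password
    LoginEvent("alice", "laptop-a1", "US", datetime(2017, 3, 6, 9, 16), False),
]


def evaluate_all(events=SAMPLE_EVENTS, profile=ALICE):
    """Return the chosen control for each event, in order."""
    return [decide(e, profile)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        action, score, reasons = decide(e, ALICE)
        print(f"{e.user} {e.device_id} {e.country} {e.timestamp:%H:%M} "
              f"-> {action} (score {score}, {reasons})")
```

The point of the design is that the control escalates with the anomaly rather than interrupting every login: the routine login passes with no friction, the odd-hours login from a new device costs the user one extra factor, and only the combination of new device and new country is refused. The `reasons` list is what an analyst would want in the log line when reviewing why a control fired.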
So what are you waiting for?
There is much IT can do to improve security but not without ongoing effort, focus and resources. As security breaches continue to run rampant and negatively impact business reputations and revenues, resistance to increasing the budget for IT security will likely soften.
In the meantime, don’t be a “sitting duck” for hackers. Use technology to fight technology and look for the right solution for your complex, hybrid environment. Identity access management, single sign-on, privileged access control and increasingly sophisticated security analytics will be your best defenses.