Cybersecurity is Shockingly Simple ...!!!

Publish Date : 29-02-2024
Tags : basics of cybersecurity, what is cybersecurity
Author : Open-CISO

The Internet is full of Proof with Incidents and Events

There is a plethora of information available conveying the importance of, and the facts pertaining to, Cybersecurity. There is no point going into the details to convince someone of these facts; take a sneak peek at some stats compiled by Varonis, out of which by far the foremost cause of a cybersecurity incident is human error. According to one of the reports published by Kroll, 88% of the data breaches in the UK were a result of Human Error. And of course: To Err is Human...!!!

At the time of writing this article, the world was battling the Corona Virus, which has ravaged almost every developed economy, with over 1.5 million affected and 90 thousand dead. On the other hand, a few countries played the Awareness game: a country with over a billion people and insufficient medical infrastructure kept the infections as low as 0.1 per million population.

On one hand, we have had over 5000 breaches exposing over 7 billion records in 2019, with an average cost of $300K to mitigate the breach, the major cause of which is Human Error. On the other hand, a country with a billion people reported the lowest percentile of infections during a pandemic by adhering to just basic awareness and a lockdown, which of course was coordinated by those billion people.

The common aspects in both scenarios are HUMANS and AWARENESS. If people are made aware of Cybersecurity, can we say a big chunk of the data breaches could have been avoided? Most Certainly - YES.

Breaches are distributed across Organizations of different sizes and most of them are well established

Most of these Organizations have well laid out Policies and Procedures - without a doubt

A good number of these organizations must have had Cybersecurity policies - which makes sense given they are well established

With the nature of business conducted by these Organizations - it's obvious that the employees are skilled and resourceful

With the Global Presence - these organizations are definitely not NOVICE to technology

What we have on the other side are:

  • The organization's Governance structure - does it allow panning through the Strategic, Tactical and Operational layers with interconnecting Goals and Objectives?
  • Is Cybersecurity one of them? Do they have End to End visibility from 30000 ft to ground zero?
  • How Cyber-Aware are the employees? Are there KRIs, KGIs, KPIs and are they linked to Business and Employee Objectives?
  • Most important: is there a program to measure the awareness? Given the magnitude of the cost implications, how frequently is the awareness assessed?
  • Even if there is a lack of Cybersecurity budget, there is definitely a budget set aside for employee training
    • Measure the Security Awareness in the Organization
    • The least an organization can do is to impart Cyber Awareness
    • Most of the Product companies in Cyber Domain have tutorials, publications and awareness material handy
    • Start from the Entry point into the Organization, cover everyone till the Top Executive
  • Now the Second part of it: Employees have to use all the available technology to deliver Business

Technology means: Hardware, Software, Firmware, OS, Configurations, etc. How frequently do they get updated?

Is there a program to manage the updates and upgrades, i.e. a Patch Management Policy?

Unless there are applications dependent on H/W, S/W versions - any power user can update their computing device

With most of the Business moving to Cloud - there should be no reason why Cybersecurity cannot be achieved at least to a level.

With the above Context of exploiting and upgrading Human Intelligence with Cyber-Awareness:

  • Are the employees susceptible to Phishing?
  • With Patch Updates and Hardware I/O Options self-managed - Can Malware be introduced into the Business Environment?
  • With a combination of access controls such as MFA + Password Complexity - Can the Identity be compromised?
  • Keeping all Business-critical data in the Cloud with a layered defense - How likely is a data breach?
  • If Cyber-score is a part of Employee Performance - What would be the overall Security Posture of the Organization?
  • Do all the C-Suite executives have a Cybersecurity Metric embedded in their Goals and Objectives?
  • There are Quarterly Business Reviews - what about Quarterly Security Reviews?

Bottom line

A level of Cybersecurity can definitely be achieved with a combination of the below:

  • A Policy to maintain the acquired technology infrastructure w.r.t. Updates and Upgrades
  • A Continuous Assessment of Security posture: Both Employees and Business Environment collectively
  • Embed Cybersecurity as one of the Requirements throughout the course of conducting the Business

With the likes of FnCyber - Organizations can derive maximum benefit even with a limited Budget