Cyber strategies to embrace – TalkLPnews

Cyber strategies to embrace

In the digital age, cyber security incidents are increasingly considered one of the biggest threats facing companies – financially and reputationally, writes Mark Hughes, President Security, at DXC Technology.

In the UK alone, the ICO (Information Commissioner’s Office) can issue firms dealing with a data breach with fines of up to £17.5 million or 4pc of the company’s total annual worldwide turnover. However, often the biggest risk for an organisation can in fact be the enemy from within – that is, highly complex, poorly implemented or maintained IT environments.

At DXC Technology, we are frequently tasked with managing mission-critical systems for some of the largest corporations worldwide – including advising on how best to tackle internal cyber security threats. So, how can organisations ensure a robust approach to security in a world of increasingly complex IT environments?

Know weakness

Prior to implementing any large-scale security overhauls or upgrades, organisations need to ensure they have a deep understanding of their existing operating network – including any known vulnerabilities which need to be resolved.

Whilst cyberattacks are difficult to anticipate, cyber criminals will often mobilise malware to take advantage of these vulnerabilities. Ultimately, you cannot protect against a potential threat without mastering the basics.

Identify access points

Secondly, organisations need to ensure they can identify any access vulnerabilities. An attack can often begin from an initial entry point – perhaps from one of your employees, or an outside contractor clicking on a phishing email. Concerningly, the practice of “spear-phishing” – targeting users with an email from a known or trusted sender – is becoming increasingly common due to its effectiveness in evading access controls.

This can be especially challenging for larger corporations, where it can prove even harder to keep track of access points. Security teams are often removed from decisions about which employees or contractors require system access. This can only further exacerbate potential control issues. However, with greater awareness, a security team can introduce the necessary additional security protocols such as multi-factor authentication.

Assess third-party software risk

Alongside the potential threat from external contractors, third-party software can also present security vulnerabilities. Hackers are increasingly exploiting vulnerabilities in software used across multiple organisations, enabling them to efficiently gain numerous footholds. Concerningly, this is becoming common in all types of software – ranging from core ERP systems to ancillary open-source products.

Inevitably, some degree of third-party software and SaaS will be introduced into an IT environment. However, organisations need to make sure they are aware of what they are running and cognisant of any associated risks. This will allow companies to ensure they are actively maintaining software, whilst looking to additional solutions, such as threat intelligence mechanisms, to bolster security.

Integrate into business transformation

Many sectors are looking to digital transformation, and this is also creating more complex IT environments, which are proving more challenging to defend. Regardless of how well-designed a cloud and hybrid IT environment is, organisations need to ensure they are adapting their security practices to accommodate these transitions.

However, with security teams often externalised, this can mean they lack the context of who requires access, or how outsourcing partners are operating within that environment. Amid increasingly complex IT systems, embedding security and ensuring greater collaboration across teams has never been more important.

Simplification over diversification

Finally, as companies increasingly prioritise security, they are inevitably becoming overwhelmed with different security tools and solutions. Be it endpoint protection, monitoring, network firewalls, or cloud security – there is an abundance of options on the market. Whilst it can be tempting to incorporate all into your security toolkit, the best solution may in fact be simplification.

Some cloud providers such as Microsoft and AWS have been making headway when it comes to platform-native security controls. For instance, a single Microsoft license can replace up to 26 siloed security tools. Embracing simplification can help optimise investments, and ultimately, efficacy when it comes to tackling nefarious actors and evolving security threats.

About Mark Hughes

Mark Hughes is president of Security for DXC Technology. He is responsible for DXC’s Security business including cyber defence, digital identity, secured infrastructure and security risk management. Mark joined DXC from BT, the telecoms provider, where he most recently served as chief executive of BT Security. He joined BT in 2002 and held a variety of senior appointments, including key government customer-facing roles. In 2013 Mark led the formation of BT Security. Earlier in his career, Mark was the commercial director at MWB Business Exchange. He began his career in the British Army. Mark has served on national boards, including the Cyber Growth Partnership for the United Kingdom, and the World Economic Forum’s (WEF) Global Cybersecurity Board.

Awarded a BS with honours by the University of Leicester, Mark trained at the Royal Military Academy Sandhurst, and the Junior Division of Staff College.

https://www.professionalsecurity.co.uk/products/cyber/cyber-strategies-to-embrace/