Professional April 2022

Technology

1.) Accept we’ll never be able to stop breaches

First, SMEs need to subscribe to a new philosophy. If the recently exposed, widespread vulnerability in Log4j taught us anything, it’s that trying to stop 100% of attackers from getting into our systems is futile. Traditional security solutions like firewalls try to stop attackers from penetrating the system by identifying threats based on historical attacks. They categorise known attacks as ‘bad’ and guard against them on this basis — commonly known as the ‘rules and signatures’ approach. However, what we’ve learned over the last decade is that simply trying to stop attackers getting onto systems is only effective against low-level attacks. It doesn’t work for the advanced attacks – like those exploiting the Log4j vulnerability – that these businesses now face. Instead, business leaders must contain attacks quickly and minimise disruption, so the organisation isn’t negatively impacted. Accepting that attacks will get in isn’t accepting failure. It’s the reality of being a mobile, global and interconnected business.

2.) Create a culture of security

Chief executive officers and other C-level executives should be vocal about the importance of cyber security across the business, and all departments should know what their responsibilities are, and that cyber security is relevant to them. The board should be briefed regularly on cyber security, and security providers should be involved in this process. Ideally, the CISO should be part of the top management team. If not, key personnel within the security team should give regular briefings to the management team on how the business is responding to cyber threats.

3.) Pay attention to the supply chain

If companies want to keep closing the cyber-resilience gap to large corporations, supply chain security should be a focal point. Supply chain attacks can be some of the hardest to mitigate, but a few best practices are necessary here. These include doing the due diligence before providing access to third-party vendors. Such access should only allow the bare minimum required to do the job, or in other words, follow the principle of least privilege. Where possible, try to minimise the number of third parties connecting to the network to reduce the potential entry points. Assess supplier and vendor security when deciding whether to work with a company. Examine whether they have external certifications that confirm they take security seriously. Be open with them about this being a factor in decision-making around whether to award contracts. You’re only as strong as your weakest link.

A parting thought

In 2022’s cyber threat landscape, being breached by hackers is inevitable. While there’s no shame in hackers gaining access to your digital estate, allowing them to cause long-term disruption and damage is unacceptable to many SMEs, and fundamentally avoidable. Taking time to examine your business’s cyber-resilience could well save you a lot of trouble down the line.

37

| Professional in Payroll, Pensions and Reward |

Issue 79 | April 2022
