Remember when cybersecurity was something we thought we could actually master to keep all the bad stuff out?
Me neither. For a long time now, many organizations have come to view IT security as an impossible, never-ending battle that just keeps getting harder, no matter how much effort they put into it.
Kinda like the predicament of Sisyphus. If you’ve forgotten your grade school Greek mythology, Zeus got so fed up with Sisyphus’s wicked ways that he condemned him to spend eternity pushing a boulder up a hill, only to have it roll back down towards him every … single … time.
“Sometimes IT security feels exactly like that,” said Jamie Hari, director of cloud and security at Zayo Group. He made the comparison during his presentation at SecTOR, the annual infosec conference held in Toronto this week.
According to the 2017 Cybersecurity Trends Report, organizations aren’t just putting more effort into infosec, they’re also throwing more money at it.
In the survey of 1,900 IT security pros, more than half (52 per cent) said they plan to boost their security budget by, wait for it … 21 per cent. Furthermore, 45 per cent of them cited lack of budget as their biggest barrier to defending against cyberthreats. (It tied for first place with “lack of skilled personnel.”)
Clearly, many IT managers view spending as a key factor in keeping their organizations secure.
“What if I could challenge that concept?” Hari asked the SecTOR audience. “What if there are things you can do that don’t require the capital outlay of spending a bunch of money on equipment?”
He then went on to list “things you can do that are hopefully zero- or near-zero cost, to move your security maturity forward.”
Here are some of Hari’s top tips to protect your network without dipping directly into your capex IT budget:
Take an inventory of your devices and software
You need to prioritize your assets before you can protect them, Hari pointed out, and it costs little or nothing to do that.
Take an inventory of your security program assets
Do this so you know exactly what infosec you’ve got in place, how much is outdated and what you need to beef up. According to another Zeus (not the Greek god, but research analyst Zeus Kerravala), the average enterprise uses 32 different security vendors. Taking inventory can help you streamline, integrate and make sense of them all.
Beware the cost of ‘free’
“There are hidden costs to every free tool we use,” Hari warned. Stressing that he’s not against open source, he reminded SecTOR attendees that running any IT tool comes with labour and operational costs like computing power, storage, staff training and patching.
Rethink password dogma
Remember the formula everyone at your company is supposed to follow for creating ironclad passwords? Nobody does, and Hari said that’s probably because it’s far too complicated and ridiculous for everyday use. Aim to simplify password rules without sacrificing security, he said, and try using multifactor authentication “everywhere,” too.
Maybe the cheapest (and most effective) security tool you can wield is a mirror. Hari urged enterprises to take a harder look at the risk points inside their own organization. Beyond offering cybersecurity education and training to staff, companies need to get specific with each employee.
“We need to tell everyone in the entire organization ‘this is your task.’ We need to be telling the receptionist and the finance director and showing them what their role is and what happens if they’re breached,” Hari said. “It’s not just about mitigating the IT event. It’s about how everyone in the organization is going to respond.”
Hari’s other tip for self-reflection is to control access based on each employee’s role, not their identity. That way Sam’s or Sally’s access level doesn’t carry over (or quietly accumulate) when they move to a different job or department.
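A small worked example of the difference between identity-based and role-based access, added here to illustrate Hari’s point; it is not code from the talk or from Zayo. The roles, permissions and employee names are constructed for the illustration, and the audit helper that flags leftover grants is an assumption about how a defender would check for the problem, not something the article describes.

```python
"""Role-based vs identity-based access control, as a worked example.

Constructed data: the roles, permissions and employees below are invented
for illustration and do not come from the talk or from any real system.
"""
from dataclasses import dataclass, field

# Permissions hang off roles, not off people.
ROLE_PERMISSIONS = {
    "receptionist": {"calendar:read", "visitor_log:write"},
    "finance_director": {"ledger:read", "ledger:approve", "payroll:read"},
    "sales_rep": {"crm:read", "crm:write"},
}


@dataclass
class Employee:
    name: str
    role: str
    # Identity-based grants: permissions attached directly to the person.
    # This is the pattern the talk argues against; kept here to show why.
    direct_grants: set = field(default_factory=set)


def grant_directly(emp: Employee, permission: str) -> None:
    """Identity-based model: attach a permission to the person."""
    emp.direct_grants.add(permission)


def role_permissions(emp: Employee) -> set:
    """Role-based model: permissions follow from the current role only."""
    return set(ROLE_PERMISSIONS.get(emp.role, set()))


def transfer(emp: Employee, new_role: str) -> None:
    """Move an employee to a new job. Only the role changes; direct grants
    are untouched, which is exactly the problem with identity-based access."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    emp.role = new_role


def is_allowed(emp: Employee, permission: str, role_based: bool = True) -> bool:
    """Authorization decision under either model."""
    if role_based:
        return permission in role_permissions(emp)
    return permission in emp.direct_grants


def orphaned_grants(emp: Employee) -> set:
    """Audit helper (hypothetical): direct grants the current role does not
    justify. These are the permissions that should have been revoked on transfer."""
    return emp.direct_grants - role_permissions(emp)


def demo() -> dict:
    """Sam starts as finance director, then moves to sales."""
    sam = Employee("Sam", "finance_director")
    # Identity-based: an admin hands Sam the finance permissions one by one.
    for perm in ROLE_PERMISSIONS["finance_director"]:
        grant_directly(sam, perm)
    transfer(sam, "sales_rep")
    for perm in ROLE_PERMISSIONS["sales_rep"]:
        grant_directly(sam, perm)  # identity-based grants accumulate
    return {
        "role_based_can_approve_ledger": is_allowed(sam, "ledger:approve"),
        "identity_based_can_approve_ledger": is_allowed(
            sam, "ledger:approve", role_based=False
        ),
        "orphaned": sorted(orphaned_grants(sam)),
    }


if __name__ == "__main__":
    print(demo())
```

Under the role-based model the transfer alone removes Sam’s ability to approve ledger entries; under the identity-based model the old grants survive the move, and the audit helper is what surfaces them. Running the same audit over a real directory (comparing each account’s direct entitlements against its current role) is the zero-cost check this tip implies.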
PwC’s 2018 Global State of Information Security Survey seems to back up Hari’s focus on managing internal risk. When it polled 9,500 executives in 122 countries, PwC found that current employees were responsible for the largest share (30 per cent) of attacks. Just 23 per cent were attributed to unknown hackers.
You’ll still have to spend money on security, of course. But Hari hopes these simple hacks can help you “move that rock up there, using leverage” instead of precious IT budget dollars.