Why constant monitoring & training is key to optimal security

This article originally appeared on Silicon India

There is a common saying in cybersecurity circles that goes something like this: “It’s not that you have not been breached; just that you don’t know it yet.”

An adage like this would be funny if it were not true or its implications not so serious. According to the Cost of a Data Breach Report 2019 by Ponemon Institute, the average time to identify and contain a breach—and this is a global average—is 279 days. This implies that for over nine months, an organization may have no clue that its security has been breached. And the average total cost of a data breach? A $3.92-million hole in your pocket.

Unfortunately, most companies practice cybersecurity as an afterthought, often trying to retrofit their systems with tools instead of doing it from the ground up. This not only proves futile when a new, advanced attack happens, it also escalates their overall cost.

In my view, cybersecurity should be built into the organizational design from the very initial stages, and companies should take a holistic approach to meeting their specific security needs. Remember: one size does not fit all. So each organization should regularly do an exhaustive exercise to figure out the security posture that best fits its needs.

Protecting your crown jewels

One thing each company needs to keenly protect is its ‘crown jewels’—the most critical data pertaining to them. For instance, for a healthcare firm, the most important data assets are likely to be patient health records, whereas, for a bank, it could be data related to transactions.

Again, a holistic approach requires you to first identify and define what you are protecting. To achieve this, you should start with identifying your crown jewels such as the proprietary intellectual property you may have developed, your customer list, your financial data, and the like. 

What’s more, a comprehensive view involves securing your data assets in a multi-layered way. So you are not just talking about securing the endpoints but also ensuring that for each of the security layers, you have the right instrumentation to tackle any incident. You may have purchased several shiny security tools but, quite often, such a proliferation gives organizations a false sense of security. In order to have a solid foundation, you must include security as a core element of your strategy.

Being proactive and alert—all the time 

While data breaches have become the new normal, all is not lost. There are four proactive things you can do to minimize risk: constant monitoring; training and awareness; containment planning; and cybersecurity insurance.

Organizations today have to navigate through a complex sea of regulatory compliances and simultaneously watch out for new threats, including socially engineered attacks and sophisticated ransomware. As such, no single tool or even a combination of tools is sufficient to keep their data safe. So, what is the way out?

One useful analogy here is how we monitor the fever of a patient by using a thermometer. It wouldn’t be off-the-mark to think of your network as ‘a body’ that can be feverish at any moment. So you need to keep your security instruments ever ready to take the temperature, pulse, blood pressure, or whatever is necessary at any moment to keep the sickness—whether visible or simmering somewhere in its entrails—within manageable limits. 

In security parlance, these measures would mean performing frequent penetration tests, having bug bounty schemes, or analyzing network traffic for any unusual patterns or employee behavior.

The good news is that companies do not have to invest in expensive technology to sort this out: most of them already get log analysis of activities on their servers. What they need to do is define what unusual activities mean for them, then learn from that data analysis, and further keep building on that knowledge to fine-tune their detection capabilities.
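To make the "define what unusual means, then tune" loop concrete, here is an added example (not from the article) that does exactly that over authentication logs of the kind most servers already produce. It learns a per-user baseline of source addresses and login hours from a training window, then flags successful logins that fall outside that baseline or that follow a burst of failures. The log format, the user names, the IP addresses and the thresholds are all constructed for illustration; a real deployment would feed it the organization's own logs and adjust the rules as the team learns what "normal" looks like for them.

```python
"""Baseline-and-deviation detection over authentication log lines.

Added example, not code from the article: one concrete way to turn
"what does unusual activity mean for us?" into something that runs
over logs you already collect. Log lines, names, IPs and thresholds
below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like format (not real data).
SAMPLE_LOG = """\
2024-03-04T09:02:11 sshd: Accepted password for alice from 10.0.1.15
2024-03-04T09:10:42 sshd: Accepted password for bob from 10.0.1.22
2024-03-05T08:55:03 sshd: Accepted password for alice from 10.0.1.15
2024-03-05T09:12:30 sshd: Accepted password for bob from 10.0.1.22
2024-03-06T09:01:17 sshd: Accepted password for alice from 10.0.1.15
2024-03-06T09:08:55 sshd: Accepted password for bob from 10.0.1.22
2024-03-07T03:14:09 sshd: Failed password for alice from 203.0.113.7
2024-03-07T03:14:12 sshd: Failed password for alice from 203.0.113.7
2024-03-07T03:14:15 sshd: Failed password for alice from 203.0.113.7
2024-03-07T03:14:20 sshd: Accepted password for alice from 203.0.113.7
2024-03-07T09:05:01 sshd: Accepted password for bob from 10.0.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events, learn_until):
    """Per user: which source IPs and which hours of day are 'normal'.

    Only successful logins before `learn_until` shape the baseline, so
    the training window is explicit rather than implied.
    """
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "Accepted" or ev["ts"] >= learn_until:
            continue
        b = baseline[ev["user"]]
        b["ips"].add(ev["ip"])
        b["hours"].add(ev["ts"].hour)
    return baseline


def detect(events, baseline, max_failures=3):
    """Flag successful logins that deviate from the baseline.

    Constructed rules (tune them for your environment):
      - success from a source IP never seen for that user
      - success at an hour of day never seen for that user
      - success preceded by `max_failures` or more failures from the
        same IP for the same user (guessing that eventually worked)
    """
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> failures since last success
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        b = baseline.get(ev["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if ev["ip"] not in b["ips"]:
                reasons.append("new source ip")
            if ev["ts"].hour not in b["hours"]:
                reasons.append("unusual hour")
        if failures[key] >= max_failures:
            reasons.append(f"{failures[key]} failures before success")
        failures[key] = 0
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["ip"], reasons))
    return alerts


def run(log_text=SAMPLE_LOG, learn_until=datetime(2024, 3, 7)):
    """Learn from everything before `learn_until`, then scan all events."""
    events = parse(log_text)
    return detect(events, build_baseline(events, learn_until))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample, the only alert is alice's 03:14 login from 203.0.113.7, which trips all three rules at once; bob's usual 09:05 login from his usual address stays quiet. The point of structuring it this way is that the baseline and the rules are separate: as the team learns which alerts were noise, it can widen the baseline window or adjust `max_failures` without rewriting the parser, which is the "keep building on that knowledge" part of the text.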

Secondly, given that the security of any network is only as strong as its weakest link, the importance of employee awareness and training cannot be overemphasized: employees are often known to get tricked into clicking phishing links or otherwise compromise the security fortress you have so painstakingly built.

But one caveat I would like to add to any elaborate security training program is this: don’t make it too long and boring! What proves effective is what gets actually adhered to, not what is ignored. For instance, have short and quick ‘trainable moments’ within the company rather than force the employees to sit through tedious webinars or hours-long sessions. Gamify the learning process if you will.

Likewise, mock drills for incident response preparedness are useful but do keep an element of surprise and urgency in them—so that they are done in the right earnestness and not taken as ‘business as usual’.

Next, it is equally important to have a containment plan designed to keep critical business services active even as the incident response team in your company is busy cleaning up the contaminated areas and assets. 

And last but not least, it is good business practice, besides being an important aid to managing reputational risk, to obtain some form of cybersecurity insurance to cover the cost of addressing your breach.

There is another age-old saying that rings true in security: “An ounce of prevention is better than a pound of cure.”