Security Hardships
Tags: security, infosec, grc, awareness
In today’s digital age, where data breaches and cyber attacks have become all too common, ensuring robust cybersecurity measures is crucial for the survival and reputation of any company. However, despite the growing awareness and the staggering costs associated with breaches, many organizations continue to struggle in establishing effective cybersecurity frameworks. So, why is it so hard for companies to have good cybersecurity in place?
This blog post highlights some of the complex challenges that businesses face when it comes to safeguarding their digital assets. We will look at the impact of evolving cyber threats, the critical role of human factors and employee awareness, the limitations imposed by resource constraints (financial and human), and the difficulty of balancing security and usability. We will also consider the influence of rapid technological advancements, the necessity of collaboration, the lurking danger of insider threats, and the ever-changing regulatory landscape.
Evolving Threat Landscape
As old as cybersecurity itself: the ever-evolving threat landscape. Some people can't hear about it any more and can't deal with it, and for others it's nothing to worry about. But the fact remains that it is one of the main reasons why organisations need to be concerned. Keeping up with new attack techniques, vulnerabilities and exploits, each of which requires regular updates to security measures and strategies, is a daunting task.
The only remedy? Keep your people and systems up to date! There is a German saying: “Wer nicht mit der Zeit geht, geht mit der Zeit”, which roughly translates to: if you don’t keep up with the times, you’ll (surely) be gone in no time.
Lack of Awareness
Another classic that contributes to the problem: Awareness, awareness, awareness, awareness, awareness, awareness, awareness, … Awareness! Limited cybersecurity awareness among employees and management contributes to poor security practices and makes organisations more vulnerable to breaches. Addressing this issue is not as simple as keeping up with the times. Ongoing training takes time, people get bored easily and bypass security measures if they think their methods are smarter or if their usability is compromised (more on usability later).
The only way to address this is to be creative. Gamification, security events and the appointment of (non-technical) security champions could all be ways of spicing up the boring and mandatory video training, flyers, emails and PowerPoints.
Human Factors
Human factors are always described as the weakest link in the chain, but they can also be your greatest asset if they are aware of what is going on. Nevertheless, human error and negligence, including weak passwords, falling for social engineering and clicking on phishing emails, pose significant challenges to cybersecurity efforts. Organisations must emphasise the importance of good security hygiene and implement measures to mitigate these risks.
Resource Constraints
Allocating sufficient resources, both financial and human, to build and maintain a robust cybersecurity infrastructure is a constant challenge - and the number one complaint of CISOs. Organisations often struggle to balance investment in security with other business priorities. However, if cybersecurity is approached correctly - primarily to support the functioning of the business - this issue should resolve itself.
Balancing Security and Usability
Striking a balance between strong security measures and user-friendly systems can be difficult. Excessive security measures can hinder productivity and frustrate users, while lax measures can compromise security. Think of poor password policies and strict multi-factor authentication. Too much security is always at the expense of availability - hello CIA triad ;)
Getting the balance right is crucial.
Rapid Technological Advancements
The rapid adoption of new technologies, such as cloud computing, IoT devices, and artificial intelligence, introduces additional complexities and potential vulnerabilities that organizations must address.
Most of the time, however, companies are busy bringing their current systems up to date. All the vulnerabilities have to be patched first, and the checklist is often long.
Staying on top of emerging technologies and their associated risks is critical.
Lack of Collaboration
Organisations often face challenges in fostering collaboration with government agencies, industry peers, and cybersecurity experts.
Sharing knowledge, best practices and threat intelligence is critical to staying ahead of cyber threats.
Insider Threats
Protecting sensitive data from internal threats, such as disgruntled employees or unintentional data leaks, requires robust access controls, monitoring systems, and comprehensive employee training programs.
Organisations often focus only on external threats. But disgruntled employees should never be underestimated.
Regulatory Compliance
Organisations must navigate complex and evolving regulatory frameworks, such as GDPR or NIS2, to ensure compliance with specific security requirements. Meeting these obligations adds another layer of complexity to maintaining good cybersecurity practices.
However, GRC is fundamental to cybersecurity, especially in the context of OT.
What do you think about this? Is it old news or an issue that needs more attention? Feel free to email me with your thoughts.