InfoSec Insider

Time to Build Accountability Back into Cybersecurity

Chris Hass, director of information security and research at Automox, discusses how to assign security responsibility, punishment for poor cyber-hygiene and IDing ‘security champions’ to help small businesses.

In the age of remote work — where hybrid teams work out of offices, houses and coffee shops using a multitude of devices — presents challenges in terms of understanding who’s responsible for ensuring proper cyber-hygiene across the perimeter-less footprint. Suffice it to say that cybersecurity has become a massive headache for many organizations. It’s also a costly one, with the average breach carrying a price tag north of $4.2 million, according to IBM’s Cost of a Data Breach 2021 report.

In addition to monetary considerations, companies that experience a breach also risk damaging their reputations and making headlines for the wrong reasons. The good news is that by taking a proactive approach to cybersecurity, understanding security roles and accountability, investing in the right tools, and following best practices — you can strengthen your organization’s security stance and protect your systems, data, and brand along the way.

Who’s Responsible for Cybersecurity?

Historically, leadership has largely been accountable for cybersecurity and has almost always viewed security as a cost center. In the age of escalating cyberattacks, that’s all changing.

Today, security is everyone’s responsibility. If you’re aiming to protect yourself against threats, you will have a hard time accomplishing your goals unless every employee understands that security is a shared responsibility.

At the same time, it’s important for security practitioners to understand the business needs at stake and prioritize readiness and remediation — and be able to effectively convey the risks associated with an attack. When you claim everything is a high priority, nothing is.

Repercussions for Bad Cyber-Hygiene?

Companies today are already incentivized to practice good cybersecurity. By prioritizing cybersecurity, they’re able to reduce the likelihood that systems will be penetrated, thereby protecting against the associated outcome of breaches — such as legal fines, customer churn and a lower share price.

However, with breaches increasing and their impact getting worse, it’s worth considering whether we as a society can do more to encourage organizations to take cyber-hygiene seriously.

Earlier this year, the Biden administration issued an executive order on improving the country’s cybersecurity policy at the federal level. Although little guidance has been issued concerning businesses, it seems as though the writing’s on the wall, and organizations will ultimately need to be more accountable when it comes to protecting their systems and networks.

While there should be repercussions for bad security practices, it’s not so easy to figure out what those punishments might be. For example, companies that violate Europe’s General Data Protection Rule (GDPR) can be fined up to €20 million or 4 percent of annual global turnover, whichever is higher. Unfortunately, small companies would feel the impact of those fines much more severely than behemoths like Google and Facebook, which might not even notice the dent in their proverbial wallet.

In addition, fining companies for bad security practices could really hurt startups. After all, most startups can hardly afford to pay themselves, let alone hire a fully functioning security team. Making matters more complicated, some of the threats organizations face — like persistent attacks from nation-state actors — can be nearly impossible to defend against. Is it really reasonable to ask a small team to play defense against these types of threats?

Any way you look at it, this is a complex issue with no easy answers.

How to Build Accountability into Your Security Infrastructure

While compliance legislation and regulation can certainly help raise the bar for cybersecurity hygiene, neither will keep the advanced attackers out forever. Companies need to take a proactive approach to cybersecurity by building accountability into their security infrastructure and deploying the right tools and frameworks.

To do this, start by setting a solid baseline and beginning with the basics. Things like patching, credential management, zero trust and least-privilege access can go a long way toward protecting your organization. When you get the basics right, IT has more time to focus on critical functions because there are fewer help-desk tickets to solve and the network becomes more predictable, which often leads to a less stressful job.

In addition to using the right tools and automating repetitive IT tasks where possible, organizations should also embrace frameworks such as those from the National Institute of Standards and Technology  (NIST), which provide excellent roadmaps and guidelines for structuring your security program. Similarly, they should examine Center for Internet Security (CIS) best practices as a good starting point to hit the ground running.

For the best results, companies need to identify security champions within the organization — particularly if there’s not a dedicated security team just yet. When it comes to building accountability, security champions can be a force multiplier since they typically understand their role and the processes of their team better than anyone else. They are able to identify weak spots quickly and drive the implementation of the necessary controls and processes needed to remediate the situation.

Improve Your Cybersecurity Hygiene Before It’s Too Late

While the number of breaches might have fallen in 2020, a whopping 37 billion records were stolen by hackers, an uptick of 141 percent compared to the previous year. If your organization has managed to avoid being on the receiving end of a breach, you are one of the lucky ones. But if you continue testing your luck, it’s only a matter of time before bad actors get a hold of your sensitive data — and you’re forced to endure the fallout.

The sooner you begin optimizing your organization’s approach to cybersecurity, the faster you’ll get the peace of mind that comes with knowing your networks are protected. Instead of scrambling to respond to a breach when it’s already too late or worrying about security, you’ll be able to spend considerably more time focusing on your mission and more strategic, high-impact initiatives.

Chris Hass is director of information security and research at Automox.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.

Suggested articles