When it Comes to IT Security Controls, It’s the Little Things That Matter

Author: Brandon Burns, CISA, IT Audit Director
Date Published: 12 April 2024
Read Time: 2 minutes

With the widespread adoption of cloud computing, businesses have grown more agile and able to deliver new products and services. Ballooning investment in the Internet of Things (IoT) and Artificial Intelligence (AI) is also transforming the customer experience in ways that will increasingly drive the bottom line. However, access to new markets and improved customer engagement has been accompanied by a heightened information security threat landscape.

The exploits of sophisticated nation-states and profit-motivated cybercriminals are ubiquitous. Commercialization of Cybercrime as a Service (CaaS) and the democratization of AI are also reducing barriers that previously deterred would-be bad actors. Yet the little things don’t change. The patterns that drive information security risks remain: controls degrade when not maintained, and threat actors capitalize on complacency and human error. Good information security hygiene, rooted in a culture of risk-awareness, remains foundational to keeping your organization and its stakeholders safe.

Rapid technological innovation is creating new business opportunities. Companies best positioned to capitalize on change will be those that mitigate information security risk by consistently getting the little things right. As a mature company that utilizes technology well, you probably have controls in place, but how are you thinking about them? Are controls a check-the-box exercise? Is your system of internal controls designed optimally? And, most of all, are you placing an emphasis on the little things that make the biggest difference?

All organizations can benefit from getting the following baseline requirements right:

  • One size does not fit all – Tailor risk management, including internal controls, based on your business (e.g., technology, operations, data sensitivity and jurisdictions).
  • Security awareness – Train employees to recognize, avoid and report potential social engineering threats. Incentivize behaviors that promote safety and seek to minimize repeat actions that introduce risk.
  • Protect what matters – Use phishing-resistant multifactor authentication. Encrypt data (e.g., business secrets, regulated information) at rest and in transit, and secure keys.
  • Access management – Control user access with groups based on the principle of least privilege. Recertify access periodically, based on the importance of the system and underlying data.
  • Baselines – Use baselines to harden your infrastructure. Monitor and remediate configuration drift and anomalous activity.
  • Patch management – Validate and apply patches and software updates in a timely manner.
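The “Baselines” item above says to harden infrastructure against a baseline and then monitor and remediate configuration drift. The following Python script is an added example, not code from the article or from ISACA: it parses a constructed snapshot of a host’s effective settings, compares each setting against a constructed hardening baseline (the setting names, expected values and severities are illustrative assumptions, not drawn from any real standard), and returns the deviations ordered by severity so they can feed a remediation queue. A missing setting is treated as drift, since an absent control is as much a deviation as a wrong value.

```python
"""Configuration drift check against a hardening baseline.

Added example (not from the article). The baseline and the host
snapshot below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed hardening baseline: setting -> (expected value, severity).
# Real baselines (e.g. a CIS-style benchmark) would be far longer.
BASELINE: dict[str, tuple[str, str]] = {
    "ssh.PasswordAuthentication": ("no", "high"),
    "ssh.PermitRootLogin": ("no", "high"),
    "firewall.default_inbound": ("deny", "high"),
    "audit.logging": ("enabled", "medium"),
    "ntp.enabled": ("yes", "low"),
}

# Constructed snapshot of one host's effective settings, in a simple
# "key = value" format. Note that audit.logging is absent entirely.
SAMPLE_HOST_CONFIG = """
# host snapshot (constructed sample)
ssh.PasswordAuthentication = no
ssh.PermitRootLogin = yes
firewall.default_inbound = deny
ntp.enabled = yes
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Drift:
    """One deviation from the baseline. observed is None when the
    setting is missing on the host."""
    setting: str
    expected: str
    observed: Optional[str]
    severity: str


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def detect_drift(observed: dict[str, str],
                 baseline: dict[str, tuple[str, str]] = BASELINE) -> list[Drift]:
    """Return every baseline setting that is missing or differs on the host,
    highest severity first, then by setting name for a stable order."""
    findings: list[Drift] = []
    for setting, (expected, severity) in baseline.items():
        actual = observed.get(setting)
        # Compare case-insensitively so "No" and "no" are not flagged.
        if actual is None or actual.lower() != expected.lower():
            findings.append(Drift(setting, expected, actual, severity))
    findings.sort(key=lambda d: (SEVERITY_ORDER[d.severity], d.setting))
    return findings


def worst_severity(findings: list[Drift]) -> Optional[str]:
    """Overall rating for the host: the most severe open finding, or None."""
    return findings[0].severity if findings else None


def report(findings: list[Drift]) -> str:
    """Human-readable remediation list, one line per finding."""
    if not findings:
        return "no drift from baseline"
    lines = []
    for d in findings:
        seen = "MISSING" if d.observed is None else repr(d.observed)
        lines.append(f"[{d.severity.upper():6}] {d.setting}: "
                     f"expected {d.expected!r}, observed {seen}")
    return "\n".join(lines)


if __name__ == "__main__":
    drift = detect_drift(parse_config(SAMPLE_HOST_CONFIG))
    print(report(drift))
```

Running the script on the constructed snapshot reports two findings: the root-login setting at high severity, then the missing audit logging at medium. In practice the snapshot would come from the configuration management or endpoint tooling already in place, and the check would run on a schedule so that drift is caught before it becomes the complacency the article warns about.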

Spending on information security continues to grow, but leading-edge tools and services cannot defend against a weak foundation. Risk leaders can strengthen cyber preparedness by ensuring that management and those charged with governance understand that deficiencies in these areas meaningfully degrade cyber-defense posture.
