Cybersecurity is big business, with the value of the industry in the UK alone predicted to exceed £8.25 billion this year. This is only set to grow, as the latest research from Fastly finds three quarters (76%) of businesses in the UK and Ireland are planning to increase their cybersecurity spend. But with four in ten protective tools overlapping in functionality (39%) or not properly implemented by the businesses that buy them (37%) - it seems cybersecurity strategies are spiralling out of control, as businesses splash their cash on the latest tools that they just don’t need or use.
So, how can businesses keep safe from cybersecurity threats without wasting valuable time or money in the process? Jay Coley, Lead Security & Compute, at Fastly, shares five fundamental steps all businesses should take to form the cornerstone of an effective (and affordable) cybersecurity strategy.
Do the simple things (and do them well)
Despite what many security vendors will tell you, the solution to increasingly complex cybersecurity threats is not increasingly tailored - and hard to use - tools. A “buy everything” approach leads to wasted investment and relatively meagre rewards. Instead, there are several simple steps that form the foundations of a strong cybersecurity strategy. These are inexpensive solutions that - although lacking in ‘wow’ factor - can go a long way to protecting your business from the vast majority of cyber threats.
Non-SMS based two-factor authentication can help to verify the identity of anyone trying to access sensitive material. The recent Optus hack in Australia demonstrated exactly why two-factor must not be SMS-based as phone numbers are far too easily compromised, introducing an additional risk element. Rigid authorization rules within an organization also provide an extra layer of protection for sensitive information that could otherwise put a business at risk.
Jay Coley is Senior Security Architect for EMEA at Fastly.
Implement a Zero-Trust mentality from the off
At the simplest level, a Zero-Trust mentality is the use of user authentication and authorization to grant access to resources. This works independently of an employee’s physical location or any network level information to create a secure environment.
By adopting this model - with end-to-end encryption on all communications & two-factor authentication for accessing sensitive data - organisations are able to defend against the majority of the most common threats, particularly potential data breaches. Many of the most serious data breaches are the result of issues with two-factor authentication, so ensuring these basic measures are properly implemented significantly reduces your organisation’s risk of being affected by the most common cybersecurity threats.
Level up security training for your whole organization
Traditionally, individual employees have been seen as potential security risks, and the possibility of so-called “negligence”. Organizations must stop taking this approach and recognize that a best-practice cybersecurity strategy needs full buy-in across the business to succeed.
By providing employees with additional and continuous training on cybersecurity best practices, and helping them to secure their own online activity, organisations can reap the significant benefits of full organisational security.
Accept remote work is here to stay
It is a fact that the majority of organizations will never go back to pre-pandemic modes of working - but many are concerned about the risk created by remote workers.
One way to mitigate this is to migrate to a cloud-based infrastructure, designed with location and cloud redundancy. This ensures their apps and APIs are far easier to secure and access from anywhere. Cloud-based architecture is easier to secure than legacy systems, such as physical data centers, and by building in redundancies it prevents bad actors from having one single target to hit.
In a properly designed security architecture, it does not matter where individual workers are. This kind of security posture will always assume these are in an untrusted environment, and require them to validate their identity accordingly.
Trust the experts
As businesses increasingly move to cloud-based, serverless models, outsourcing to experts can take a significant load off of already overstretched in-house security teams. Of course, there has traditionally been a level of reticence around adoption of the cloud due to fears surrounding control and visibility, but this couldn’t be further from the truth.
A huge number of US-based companies have at least some aspect of their operations in the cloud, with many organizations outside the US also making large strides in this direction. Third-party security offerings should be able to run anywhere, be that in a data center, in the cloud or at the edge, and security vendors must adopt this approach to be flexible enough for modern requirements. Outsourcing cybersecurity also helps businesses to overcome the industry-wide challenge of sourcing talent in this space.
Take care of the fundamentals and the rest takes care of itself
Above all, most organizations do not need to worry about the threat posed by state actors. The majority of the biggest global security breaches instead come from basic criminality, and businesses must ensure their cybersecurity strategy encompasses the fundamentals to stay protected from the threats that are most likely to affect them. That is why, when it comes to cybersecurity, it is usually best to keep it simple.
