For decades, the cybersecurity industry has followed a defense-in-depth strategy, which allowed organizations to designate the battlefield against bad actors at their edge firewall.
The shift to the cloud has slowly reduced the dependence on network isolation, as businesses move critical services such as email, helpdesks, and intellectual property from behind their firewall into areas covered by software-as-a-service providers.
Cloud technology has become a key enabler of the remote working shift. When the pandemic hit, many organizations went fully remote overnight but (as many found out the hard way) this made traditional defense mechanisms ineffective – and attackers took notice.
As we slowly but surely emerge from crisis lockdown and everything points to remote working being here to stay, businesses need to reassess how they are approaching cybersecurity and the growing number and type of attacks. A fundamental rethink is needed by organizations to ensure they are set up to continuously adapt and evolve to meet the rapidly changing nature of threats.
The current situation
Recent statistics demonstrate the scale of the cybersecurity issues faced by companies. In 2020, malware attacks increased by 358% and ransomware increased by 435%, and the average cost of recovering from a ransomware attack has doubled in the last 12 months, reaching almost $2 million in 2021.
As businesses adapted to new ways of working, security weaknesses were exposed. Organizations found that even routine security issues were difficult to resolve – as the desktop computers that could previously be accessed manually within an office were no longer there.
Alongside this, bad actors are continuing to evolve their skillset with new techniques and methods proving they will go to any length to advance their capabilities.
In this cyber “new normal”, traditional approaches do not apply. A new, more agile and dynamic mindset is needed across the business world to keep pace with this fast-moving target. As the threat evolves, businesses must adapt accordingly, and that means continuously adapting and updating their cyber teams’ knowledge and skills.
Expertise is not a permanent state that is achieved through one-off training, a qualification or job experience. It should be the aim every day, in need of constant maintenance and rooted in best practice principles.
Organizations must change their approach towards training for IT and security staff.
Traditional security training is no longer fit for purpose. The certification process is so slow that by the time a course is approved, its material is often outdated and no longer trusted. This renders some qualifications obsolete by the time professionals complete the course.
What’s more, some traditional processes are designed to incentivize getting the certificate rather than mastering the skill. So, despite what it may say on LinkedIn, many security leaders lack the pedigree to perform the defensive task.
Consider how bad actors hone their skills. They practice by doing – carrying out attacks. Organizations that want to keep up must mimic their foe. Cybersecurity professionals must become ethical hackers, and all businesses should build always-on internal ethical hacking teams.
They should train on purpose-built materials that mirror real-world environments, replicating the benefits that attackers gain from this approach.
Without hands-on training, many organizations have teams with little experience of dealing with hacking attempts. This has led to a trend of companies hiring “attackers” to simulate events, with staff then focusing on patching the weaknesses found in the IT systems. While useful, this does not empower professionals to discover and tackle the issues for themselves.
There is another way. Professionals can take part in gamified training that engages them in the techniques used by bad actors, helping to prepare them for real scenarios. This kind of training builds the mentality needed to protect enterprise infrastructure from attacks, while presenting the training in an interactive way that engages professionals.
By opting for interactive, hands-on training rather than traditional, theory-based alternatives, companies can bolster their ability to tackle security threats in a proactive manner. Security and IT professionals become in-house pen-testers for the business, constantly assessing and penetrating security environments to prove their ability and strengthen the resolve of an organization’s defense.
This growing trend is helping companies to fight back against cyber attacks. Alongside good security hygiene, empowering staff to tackle security threats in an agile and practical manner will help organizations stay in control of their infrastructure.