8 February 2022 is designated as Safer Internet Day. First started as an initiative by the European Union’s SafeBorders project in 2004, it was eventually taken on by Insafe, a European network of Awareness Centres promoting safer and better usage of the internet.
The theme for 2022 is “Together for a better internet” with one of the goals being to make the internet a less harmful place for children and young people.
The event itself has a distinct education and family-oriented focus, hence the involvement of educational institutions and non-profits. That said, FutureCIO recognises that many platforms that thrive on the internet are built and managed by commercial enterprises that may target consumers and educational institutions.
Among its predictions for the coming years, Gartner expects that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
“Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities. Increasingly, organizations look to cybersecurity risk during business deals, including mergers and acquisitions and vendor contracts. The result is more requests for data about a partner’s cybersecurity program via questionnaires or security ratings,” explains the analyst.
As such, we thought it would be good to pull in comments from technology practitioners on how to make the internet a safer place for everyone; after all, at the forefront of securing the internet are security firms like Mandiant (formerly FireEye Inc.).
Security and technology firms benefited from the shift to remote work, as enterprises had to bring in third-party organisations to augment their limited resources (expertise) and experience in both enabling work-from-anywhere and securing remote work. Many technology firms, particularly in Asia, not only have the technology but have also practised remote work for years, given the nature of their business.
Security lessons from the pandemic
Drawing from the experience of the industry, Steve Ledzian, CTO for APJ at Mandiant, cautions that while the security risks of staff shifting from working in the office to working from home are often front-of-mind, they shouldn’t be the only point of focus.
“Another (sometimes less addressed) is the challenge related to Internet connectivity - the ever-growing attack surface being spawned out of digital transformation initiatives. As businesses become more agile, departments can often self-service their own IT requests through cloud services,” he continued.
According to Ledzian, IT and Security teams are left in the position of trying to understand what Internet-facing resources are used across all departments in the organization. These resources change dynamically, so this is a continuous rather than a one-time effort for those teams.
Asked why it is important to identify these assets, Ledzian argues that security teams can’t protect assets that they don’t know they have.
“As technology dependence only continues to grow, organizations are turning to Attack Surface Management tools to help identify Internet-facing assets and the issues those assets have which pose a risk,” he explained.
Mitigate against the continuing vulnerabilities in 2022
Ledzian says many CISOs might feel tempted to think that they have already mitigated their vulnerabilities. Over the years, the typical organization has built up multiple security controls and mitigations, 30-50 layers deep, providing defence-in-depth. Many of those security controls apply in both office and work-from-home settings if the employee is working on a corporate laptop.
“At Mandiant, we see a lot of Boards of Directors asking CISOs who have already deployed many layers of security ‘How secure are we?’. CISOs often struggle to answer that question in a quantitative way,” he opines.
According to Ledzian, forward-leaning CISOs are starting to formally quantify the effectiveness of their security controls by validating them against real-world attacks through software automation.
“You can think of security validation almost as a quality assurance function for your defence-in-depth stack,” he posits, adding that security validation gives CISOs the capability to answer the questions “How secure are we?” and “In which direction is our security posture trending over time?”
The weakest point for businesses in Asia
Unsurprisingly, his answer remains humans. “Often, all it takes is for just one employee to click on something they shouldn’t for an intrusion to be successful. User awareness and education are just as important as technical security controls,” Ledzian adds.
He suggests CISOs and organisations ask themselves the following questions as they look to create a safer internet experience:
- Does your organization test and train its staff by sending periodic phishing samples?
- Does your organization encourage staff to report phishing messages, in an effort to help protect staff who might not be as security- or technology-savvy?
- Does your organization’s leadership build a culture where cybersecurity is a priority, and promote that priority with annual training and events?
“Raising the human resilience to cyberattacks and scams often produces a meaningful positive increase in an organisation's overall security posture,” concludes Ledzian.