Throughout the Scot-Secure 2021 Virtual Summit, we heard about the importance of a well-tailored cybersecurity strategy.
While there are plenty of powerful tools and tech available, nothing should be adopted for its own sake. Everything must have a purpose in a bespoke strategy, and creating that strategy means asking questions.
One of the key questions an organisation needs to ask is what threats it faces. Hackers are not a monolith. They all have different motivations and preferred ways of operating.
Leo Cunningham, CISO at femtech company Flo Health, led a breakout session at the event looking at how to identify threats and how this helps groups tailor their cybersecurity strategy.
Threat actors come in all shapes and sizes. The motivations, methods and resources of nation-state and cybercriminal APTs are very different from hacktivist groups, thrill-seeking loners or even insider attacks.
As such, with different threats pursuing different goals, their targets are likely to be different to one another. We have seen first-hand how medical and healthcare groups have suddenly found themselves targeted by nation-state APTs looking to steal or disrupt coronavirus research.
Meanwhile, financial institutions can be under threat from insiders. While these may not be disgruntled employees, bribery can turn many employees into a potential weakness. Why spend months sitting in an organisation’s systems when £1,000 could net tens or even hundreds of thousands of pounds of data in a matter of days?
Cunningham pointed to the range of delivery methods threat actors use – phishing, whether by email or SMS, fraudulent domains or apps, or accessing systems through exposed public-facing networks.
As the CISO of a startup, Cunningham pointed to the threat a cyber-attack can pose for similar companies at the early stage of their lifecycles. While many of these companies can be small, they can still hold valuable and enticing information for cybercriminals.
The UK’s National Cyber Security Centre (NCSC) recently released guidance to help childcare services, as even an individual childminder can hold sensitive information about children and families. This shows that no matter the size of the operation, the data held could still be valuable to someone, whether client or criminal.
For startups, which are generally still forming relationships with clients, the reputational damage of a breach could prove catastrophic. With limited resources, there can be little these companies can do to recover.
As such, while many companies start off focused on scaling, cybersecurity must be a key consideration at all parts of their journey.
To ensure this, Cunningham made some key recommendations. Defining the basics of security helps make everyone part of the process.
Organisations need to consider how their technologies interact, along with who has access to them and, importantly, why.
In addition, gathering input from across the company helps create an understanding of what security means to it. Staying aware of industry trends and reviewing how security is relevant to each employee and their role also helps promote security.
And finally, Cunningham said to always keep it simple and ensure security is an enabler.
While zero trust has become the new standard for designing infrastructure, it goes beyond architecture – it applies to people as well. Unfortunately for employees, the desire to please, whether customers or superiors, is firmly ingrained in work attitudes. As such, teaching people to be unhelpful, to ask questions and to say no, can be an uphill struggle.
The most important factor when creating a cybersecurity strategy is to discover what works best for the organisation and its needs.
Ultimately, the best defence is to consider an organisation’s defences from outside, all while thinking more like a bad actor.