Cybersecurity is not a destination, it’s an ongoing journey. Organizations were reminded of the relevance of this industry aphorism recently in new guidance from UK’s National Cyber Security Centre (NCSC). The security agency is concerned that an extended period of elevated cyberthreat posed by war in Eastern Europe may take its toll on systems, processes, and security teams.
Its document offers plenty of advice for IT security leaders in organizations of all sizes. Most importantly, it emphasizes the importance not just of best practice security controls and cyber-hygiene processes, but of attending more carefully to the human element of cybersecurity. With a “whole of organization” approach founded on effective user awareness training, organizations can not only support their security teams but also build a formidable first line of defense against threats.
Taking its toll
As the conflict in Ukraine enters its fifth month, the NCSC is right to be concerned. A protracted period of heightened tension could take its toll on staff and require a recalibration of risk decisions made months ago, when it seemed like the war would last just a matter of weeks. The agency differentiates between two distinct phases of geopolitical tension:
- An acute phase — when organizations must strengthen defenses and address vulnerabilities
- A protracted phase — when that stronger posture must be maintained to manage residual risk
Among those classic best practices recommended by the NCSC to get defenses up to par are:
- Vulnerability management and patching
- Enhanced access controls
- Up-to-date anti-malware and correctly configured firewalls
- Logging and monitoring
- Regular backups
- Incident response tooling and planning
- Vulnerability scans
- Anti-phishing tools
- Reviews of third-party access
Looking after your people
However, best practices aside, the NCSC is particularly concerned about the impact of a protracted phase of tension on security staff wellbeing. Increased workload and pressure over time could lead to lower productivity, unsafe behaviors, and an increased risk of human error, it said. All of this is especially true given severe skills shortages in the industry, which have left a shortfall of over 2.7 million workers globally, including 402,000 in North America and 199,000 in Europe.
The NCSC recommends several steps to tackle this, including:
- Empowering more security staff to make decisions, in order to enhance agility and free leaders to focus on medium-term priorities
- Spreading workloads more evenly across a wider pool of staff to reduce the risk of burnout and enable less experienced employees to benefit from development opportunities
- Providing opportunities for staff to recharge through more frequent breaks and time away from the office, as well as work on less high-pressure tasks
- Looking after each other by watching for signs colleagues are struggling and ensuring they always have the right resources at hand
A “whole of organization” approach
However, arguably the most important tip is the final one: engaging the entire workforce to strengthen the organization’s defenses. This echoes best practice “security-by-design” approaches — requiring companies to build a corporate culture where each and every staff member understands the importance of cybersecurity to the company’s mission and what they can do personally to reduce risk.
The first step on this road is undoubtedly improved user awareness training. Organizations can find a huge range of tools on the market to help with this. The best ones will allow them to run phishing and BEC simulation exercises that mimic real-world threat campaigns, collect and analyze data on how each staff member performed, and then adapt the program going forward. The best chance of effecting genuine behavioral change is to run courses little and often, say 10-15 minutes in length. And it goes without saying that everyone must attend — from the CEO down to part-timers and contractors.
As the hybrid workplace becomes a reality and more people work from home more regularly, such training has never been more important — especially as many say they feel more distracted when working away from the office.
To this advice, the NCSC makes an important additional point: Organizations must also have the right internal communications processes in place to join-up everyone involved in the security mission.
The new normal
In many ways, this conflict and the extended period of heightened cyberthreat it represents is the new reality of cybersecurity in the 2020s. In the same week as the NCSC’s announcement, the leaders of MI5 and the FBI gave an unprecedented joint press conference to warn of the “massive” threat to businesses, academics, and Western political systems from China. In many ways, this is a threat without end.
Understanding the acute and protracted phases of what could be a cyclical raising and downgrading of tensions is going to be an increasingly important discipline for corporate cybersecurity bosses. Better start planning now.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.