Once the pandemic hit, companies of all sizes had to quickly adapt and implement remote work environments. Even though such changes brought even bigger cybersecurity risks, work-from-home policies will likely remain intact and companies will need to adapt once again.
The main challenge is to find ways to protect employees and private business information outside the office environment. A good start is safeguarding home devices with professional security tools that offer real-time protection against malware and ransomware.
However, best cybersecurity practices don't stop here. So we’ve asked Michael Pleasant, the CEO of Open Security, to explain what are other effective security measures that can help protect companies and their employees.
How did Open Security originate? What has your journey been like throughout the years?
Open Security originated from a desire to combat some cybersecurity vendors' tendency to present what they do as magic or a secret that only they possess and go to lengths to protect. We know that cybersecurity is vitally important for everyone today, so sharing our practices, tools, and methodologies is a vital tenant of Open Security, hence the name.
Can you introduce us to what you do? What are the main issues you help solve?
Everything we do and all of our products and services, exist to answer two fundamental questions for our clients: are we secure, and to what degree? Whether we're assessing client networks, applications, policies, or offering solutions to strengthen existing security programs, we aim to give our clients the confidence to know the state of their security posture and what decisions they can make to affect it.
What vulnerabilities do you find the most concerning at the moment?
The user will always be the biggest vulnerability to a given system, no matter the technology. This is true whether you're a seasoned cyber professional or a newly hired junior intern.
The challenge is building resilience in the technology that these users interface with. This includes pieces of hardware and software but also training and procedural safety nets.
A well-rounded cybersecurity program should approach its objectives using a variety of methods and tools. This takes time, energy, investment, buy-in from leadership, support from middle management, and adherence by all. It is an effort that is never truly finished and takes constant refinement, review, and balance.
This is what makes it that much more challenging for smaller organizations with fewer resources, but it is possible with dedicated effort and the proper support behind it.
How did the pandemic test cybersecurity worldwide? Were there any major gaps or flaws that came to light?
Suddenly, businesses were forced to acknowledge that working remotely was not only possible but often preferred. This new paradigm means businesses will have to make their rapid pandemic infrastructure changes permanent and think about the long-term implications for their data security.
This includes data in transit and at rest across their entire enterprise, testing all of the controls they have in place and how those controls can fail. It's important to remember that no matter what protections we put in place, there will be some level of failure.
We should expect and plan around this by creating what's known as defense-in-depth, or layered defenses, so that when control fails, there are other protections there to slow a malicious actor down.
Why do you think some companies are unaware of the malware or viruses hiding in their own network?
The truth is, no matter how vigilant a security operations team might be, some level of complacency through familiarity sets in. You become too comfortable with the same environment or applications you're used to scanning and assessing and become too close to the source to see potential problems arise.
The good news is that there are ways to combat this. On the tech side, having security controls that identify breaks in the baseline trends or patterns can help raise the alarm.
On the employee side, having policies and procedures that require rotation of focus areas for engineers. This includes rotating security vendors and why we recommend bringing in occasional third-party assessors for precisely this reason.
In your opinion, what IT and cybersecurity details are often overlooked by new companies?
New companies are especially vulnerable to security oversights due to the nature of their youth. Young companies are understandably focused on growth and speed, which doesn't leave much time to think about architecting security infrastructure and matching procedures.
This is where startups and similar organizations can benefit from services like having a fractional or virtual CISO. You get all the benefits of having an embedded CISO on the team at a fraction of the cost. It can be their responsibility to think about these kinds of considerations and collaborate with the rest of the organization to achieve the growth they want with security having a voice and a seat at the table.
What kind of attacks do you think we are going to see more of in the next few years? What should average internet users do to protect themselves?
Unfortunately, we're going to see more ransomware. It's going to get worse, and it's going to affect more businesses, especially those on the smaller end of the spectrum.
The fact is that ransomware is continuing to become easier, cheaper, and faster to deploy at scale. Bad actors can fire away at targets of opportunity at such a rapid pace, and they only need a few to be successful for them to cash in on a payday.
When a client comes to us after having fallen victim to ransomware, our first order of business is to get them back up and running as quickly as possible to avoid as much interruption as possible. This process can be significantly sped up if the client has recent backups of business data unaffected by the ransomware they were hit by.
There are several ways to accomplish this, but the easiest and most cost-effective is having some type of cloud backup storage, separate from their regular operating environment, which they can rely on should the worst happen.
Talking about organizational cybersecurity, what kinds of checkups and tests should be done regularly?
We get this question a lot from business owners concerned about what they can do with limited resources and budget. Here's what we often suggest as a starting point to examine your current security posture:
- Password and MFA Policies. Having simple yet lengthy passwords – or better yet, passphrases – is often better for users and more secure. Also, if multi or two-factor authentication is an option, it should be enabled everywhere without exception.
- Data Backups. Do you have a reliable, external data backup system ready to restore your business in working order should you lose everything?
- Activity Logging. Having activity logs of your environment can help forensic breach analysis figure out how the breach occurred and what can be done to avoid it again in the future.
- Periodic Security Control Testing. Any security controls you have in place should be tested. It's the same idea as trying to open a door after you've locked it just to be sure.
- Access Controls. Have you reviewed who has access to what parts of your business or data? If not, this is a good hygiene step to take.
- Cybersecurity Support. Do you have someone you can turn to whether you have a simple question about your security or an emergency that needs immediate attention? If not, having that support hotline ready to go can make all the difference.
And finally, what's next for Open Security?
We view the small and mid-sized business market as wholly underserved by our industry even though they pose a frequent and easy target for malicious actors. This problem stems from several issues: scalability, implementation, pricing, and technical complexity make addressing this concern difficult. Nevertheless, we're determined to do something about it. As a result, we are currently developing new tools and products aimed specifically at these customers to aid them in becoming secure and protecting their futures.