We all know that change in IT is constant – it's something I've witnessed in the two decades plus that I've been working in the cyber industry. But since March 2020 and the subsequent lockdowns, the pace of change we've experienced has intensified.
Security, particularly, has caused some considerable hardships in the wake of COVID-19, with the number of cyber incidents and vulnerabilities rising.
There are two key reasons for this. Firstly, new applications and cloud services were implemented under extreme time pressure in spring 2020, which left more gaps than would have been the case had the normal security checks been followed.
Secondly, and perhaps more importantly, social engineering has really raised its head. This sort of malicious activity includes things like phishing scams and pretexting, and, if successful, results in users unwittingly giving cyber criminals access to their employer's information, data, network, and other restricted details. Next thing you know, you've suffered an incident.
Why’s social engineering come to the forefront?
Socially, we’ve become more fragmented. People are working from remote, independent workspaces. This can make it easier for someone to be manipulated into doing something they wouldn’t normally have done in a traditional workplace environment.
Say this is the first experience of working away from the office for most of your employees. Their reliance on email and collaboration tools is higher than ever. They’re having to navigate more emails and communications, while facing wider uncertainty. All of these factors can lead to us being that bit more vulnerable.
But what about costs?
I’m stating the obvious here by saying that more and more verticals are under greater financial pressure now than before lockdown, both in the UK and globally. It means that incidents, and the need to protect against them, have gone up, while IT budgets have gone down.
It creates a tricky conundrum. But tricky doesn’t have to equal doom and gloom. There are many ways to bolster security without having to search for additional funds and increase spend levels – and without impacting profitability.
In our new state of normal, now’s the time for careful planning. I’m going to dive into four areas that can help you mitigate risk and maximise budgets.
The four steps to security value
1. Get more from what you’ve got
Think about all the investments you’ve already made across your hardware and software.
Say, for example, you’ve purchased a piece of software to address a specific, individual security event. More often than not, its capabilities will stretch further than that one concern. Or maybe you’ve invested in a security licence but not yet activated its full functionality.
It’s a case of seeing what’s in place, and where you can get it working harder.
Partners that work with a wide range of vendors are a good place to turn. They’re best positioned to give impartial advice on what your existing technology is capable of.
2. Take an agnostic view
Assessment services are a useful tool. You can choose assessment services that provide:
- A commercial view of where you’re not using the entire functionality of your licences
- An observation of where linking technologies can enable a greater level of protection than if the technologies were working separately
- Recommendations for planning further ahead in a more methodical manner. This includes helping you to identify, based on industry accepted frameworks, where a greater chance of incidents exists and prioritise future spend
And over the next couple of years, it’ll be easier to make stronger, more intelligent use of finite spend.
3. Consolidate, consolidate
Consolidate. I’m referring to vendors here.
Spend some time thinking about where you have a range of different manufacturers or providers helping you with your security. You might find there’s some duplication.
Consolidating will lower your spend, be easier to manage, and will help you to make informed decisions and rule changes with simpler access to your data and insights. And it won’t have a negative impact on your protection levels.
It’s a huge benefit for your IT team. Working with fewer platforms, consoles and vendors simplifies management, freeing up more time to focus on other priority areas for your business.
4. Short can be sweet
For some relationships, shorter is better. You’ll want to be sure you’re not investing in technology or services that require a long-term fixed commitment. As we know, change is a given. It’s important to apply that idea internally, too.
My suggestions here are to work with vendors on single-year rather than multi-year contracts and to utilise cloud services that let you scale up or down at short notice. It means you’ll have what you need, and not be paying for what you don’t. It’s all about flexibility.
Using professional services and sharing ideas with a partner are areas that I’ve noticed are underutilised. Don’t miss out on the rich benefits that come with them.
They can help you to make changes to processes, adapt end user education and adjust internal policies – all of which can have a greater impact than purchasing new technology. Plus, you may discover new opportunities for automating technologies that help you cut out manual processes.
We’re moving at a fast speed. It can be easy to default to buying something new and shiny, and underestimate the impact of changing policies, approaches and attitudes to security.
Making the gains
You’ve no doubt already made plenty of decisions when it comes to your tech and security – so, as mentioned, it’s essential you understand what you already have and make the most of it.
Take stock of what’s already in place, and work with trusted partners to help you define risk and prioritise important commercial decisions for the longer term. Maximise your current investments, while reducing your vendor footprint.
The net gain should be, if not a reduced cyber spend, a more manageable and predictable IT spend. It’s the result of your planning ahead, setting the right expectations internally, and linking together technologies to increase visibility and awareness of a possible incident.
My final thoughts?
It’s time to accept that an incident is a probability and we need to think more about how we respond, not just how we can avoid one.
As with most things in life, just like checking the weather before a walk, planning ahead allows us to respond more proactively to what’s around us.