CyberSecurity Awareness Month: Cybersecurity First Aligned With Explore. Experience. Share.

By Colin Mo

October 19, 2021

Once again, we find ourselves combining the Cybersecurity & Infrastructure Security Agency’s (CISA) Week 3 theme of Explore. Experience. Share. with Week 4’s theme of Cybersecurity First. Ultimately, people and organizations can better prepare for an increasingly virtual world by sharing cybersecurity knowledge and making it top-of-mind.

Want to know why cybersecurity matters for businesses? Here are the key findings from IBM’s Cost of a Data Breach Report for 2021:

Source: IBM’s Cost of a Data Breach Report 2021

As cybercrime is up 600% due to the COVID-19 pandemic, we are reminded that the internet is the modern wild West, and full of cybercriminals. Institutions once prioritized the physical, but those days are gone. The world is shifting towards the digital, and so too will the bulk of crime. This year alone, data breaches have cost organizations an average of $4.24 million following the upwards trend year-over-year.

With that in mind, businesses should adopt this mindset: Cybersecurity is security.

Mindset is critical here, so we’ll explore the following topics and how they intersect with CISA’s weekly themes:

Building a Culture of Cybersecurity Awareness
Planning for Flexibility and Versatility
The Value of Zero Trust Architecture

Building a Culture of Cybersecurity Awareness

Building a cybersecurity culture is much like building any culture: you start at the top. If those at the top of the organization do not understand that a Cybersecurity First culture is a necessity, the reality of the world will force them to when the next breach costs them their job.

We’ve entered an era where executives are being held to account for security negligence. Users are entrusting their privacy, data, money, and potentially access to lifesaving IoT devices to these companies. When company revenue and reputation is at stake, we’re seeing a trend for senior employees responsible for cybersecurity to be fired and in some cases, for boards to replace their C-level executives.

A cybersecurity aware culture is paramount in the modern era of internet-first and remote-work initiatives.

By making Cybersecurity First a guiding philosophy for leaders, the rest of the organization will naturally begin to Explore. Experience. Share. the latest cybersecurity trends, best practices, and related news. You want your organization to have a Cybersecurity First culture because it pays off in dividends when internal users are operating under the following mindset:

A cybersecurity breach will cost the company more than just the ransom and cost of repair

A breach can be caused because just one person wasn’t following best practices

If a breach happens, the organization needs to identify and contain it immediately

_{Source: IBM’s Cost of a Data Breach Report 2021}

We recognize that this is not going to be an easy shift in mindset to adopt, especially considering the traditional associated trade-off with security measures.

Cybersecurity First initiatives are normally associated with a trade-off: increased security comes at the cost of productivity.

When employees are blocked from being productive because of increased security measures, businesses tend to prioritize productivity over security measures. Over time, security measures are lowered and reduced in pursuit of less friction and more productivity, until eventually it’s low enough for the business’s cybersecurity to be more easily compromised.

The good news is that new technology and architectural design patterns are ensuring that cybersecurity measures do not come at the cost of productivity and user frustration. Yes, there is inertia and preconceived notions to wade through, but ultimately the role of initiating a Cybersecurity First culture and mindset shift should still come from the same people: those at the top.

Planning for Flexibility and Versatility

Inseparable from a Cybersecurity First and Explore. Experience. Share. mindset is a flexible and versatile plan to defend against and respond to cybersecurity breaches.

Though fancy zero-day exploits and leaks get covered in the media all the time, the reality is that the vast majority of hacks merely exploit banal vulnerabilities such as an old unpatched system, an employee clicking a link they shouldn’t, or allowing for lateral movement in your network unimpeded, unauthorized, and unauthenticated. Think of the digital equivalent of leaving your front and backdoor unlocked.

The hard reality of cybersecurity risk management is maintaining best practices while responding to the realities of the changing landscape of risks.

Never forget that the bad actors are looking to exploit any lapse in cybersecurity measures. They only need to be creative in one attack vector that you or your organization did not expect — and in many cases they only need to accomplish it once. The moment they are in your infrastructure and systems is the moment you need to detect them and contain the breach.

This is where Explore. Experience. Share. is critical to a flexible and versatile Cybersecurity First culture and mindset. Invariably, as cybersecurity defense mechanisms and best practices improve, so too do the attack vectors of bad actors.

When your cybersecurity defenses are only as good as your least cybersmart internal user or system, it becomes even more imperative for the organization as a whole to be adopting and implementing the latest best practices. The IT security team should be Exploring known Common Vulnerabilities and Exposures (CVEs) within their infrastructure, Experiencing their own cybersecurity defenses with red teams, and of course Sharing their findings with those that need to know.

For organizations that want to get started on their own cybersecurity initiatives with flexibility and versatility, we recommend access provisioning tools that can be easily deployed onto existing infrastructure by the cybersecurity team without impacting the organization’s internal users. Part of versatility and flexibility should be the ability to have the the security team’s modus operandi change without impacting the internal users that don’t care to know about security.

Security in its best form is invisible to the end-user.

The Value of Zero Trust Architecture

An organization adopting Zero Trust values will begin to authorize access based on user identity, device state, and request context — giving them a Cybersecurity First mindset on its own. But taken a step forward, doing so naturally requires the organization to Explore. Experience. Share. cybersecurity best practices.

We’ve written about Zero Trust before, laying out what it really is, why it can be important, and even how it can be implemented. But sometimes value really needs to be shown in hard numbers:

When you adopt a Cybersecurity First mindset that integrates Zero Trust, it also applies internally. Given the following average time to identify, organizations should assume at any given time that their infrastructure is already breached:

Yes that’s terrifying — but this concept should be internalized so you have the correct Cybersecurity First mindset to act according to Zero Trust values. Note that the shortest average time to identify is longer than a fiscal quarter at 154 days. The longest average is 250 days, well over half a year to know a breach has happened, assuming you identify it at all.

Based on those numbers, if your organization is performing at an average level and you have a breach during 2021’s CyberSecurity Awareness Month, you are likely not going to discover this until well past the 2022 new year (though morbidly, it does give your company time to prepare for that average $4.24 million cost). And that’s not even considering whether the bad actors installed backdoors that you aren’t aware of, opening you up to recurring breaches.

For more information on Zero Trust and how you can implement it in your organization, please read our section on Zero Trust in our first CyberSecurity Awareness Month post.

How Pomerium Helps Organizations Stay Secure

Pomerium is an open-source platform for managing secure, identity aware access to applications and services. Organizations can easily deploy Pomerium on top of their existing infrastructure to adopt a cybersecurity first stance over their internal services. IT management teams can easily use Pomerium to provision access and security for all users without sacrificing productivity. Context-aware access is increasingly necessary as the workforce shifts to remote-work and organizations open their internal infrastructure up to the dangers of the internet.

Pomerium provides the following key features for organizations looking to improve their cybersecurity posture. Pomerium ensures that:

Every request is authenticated and authorized.
Authorization is not all or nothing. Each request is re-validated for the appropriate user identity, device state, and context.
Administrators can standardize, manage, and layer in top-level authorization policy to all their applications and services.
All activity within the infrastructure can be audited.
Teams can manage fine-grained control of their resources independently.

Additionally, being an open-source platform has 3 benefits:

Transparency: There is nothing to hide in the code. You or your organization can easily audit the source and understand exactly how Pomerium works to deliver the features above.
Crowd-audited: Many eyes on the code means bugs are less likely to fall through the gaps and more likely to be found and fixed early.
Free-to-use forever: You can immediately try the solution on your infrastructure without needing to pay for it, in addition to lifelong updates. It’s as frictionless as you can get.

Check out our open-source Github Repository and give Pomerium a try today!