The total value of ransomware-related payments in just the first six months of 2021 ($590 million) exceeded all of 2020 ($416 million). Yet, even with the increasing impact of cyberattacks, 90 percent of security leaders still believe they’re falling short in addressing cyber risk.
We can do more in 2022 to protect ourselves through a robust cybersecurity posture. And In my opinion, the operative word here is “posture.”
A robust cybersecurity posture certainly isn’t a clunky, mishmash of poorly integrated, multi-vendor security products. Instead, it’s an always-on state wherein all your assets — every application, all data, and every device, across any network — are always protected in a manner that is agile and scalable for your IT team and frictionless for the end user. And at the center of it all is a new mindset — to remain vigilant and protected — that needs to be endorsed and applied by every employee in the organization.
While there is much work to be done for all organizations to adopt this posture, this is, by no means, a pipedream. In my conversations with InfoSec teams globally, many organizations have developed their cybersecurity roadmaps based on modern approaches and architectures. Let’s look at a short checklist of items I’d recommend. Do you have them on your 2022 agenda?
Checklist Item #1: Build cybersecurity into your organizational DNA
InfoSec teams, led by CIOs and CISOs, play a key role in educating organizational leadership that cybersecurity isn’t just a checkbox for compliance. Instead, it’s an opportunity to differentiate the business and build customer trust by protecting customer privacy. In today’s world, where breaches make the news, this matters.
To build this habit of security across the organization, employees outside the InfoSec team must also prioritize it. For instance, DevOps teams must build app and API security into their plans, versus leaving that as an afterthought. System admins should never use passwords like “Hello123”, “training,” or “Password1” (these were literally listed in the Conti ransomware playbook for brute force access). And everyone must limit recreational browsing to websites of repute, staying away from sites with questionable content. (Shlayer, one of the most prolific malware varieties in 2020, often spread through sites with pirated content.)
InfoSec teams can help build such cyber-hygiene habits with periodic employee education, phishing tests, app penetration tests, and web filtering with custom warning pages (to restrict access to potentially malicious websites, domain extensions and file extensions). Of course, cyber hygiene only supplements robust cybersecurity architectures. With increasing sophistication of attacks, the need for the latter has increased.
Checklist Item #2: Protect every employee, everywhere, all the time
“WFH culture” is here to stay. Enabling employees to work from anywhere requires ensuring they’re always protected. Unfortunately, traditional approaches of VPN-ing traffic through datacenter-based security stacks adds app latency. To remain productive, employees disconnect from VPNs when accessing internet and SaaS. The net result? They’re left unprotected.
Protecting remote workers requires security that’s frictionless — security that doesn’t even seem like it’s there so employees can work without interruption. This can be done by replacing traditional “VPN through the datacenter” architectures with a two-pronged approach:
- Protect access to internet and SaaS with cloud-delivered security: Steer all internet and SaaS traffic to a globally distributed, comprehensive, cloud-delivered security service that blocks threats, without any noticeable added latency. Such a service must include everything you have in your datacenter, and ideally more, but within a high-performance and scalable architecture. This is an increasingly popular approach, with 76 percent enterprises looking to move their security to the cloud, according to PwC’s Global Digital Trust Insights Survey 2021.
- Protect access to internally managed apps with zero trust access: Access to internally managed applications in PaaS or on-premises datacenters should be protected with identity-aware zero trust network access (ZTNA). Zero trust network access is built on the principle of verifying identity before granting access, and only granting access to specific, allowed apps (versus VPNs that grant access to the full network). As a result, it’s harder for a threat actor to enter your network; even if one does, their lateral movement is restricted.
Depending on your current needs, you might decide on bolstering the above approach with multi-layered protection that includes both endpoint and access security solutions, perhaps supplemented by an AI-driven analytics platform. It makes sense to brainstorm on what approach is most applicable for you. But however you design your architecture, its administration does not need to be complex; stronger security does not imply more complexity. In fact, it’s important to simplify administration for stronger security. More on that next.
Checklist Item #3: Simplify for stronger security
Every InfoSec team needs to execute threat hunts, red-blue team exercises, emergency procedure definition, internal audits, employee education, exploration of new technologies, and more (as if that wasn’t enough!). If your InfoSec team is sufficiently large to support all these functions, in addition to administration of multiple vendor solutions, then you might have the opportunity to pick vendors of choice and manually integrate them. This does come with the overhead of multiple consoles (i.e. blind spots), different update cycles, different licensing tiers, and more.
Given that 57 percent of organizations have been affected by a shortage in cybersecurity talent, with 38 percent stating that the skills shortage has led to employee burnout and employee attrition, we have seen a trend in the industry for vendor consolidation to simplify cybersecurity, without compromising effectiveness. Here are a few ideas:
- Converge vendors: Vendor convergence across different cybersecurity and non-cybersecurity technologies (app security, access security, analytics, networking, DaaS, etc.) has several obvious logistical and operational benefits such as faster procurement, training, troubleshooting, scale, and more. But this convergence is also relevant strategically. Product teams within vendors that offer multiple technologies are actively working to unify their supplementary technologies to create a “1 + 1 = 3” effect. Granted, many vendors talk about it and are unsuccessful, but some do succeed. It’s important to look for vendors that already have the IP and the resources to pull off the unification that you need (if they haven’t already).
- Ask about interoperability: Even with vendor convergence, you will likely need to leverage multiple vendors. It’s important to ensure that each vendor natively works well with the others. So, you need to ensure that your new security approach does not exclude any endpoint operating systems, apps (depending on where they’re hosted), or locations from threat protection. And this is based on your current and future requirements. For instance, today, you might only be using Windows and MacOS endpoint devices, but you might be asked to support Chrome OS in future, perhaps driven by an M&A. The security solutions you choose today must support tomorrow’s needs.
- Reduce and simplify hardware: Have you considered TCO reduction that can be achieved by eliminating security hardware? This includes the lesser truck rolls, easier implementation and administration, and reduced errors and troubleshooting. Taking it further, what if you replace traditional endpoint devices, typically Windows and MacOS devices, with easier-to-manage Chrome OS devices that use DaaS for any-app access (including any Windows and Linux apps)? There’s TCO reduction in there as well! While a cloud-first IT approach can have its hidden costs, it also has hidden TCO reductions. It just takes a little curiosity to find them.
While no one can predict what will happen in 2022, it’s clear that we must be ready for change — to evolve with new business requirements, new employee expectations, new cyber threats, new technologies, and everything in between. And that’s OK. After all, nobody ever got anywhere standing still. Happy holidays and have a prosperous 2022!
Did you know that Citrix has a comprehensive solution set for securing your business, from access to internet, SaaS, and internally managed apps, to the apps themselves? And if you’re still unsure about what you need, reach out to us for a conversation with our experts, and we can take it from there.
