The last few years have brought a new focus to our definition of the word “essential.” Essential industries are the ones that have direct impacts on our personal lives. It makes sense that these industries—healthcare, law and higher education among them—house our most essential, and most personal, data. What doesn’t make sense, however, is why we have let them become so vulnerable to cyberattacks.
These industries keep our society going, but they also face unique cybersecurity challenges such as budgetary restrictions, largely non-technical end users and stakeholders who might not fully recognize the risks they face in today’s threat landscape.
If we claim these services are essential, it’s time we start protecting them that way.
A Widening Attack Surface
One of the most lasting effects of the pandemic has been the massive shift to remote and hybrid work. This has been the gift that keeps on giving to cybercriminals.
Networks have become increasingly dispersed, and bring-your-own-device (BYOD) policies are becoming accepted as the norm. For example, a BlueVoyant report cited a 2019 survey from the EDUCAUSE Center for Analysis and Research that found that 97% of higher education students in the U.S. used their own personal laptops in at least one course. This creates an almost unlimited number of (mostly unsecured) access points for threat actors, which results in deeply unsecured networks.
Cybersecurity professionals know that a wide attack surface is a vulnerable attack surface. Cybercriminals have more side doors into networks to commit expensive and dangerous breaches than ever. We must adjust our approach to cybersecurity to acknowledge the new realities of our widened attack surfaces.
Recent developments in cybersecurity technologies have focused on the development and investment in “right of boom” (meaning: after the bad actors have perpetrated an attack) technologies. These technologies can minimize damage once cybercriminals have already successfully committed a breach and are critical pieces of security infrastructure. However, neglecting the space “left of boom” (before a threat actor has compromised a network) has left us vulnerable, especially in industries that might not be able to invest in sophisticated—and, more importantly, expensive—remediation solutions after a breach.
The proverbial “they” say that offense wins games, but defense wins championships. I would amend this to say that active defense wins championships. Stop the bad guys before they get in, and they can’t cause problems. For industries such as healthcare where a breach can, quite literally, create a life-or-death scenario, the stakes of this championship are too steep not to play active defense.
Tight Budgets Add To Security Staffing Woes
One of my fellow Forbes Councils members, Anurag Lal, recently wrote a piece about the global cybersecurity staffing shortage. Even as devastating rounds of layoffs are grabbing headlines, cybersecurity positions remain open and unfilled. There are many reasons for this, including high burnout rates and a lack of understanding from budgetary stakeholders. This has resulted in astronomical costs for qualified cybersecurity professionals—if you can find them.
One solution for this staffing crisis has been outsourcing security services to managed service providers (MSPs) and/or managed security service providers (MSSPs). These solutions are not cheap, but the payoffs of industry expertise and lack of internal staff turnover can often be well worth the expense since many essential industries do not have the bandwidth to hire and train more junior cybersecurity professionals. Moving toward managed security services can be what keeps organizations’ names out of the headlines.
However, before investing in expensive cybersecurity technology or managed providers, organizations should take a moment to get a full understanding of the threats in their networks today. Traditional cybersecurity audits focus on potential threats to the network but frustratingly fail to look at the threats already in the network. This one piece of information about an organization’s current threat posture can inform vital investment decisions for industries where cybersecurity budgets are especially tight.
A Lack Of Top-Level Buy-In Around Cybersecurity
A culture of security starts at the top of any organization. If organizations want to protect themselves, it’s up to the top decision-makers to establish a culture of security. Banish all thoughts that threat actors won’t come for you because you’re a small company; there is nothing more tempting to a threat actor than low-hanging fruit. In 2022, 61% of all SMBs reported a cyberattack. No business, regardless of size or industry, is immune to cyberattacks.
There are easy—and often close to free—ways to start protecting these vital yet vulnerable organizations and their data.
• Listen. Leadership must take the security and technology teams’ concerns seriously. Take the time to learn and understand the risks—and, of course, the costs—of a breach.
• Start simple changes now. Implement robust password policies. Your employees will adjust, and if you create a culture of security, their buy-in will come much easier.
• Update regularly. If there is a reason software updates aren’t being installed immediately, make sure the pathways for them to do this are clear. Do not give threat actors the chance to exploit an already-fixed hole and cause a catastrophic breach.
• Communicate. Communicate to every employee how security is not just the job of the CISO and their team but the job of everyone in an organization. It is up to the top levels of management to create and buy into a culture of security. In industries where the end users are burdened with their jobs of saving lives, cybersecurity can be a mile down their list. It is up to you to help give them the capacity and tools so they don’t have to choose between their job duties and good cybersecurity practices.
• Learn from others. Executives and security teams in these industries should look outside of the specific industry silo for cybersecurity solutions and policies. Too often, organizations stagnate their cybersecurity defenses because they are too insular, and the advice can become an echo chamber.
Threat actors are nimble, sophisticated and well-funded. If we want to continue to have access to our essential industries, we can—and must—be, too.