Cybersecurity has, over the last few years, become a popular subject, and many companies have come on board with the new and exciting trend.
Many of these newcomers base their sales pitches on fear and on the evidence of recent or significant cyber-attacks that damage reputation, image, and profits. The greater the fear, the better the chance of landing lucrative projects, not always the most effective ones from a security point of view, but ones with well-defined objectives of visibility and profitability.
As in any other field, there are good companies out there and others that sell themselves as cyber experts but all they do is run automated tests that produce automated reports and identify generalized corrections. This one-size-fits-all approach may seem adequate to some, but to real experts it is far from effective.
Although automated systems are a good complement to a proper security assessment, they are not capable of exploring vulnerabilities that may require lateral movement and privilege escalation techniques, among many others, that are often used by cybercriminals.
Cybersecurity is not about running a bunch of automated tests and plugging the identified vulnerabilities. Cybersecurity, like most things in life, is about knowing what you are doing and applying the available resources to the most effective mitigations and countermeasures on a regular or continuous basis.
Cybersecurity is about people who can use the tools, understand the results, and take the problem to the next level, the level where criminals operate. It is about understanding where the risk is, evaluating it, and applying the proper measures to mitigate that risk, spending the necessary budget in the right places and in the right amounts. Cybersecurity is also about doing things right from the start, be it in software development or in network infrastructure deployment.
How many times have we come across companies that spend huge budgets on cybersecurity and claim to have good defenses, but still have sensitive data on sale on the web? How many companies claim to be protected simply because they spent huge budgets on tools and equipment, but do not have the experts to understand the results and provide continuous improvement?
In the last few months, effective cybersecurity took a huge leap from being important to being essential. The social effects of COVID-19 and the need imposed on many companies to send employees to work from home, with very little warning, demonstrated that many were not prepared, or rushed to accomplish the seemingly impossible.
Remote work became a reality in a very short period, and infrastructures were prepared in a rush to deal with the needs and demands of a new reality.
Now, more than ever, good, solid security skills are essential. Please make security a priority and evaluate carefully to whom you entrust your company's security; your business may depend on it.
By Rui Carvalho – Head of Cybersecurity at InnoWave