In 2021, 64% of companies worldwide experienced at least one form of cyberattack, raising cybersecurity to the top of the agenda in board rooms. Cyber threats have grown to such a scale that almost half of CEOs worldwide consider them the second biggest threat to a company’s growth, second only to the pandemic.
These threats range from data breaches to companies falling victim to ransomware, and they increased by 93 percent in the first half of 2021. The danger is not just to immediate revenue, as business operations are disrupted and the loss of sensitive data incurs financial penalties. The long-term hit to a brand’s reputation can prove just as costly.
In this environment, it is critical to ensure you have adequate defences in place to protect your business. But we also recognise it can all be a bit overwhelming. So where do you start if you want to build strong cybersecurity from the ground up? Hack The Box believes you need to focus on three key areas: culture, recruitment, and training.
1. Create a Security Culture
Many people think that cybersecurity is solely IT’s responsibility. This is not true. Security and security culture shouldn’t only apply to technical staff. It should extend to employees across the entire organisation. It starts at the top, with policy and leadership, and flows down to employee awareness in every department.
A security culture includes a strong company policy around data and information security (e.g. defined roles and responsibilities around data and cybersecurity), a multi-level approach to information and data access, and a strong awareness of best practice among employees.
Poor employee awareness is often blamed on a lack of budget. However, that doesn’t explain how companies so often find millions of dollars in the wake of a cyberattack to fund the recovery.
This money gets spent on extensive IT work, PR, and legal tedium, but could have gone towards building a strong cybersecurity culture that may have prevented the breach in the first place. It’s much more cost-effective to invest in cybersecurity from the very beginning than to deal with cyber incidents in their aftermath.
2. Recruit the Best Talent
Cybersecurity and the cyber threat landscape are both constantly evolving, which means that cybersecurity specialists need to keep on top of their skills to stay ahead of the malicious actors. This will only be possible if businesses shift their focus to recognise skills in interactive scenarios and test their prospects using hands-on skills evaluation, rather than theoretical exercises.
Old-fashioned tests and certifications are outdated and do not accurately represent the actual skills and knowledge of a candidate. Placing them in a realistic scenario will allow job applicants not only to show their understanding of the theory but also to demonstrate thinking “on their feet” in both defensive and offensive roles.
Cybersecurity is a very dynamic field, so experts need to be able to replicate the exploits that cyber attackers are using now or will use in the future. Many companies have learned the hard way that certifications are not always the best proof of experience and ability. It’s clear that insufficient security knowledge makes organisations more susceptible to cyber exploitation, and more harm is done because incidents cannot be mitigated effectively.
With this in mind, businesses need to source their talent in new ways. Generic job boards are not the best place to look as they do not reflect actual skills. Make sure HR is aware of the places where cybersecurity experts showcase their practical skills, like CTF events and dedicated competition platforms that advertise vacancies, for example.
3. Invest in Continuous Learning and Development
Your company is only as secure as the team that protects it. Once your company has recruited the best talent, it is imperative to keep the team’s skills up to date. Both newly recruited and existing security staff should engage in continuous learning so that they are aware of the latest threat landscape and have the skills necessary to counter new attack methods. One way to do this is through regular practice and real-life attack simulations.
Nikos Fountas, Director of Global Operations at Hack the Box