5 Cybersecurity Trends Your Organization Needs to Know: Takeaways from the Secure Miami Conference
The future of cybersecurity is full of mystery, intrigue, and intimidating trends. Threats loom larger every day, and defending against them becomes more and more challenging. At the Secure Miami 2023 Conference, industry leaders gathered to discuss these trends and how we can safeguard ourselves and our businesses against them. The day covered new topics like AI and ChatGPT while also touching on information security basics, like access and risk management.
But whether the conversation was about the next big thing or the classics we all need to master, the same key trends and themes ran through the entire day. Here are the five takeaways that emerged across the discussions, each of which your organization can use to strengthen its security practices:
1. Proactively Plan
We all know the landscape of security culture is changing. Businesses can no longer survive if they only react and respond to the threats and attacks coming for them. To survive, they must move from a reactive mindset to a proactive one. We cannot hope that we won’t be attacked; we have to assume the attack is coming. This is a classic case of when, not if.
The good news is that an organization can plan ahead to protect its valuable assets. Having an incident response plan and a business continuity/disaster recovery plan in place lets it decide how it will respond to an attack before one happens, instead of improvising during the crisis.
An incident response plan is a predetermined approach for identifying and addressing a security incident; it dictates the procedures to follow after detection so that the impact is minimized. The list below tracks what PCI DSS Requirement 12.10.1 expects of an incident response plan, which is why the payment brands are called out explicitly. At a minimum, your plan should include:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
- Specific incident response procedures
- Business recovery and continuity procedures
- Data back-up processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
A business continuity plan is a deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies. At a minimum, a business continuity plan should include:
- Document Control
- Priorities & Responsibilities
- Key Risks
- Roles & Responsibilities
- Emergency Recovery Process
- Business Recovery Process
- IT Business Continuity Plan
- Emergency Delegations List
- Contact Lists
In addition to creating these plans, businesses need to test them to ensure they work as designed. A tabletop exercise, in which the response team walks through a realistic scenario step by step and must say who decides what, who gets called, and which systems get restored first, is one of the best ways to find the gaps (a stale contact list, unclear decision authority, backups nobody has ever restored) before a real incident finds them for you.
The worst thing that can happen during a breach or attack is not knowing what to do next. Proactively plan so that your organization never faces that moment.
2. Know Your Environment and Its Risks
To plan properly for the threats your organization is facing, you must know the risks across your entire environment, and that requires understanding the environment itself. No one should know your network, systems, or processes better than you do. You need to know your assets, what each of them does, and who has access to them. This is the only way to know which defenses are needed and what will work best for your unique environment.
Once your assets are properly accounted for, your organization is prepared to perform an effective risk assessment. A risk assessment is how you connect that inventory to the threats you actually face: for each asset, what could go wrong, how likely it is, and how much it would hurt. By understanding what you are protecting, you will be better equipped to put the right controls in place for your organization’s unique environment and vulnerabilities.
In our Founder’s presentation at this conference, he discussed risk management as it relates to Star Wars. Spoiler alert: Darth Vader’s lack of a proper risk management plan led to the destruction of the Death Star. To have been properly prepared, the Empire should have inspected the station for vulnerabilities and then planned to defend them. The threat they faced was the Rebel Alliance’s X-wing starfighters; the vulnerability was the thermal exhaust port; the risk was what those two produced together. Being too focused on the operation, they never managed the one thing that made them vulnerable.
So, to avoid your organization falling to the dark side, you must start thinking about the real vulnerabilities you are facing. When you connect the threats you face to the parts of your environment that make you vulnerable, you can implement stronger controls designed to protect your valuable data. By identifying the risks that could stop you from being successful and proactively planning how you will address them, your organization can be confident when facing today’s ever-evolving threats.
3. Train Your Employees
Creating these processes isn’t enough to secure your environment. You have to make sure your employees know how to follow them and are willing to do so. One of the biggest threats to an organization is human error. According to a study conducted by Stanford University in 2020, approximately 88 percent of all data breaches are caused by an employee mistake.
The primary way to combat this is ongoing security awareness training, backed by controls that limit how much damage a single mistake can do. Train your employees often and on a variety of topics so that everyone is on the same page about how to protect your organization against threats.
While your training should cover your organization’s own processes as well as common attacks and breaches, here are five areas to consider focusing on to encourage your employees to practice security in the workplace:
- Physical Security – Protect the home front. Implementing requirements like wearing badges while on the property, appropriate identification and sign-in procedures at the front desk, video surveillance, and proper locks all protect your office and the people inside of it.
- Password Security – Treat 8 characters with a mix of upper and lowercase letters, numbers, and special characters as a floor, not a target. Current guidance (NIST SP 800-63B; PCI DSS v4.0 raises the minimum to 12 characters where the system supports it) favors longer passwords or passphrases, screening new passwords against lists of known-breached and common passwords, and multi-factor authentication over complex composition rules that users work around. Default passwords should never be left in place, and passwords should never be shared or reused across systems.
- Phishing – Train your staff to be wary of phishers and to know what to look for. Make sure they know not to open attachments in emails from unknown sources. Encourage them not to send confidential information in response to an email claiming that “urgent action is required.” Test and train your employees so that, when in doubt, someone will ask before acting on an email that looks suspicious.
- Social Engineering – Social engineering exploits human rather than technical weaknesses. It’s how attackers manipulate people into giving away confidential information or credentials, or into granting unauthorized access to a facility. Train your employees to operate with a healthy amount of skepticism and never to hand over sensitive information, or hold a door, without fully verifying who they are dealing with.
- Malware – Malware, much like phishing, can enter your environment through innocent-looking channels, such as employees opening emails from unknown sources, plugging in an infected USB drive, or visiting unsafe websites. Be sure employees are trained to recognize these kinds of attacks and practice identifying malware threats.
4. Quit Freaking Out About AI
AI is taking the world by storm right now. It’s all our auditors have been talking about because it’s new and unknown. The sessions at Secure Miami focused heavily on how AI and ChatGPT will change our security landscape and how we can securely incorporate them into our own security processes.
And while the unknown is scary, the overwhelming opinion was that we need to stop freaking out just because new tech has entered the chat. Our processes and our people have adapted in the past, and they can again. Think about when the cloud was a new concept: people freaked out about that, too, but now it is common practice, with security measures developed specifically to protect the data we store there.
AI will be the same way. We will build the controls we need to protect our data, and those controls will let us keep benefiting from the technology.
Remember, AI is just a tool. Here are a few takeaways about how to securely approach it currently:
- Be deliberate about the controls around your use of AI (knowing your environment and proactively planning for threats is how you do this).
- Use compliance frameworks to know which controls you need.
- Educate your users on how to use AI securely, including which data must never be entered into a public tool.
- Make risk-based decisions, and make them proactively, not reactively.
5. Invest in People
Despite current fears, people cannot be replaced by AI. We still need to invest in people and train them on security best practices so that AI is used as a tool and not as a default security measure. While training your employees is always a good investment, you need to focus on your culture as well. This means building relationships within your team and across departments; those relationships create the buy-in you need to implement the controls you’ve so carefully designed.
Outside your own organization, consider offering internships or mentorships to aspiring cyber professionals. Share your knowledge and make sure the next generation of IT and cyber professionals understands the importance of these controls and processes, even in light of cool new tech. Recruiting talent you can trust is hard enough, so why not invest in young professionals, help them be the best they can be, and in turn create talent worth hiring?
Get Back to Basics
This day at Secure Miami was a great reminder that no matter what flashy new tech comes our way or what attack threatens our business, we can prepare to face it with core security principles. Proactively planning how we will defend our data and respond to a breach, with well-trained people helping us, will always be the top trend in our industry.
While we have boiled this day down into 5 takeaways, we understand that implementing them can be overwhelming and challenging. If you’re feeling that way, reach out to one of our experts at KirkpatrickPrice. We’ve been in your shoes and know how challenging implementing these controls can be. We’ve worked with over 1,200 clients to issue 20,000 audit reports, and we are passionate about helping organizations get the assurance they deserve. We’ll help you create the controls you need to secure your unique environment.
Connect with one of our experts. We promise that cybersecurity and compliance will no longer be a mystery.