Employees: The frontline warriors of data security

News Desk -


Speaking to TECHx Media on how ManageEngine maintains the best cybersecurity policies within the company, Deepa Kuppuswamy, Director of Security at ManageEngine stated that your employees are the frontline warriors for your data’s security. Read on to know more.

TECHx: What are some of the best cybersecurity practices your company has adopted to ensure not only a secure working environment but also a simplified adoption process?

Deepa: We enforce MFA via our in-house Zoho OneAuth app for all our employees accessing business applications and seeking remote access. We also moved away from the conventional practice of periodic password resets. Practices like requiring stronger passphrases, blocking banned and leaked passwords, using password managers, and enforcing MFA improve security hygiene and simplify adoption for end users.

We also adopted Zero Trust as an alternative to VPNs. VPNs were not designed in the context of hybrid work. They do not offer adaptive access controls and they introduce friction to the user experience. Hybrid employees expect a seamless transition from home to office. Our adoption of Zero Trust for accessing our intranet apps and data centres has provided the perfect balance between security and usability.
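The password practices named in the answer above (length-based passphrases instead of forced periodic resets, blocking banned and leaked passwords) as an added Python example; this is not ManageEngine's or Zoho's code. The banned list and breach corpus are constructed, and `leaked_range` stands in for the k-anonymity prefix lookup that public breached-password APIs offer, so only a 5-character hash prefix ever leaves the client.

```python
import hashlib

# Constructed sample data: a small banned-word list and a tiny "breach corpus".
BANNED = {"password", "welcome1", "letmein", "qwerty123", "manageengine"}
LEAKED_CORPUS = ["Summer2023!", "P@ssw0rd", "correct horse battery staple"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Index the leaked hashes by their first 5 hex chars to simulate a range API:
# the client sends the prefix and matches the remaining suffix locally.
LEAKED_BY_PREFIX: dict[str, set[str]] = {}
for _pw in LEAKED_CORPUS:
    _h = sha1_hex(_pw)
    LEAKED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def leaked_range(prefix: str) -> set[str]:
    """Stand-in (constructed, offline) for a breached-password range endpoint."""
    return LEAKED_BY_PREFIX.get(prefix.upper(), set())


def is_leaked(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in leaked_range(h[:5])


def check_password(password: str, username: str, min_len: int = 14) -> list[str]:
    """Return the policy violations for a candidate password; [] means accepted.

    No complexity classes and no expiry: length, blocklists and breach data do the work.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    if any(word in lowered for word in BANNED):
        problems.append("contains a banned word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if is_leaked(password):
        problems.append("found in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Welcome1ToManageEngine", "olive tram nebula 47 kite"]:
        print(candidate, "->", check_password(candidate, "alice") or "accepted")
```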

TECHx: Hybrid work culture is now a reality; how are you protecting your remote workforce from potential cyber threats?

Deepa: Hybrid environments raise the question of appropriate personal device use. BYOD is becoming a norm, with business data being accessed from personal devices that have lower security postures. Hybrid employees log on from multiple locations during the week. At home, work and personal tasks are likely done on the same device. Employees could inadvertently disable the security controls, and the device could become infected.

Zero Trust architecture is well-suited for hybrid work environments because it delivers solid security controls, a seamless employee experience through MFA, and continuous authentication of the users and devices in a network, regardless of where they are located. The key is to establish strict endpoint management, exercise control over corporate devices, and always have visibility into what is happening on devices.

TECHx: The human factor remains one of the most serious threats to an organization’s cybersecurity; in light of this, what kind of security training should employees receive?

Deepa: Your employees are the frontline warriors for your data’s security. Educating them, empowering them, and encouraging the right security behaviour from them are all essential. Our motto has always been to build a sustainable security culture and inculcate the concept that security is a responsibility of everyone in the organisation.

The following measures have worked for us: 

  1. Educate the distributed workforce on the dangers of phishing, ransomware, insecure usage of collaboration tools, and under-protected home networks.
  2. Provide contextual learning by highlighting security pitfalls and what can go wrong when employees choose a less secure option. This approach provides a better result than traditional security presentations. Simulated security exercises, quizzes, and gamified security challenges should be organised periodically to ensure employees understand the message.

TECHx: What is the best and most immediate strategy for CSOs/CISOs to implement if a data breach occurs in their organization?

Deepa: CISOs should have both a short-term and long-term plan for handling data breaches. The short-term focus is on immediately containing the breach, understanding its impact, and preserving evidence. Have a well-defined strategy for coordinating internal response efforts and swiftly making decisions. Collaborate with relevant departments and keep them informed about the breach’s status. Engage a third-party incident response firm if deep technical expertise is needed.

Honest communication with all the stakeholders is key. Failing to promptly share relevant details could damage the organisation’s reputation. Know the legislation around breach notification and inform the proper authorities.

The long-term focus is on learning from the breach. Do a complete RCA and assess how mistakes could have been avoided. Maintain an incident response playbook for what-if scenarios. Ensure training programs incorporate the lessons learnt.

TECHx: What do you consider to be the most important skills of a modern CSO/CISO?

Deepa: In this fast-paced world, information security must align with business objectives. The goal should be helping businesses grow securely. The role of the CISO is to develop and release secure systems while enabling business progress. To be effective, CISOs must develop a business mindset and fully understand business strategies and risk management.

Effectively communicating with all stakeholders in a way they understand is crucial. CISOs must be able to clearly articulate complex technical concepts and explain how technical vulnerabilities translate into business risks.

The cyber landscape is constantly changing, and CISOs should anticipate the risks posed by emerging technologies. CISOs must embrace constant learning and change.

TECHx: What advice or tips would you give to other CISOs in light of the current global cybersecurity landscape?

  • Align cybersecurity goals with business priorities. Actively listen to and understand the goals and pain points of the various departments. Foster a culture where security is not seen as a roadblock. Get involved in your business's security strategy in the early stages and advise the business on how to operate securely.
  • Security is a team effort. Communication and cooperation are essential. Build allies across business streams. Learn from the wider community.
  • Build a strong team and continuously improve the skills of your internal talent. Create a security champions program to embed security talent within each business stream to advocate for and implement security practices throughout the organisation.
