DXC manages mission-critical systems for thousands of large organizations around the world, giving the business great insight to understand cyber attacks and how they happen. What you see quite often is that the biggest enemy is the enemy within: highly complex, poorly implemented or poorly maintained IT environments. DXC also found that IT environments become less secure as services and connectivity increase.
Hughes, a security leader for more than 20 years and a former chief information security officer, joined DXC in 2018. His post has been lightly edited.
1. Understand your IT environment
Cybercriminals are opportunists. They typically use known malware and look for known vulnerabilities within a target's environment. However, when defending against ransomware and other critical threats, many organizations are unaware of the external exposure they face.
Most organizations assume they have good security control frameworks in place, but fail to patch known vulnerabilities or make necessary configuration changes. First of all, you need to get the security basics right.
2. Focus on who can access your systems
An attack always starts with an initial entry point, and quite often it starts when one of your own employees or even a contractor clicks on a phishing email. Spear-phishing, targeting users with an email from a known or trusted sender, is more common these days and can be very effective at bypassing access controls. Attackers can start with low-level access, but once they get a foothold, they can collect more credentials and use them to move laterally within your environment.
In large companies, security teams are often a long way from making decisions about which employees, contractors, and subcontractors need access to systems. This can lead to unforeseen access control problems. Unfortunately, many organizations don’t necessarily understand who has access to what or what has access to what. The good news is that only you can provide access to your environment, and tools like multi-factor authentication can help prevent unauthorized access.
3. Assess the risk posed by third-party software
Just as third-party contractors pose threats, third-party software can also introduce vulnerabilities. From a threat actor’s point of view, if they can exploit a vulnerability within a piece of software that is used ubiquitously in many organizations, then that one-to-many approach becomes an efficient way to gain numerous points of attack. This type of threat is emerging with increasing frequency in everything from basic ERP systems to open source ancillary products.
Given the ubiquitous nature of SaaS and third-party software in enterprises, this is an area that will continue to add complexity and place an increasing onus on organizations to understand what they are running and the risks associated with it. Be very deliberate in knowing the risks that third-party software may present in your environment and how well the software is maintained. This is why reliable threat intelligence is so critical to the success of security programs.
4. Incorporate security into business transformation
Most organizations today are undergoing a massive transformational shift, whether it’s moving on-premises assets to the cloud, supporting virtual-first workplaces, or embracing new business models around digital services. In many cases, these changes are creating more complex hybrid IT environments that are more difficult to defend. There’s nothing wrong with well-designed cloud and hybrid IT environments, but the problem I see is that many organizations are trying to operate the same way they used to, with the security team far removed from key decisions.
Security obviously offers an important check and balance in IT, but security professionals often sit in separate organizations and lack the context of who really needs access to new systems or how outsourcing partners are operating within the environment. By incorporating security into transformation initiatives, security teams can apply controls in a more seamless and collaborative manner and, more importantly, better understand the context of the signals their security tools are sending.
5. Simplify your toolkit for a more secure future
Over the years, businesses have been inundated with security tools: endpoint protection, monitoring, network firewalls, data loss prevention, cloud security, vulnerability management, and antimalware, to name a few. Large organizations not only have more complex IT environments, they also have security tool sets that are growing in complexity. While a best-in-class approach may make sense, the big questions are: Do your tools work with each other? Are they helping you focus on what’s important or are they just creating more noise? Can you act on what they are telling you?
Looking ahead, the best answer for many organizations may be to simplify security tools. Cloud providers like Microsoft, AWS, and others have made great strides in platform-native security controls. Microsoft is investing $20 billion in its integrated security tools over the next five years. In fact, a single Microsoft license can replace up to 26 siloed security tools. This trend toward simplification will help organizations avoid the friction of deploying tools, optimize their investments, and defeat the enemy within.