How CISOs Can Address Today’s Biggest Information Security Threats
Threats change so rapidly that it’s nearly impossible for the CISO to keep pace with them, let alone get ahead. Whatever tools you and your IT security leaders are using, cybercriminals are also employing. In fact, they may have had them first.
Consider AI, for example. It’s changing every aspect of business operations, including cybersecurity. GenAI assistants can draft security-as-code (policy, infrastructure and test definitions), making it far easier to “bake in” security during development. What’s more, AI-driven detection can flag anomalous activity and intrusion attempts quickly and trigger an automated response before an analyst has finished reading the alert.
But AI has transformed cybercrime, too.
Today, even low-skill hackers can create convincing phishing emails and phony websites so seemingly real that they fool security experts. Imagine how much more easily workers who take pride in being able to spot a phishing typo or grammar gaffe might take AI-generated bait. Pride goes before a fall, it’s said: The Dunning-Kruger effect is a real phenomenon.
Not only do CISO challenges keep shifting, but so do your responsibilities. The answer to the question, “What do CISOs care about?” has expanded beyond blocking attacks on your systems and networks to include:
- Finding and mitigating risks before they become threats;
- Sniffing out would-be attackers;
- Staying on top of technological advancements and how cybercriminals are using them;
- Guarding the data belonging to your enterprise and complying with complex data-privacy regulations;
- Working with your fellow C-suite executives as well as the Board of Directors;
- And much more.
Keeping your organization secure shouldn’t be so difficult – especially now, when a plethora of sophisticated tools and techniques are at your disposal. Read on to find out how to address some of the top CISO challenges in business today.
CISO Challenge: Maintaining Customer Confidentiality
In the digital age, data and identity are inextricably intertwined. In many ways, our online actions, interactions and transactions define us. Our most intimate details are nestled in those bits and bytes: our medical history; our finances; our personal hopes, fears, and desires; our lifestyles; whom we love; and much more.
As CISO, you act as the ultimate guardian of this precious data. It’s an awesome responsibility, not only to your enterprise customers and employees, but also to the business. Breaches of sensitive data can damage customer trust, your company’s reputation, revenues, and more.
Compliance with data privacy regulations such as the EU’s General Data Protection Regulation (GDPR) is also a major concern. Nearly three-quarters (71%) of countries have enacted data privacy and protection laws, some of them transcending borders.
A data breach due to a security lapse could violate one or more of these laws, causing your organization to face severe financial penalties.
Think it couldn’t happen to you? Perhaps that’s what the CISO at National Public Data (NPD), a US-based background check company, thought before the company suffered what has been reported as one of the largest data breaches in history earlier this year.
A notorious hacking group exfiltrated NPD’s entire database, reportedly containing the personal information of some 3 billion people, and published it on the dark web.
One of the breach victims has filed a class-action lawsuit that could prove exceedingly costly: even if each victim were awarded just $1, the cost to NPD would be some $3 billion.
CISO Challenge: Creating a security culture
Human error has always been the number one cause of security breaches, but the problem seems to be getting worse, not better. Three out of four CISOs listed it as their top security risk in a recent survey – up from 60% in 2023.
A little training can go a long way. But it won’t solve the human-error problem on its own: cocky people who ace your training, for instance, might fancy themselves infallible, and so be more susceptible to making mistakes – again, the dreaded Dunning-Kruger effect.
Security Awareness Training is most effective as part of a program to support a strong cybersecurity culture. Creating and maintaining this culture can be one of the most daunting CISO challenges for those more attuned to technology than to people. Put someone in charge of this initiative who has a firm grasp of human psychology and knows how to foster an environment in which people feel safe speaking up even when they make mistakes. That person also needs, of course, an understanding of the threats your enterprise may face and how to protect against them.
Tips for creating a strong cyber culture at work, according to the Forbes Technology Council, include:
- Consider human psychology when risk modeling. Making authentication processes complicated and time-consuming, for example, will almost certainly inspire employees to devise security-compromising shortcuts or workarounds.
- Keep it simple. Your people should be using their brainpower to do their best work for you, not to puzzle out whether a link or attachment is malware in disguise. Use filtering tools that catch malicious links and attachments before they reach the inbox, so employees don’t have to. And put “least privilege” guardrails around information so they see only what they need to do their work.
- Train your executives and board, too. Top-down is the only direction that works for workplace culture.
- Communicate, communicate, communicate. Engage employees often about cyber. Put up posters. Send weekly cyber newsletters. Invite them to participate in contests and quizzes around security. Be creative, with an eye toward getting your people to think “cyber.”
CISO Challenge: The growth of AI
The bad news is that generative AI tools like ChatGPT make it easy for even novice hackers to launch attacks. The good news is that, so far, attackers appear to be using these tools mainly to optimize their targeting and routine tasks rather than to build new classes of attack. And the bad news, again, is that they are only getting started.
Fighting fire with fire means using AI to defend your organization against AI attacks, as well as facing the AI security problem head-on.
That cocky employee who’s proud of their eagle eye for spotting typos and phony website links will be especially challenged to find them in the age of AI. It’s still possible, but much harder, because the tells are no longer in the text. AI-based defenses don’t rely on typos: they weigh signals a reader never sees, such as sender reputation, email authentication results, where a link actually resolves and how a message compares with the sender’s normal patterns, and so spot what human eyes more easily miss.
At the same time, security awareness training, too, must be more sophisticated in the AI age.
CISO Challenge: Addressing Insider Threats
Human error is hard enough to tackle. Intentional compromises by malicious employees can be nearly impossible to spot and stop. Your people need a certain amount of autonomy to do their jobs, after all.
Not all insider threats are born of malice, though. Someone might share files with someone in another department to make it easier to collaborate – but that person isn’t authorized to see them.
Someone might email company files to their insecure personal email to work on at home.
Or an employee who has resigned from the company might decide to download your CRM’s database of contacts to use or sell.
Or, perhaps someone didn’t get that promotion or raise they wanted, and decides, in revenge, to sabotage your systems or data.
Prevention is the best cure for all these problems. Tactics for stopping insider threats before they start include:
- Screen candidates carefully before hiring them, including conducting background checks;
- Periodically re-screen existing employees, particularly those in sensitive roles. A bank or wire fraud conviction, for instance, should raise red flags;
- Limit your employees’ access to only the information they need to do their jobs. Apply “least privilege” principles: classify your data and systems, grant access by role rather than by request, and review it when people change roles or leave. A software developer doesn’t need access to employee personal data or payroll records, for instance.
Microsoft Copilot and insider risk
If you’re using Microsoft 365 Copilot, you could be increasing the likelihood that sensitive data will fall into the wrong employee’s hands – not because Copilot bypasses your access controls (it answers only from content the signed-in user already has permission to see), but because it makes everything that user can reach instantly searchable and summarizable, including files that were overshared years ago and forgotten.
Adding insult to injury, an improperly governed Copilot rollout could also cause your company to violate data protection regulations such as GDPR. To manage the risk, you need to manage your Microsoft 365 permissions – not an easy task.
CISO Challenge: Managing your 365 permissions
Managing file permissions in your Microsoft 365 suite can be complex, frustrating, and time-consuming. Proliferating and always changing compliance regulations add to the challenge, as well as new innovations like Copilot.
Doing nothing, however, heightens your risk of security breaches and noncompliance penalties, as well as lawsuits.
Managing permissions effectively can help mitigate these risks. Implementing robust access controls and continuously monitoring permissions – in particular, hunting for anonymous links, organization-wide links and grants to groups such as “Everyone except external users” on labelled files – ensures that only authorized users have access to sensitive data, reducing the potential for breaches and supporting compliance with the regulations that apply to you.
Take Back Control of your Data Security with 365 Permission Manager
Hornetsecurity’s 365 Permission Manager is a scalable tool that works with Teams, SharePoint and OneDrive to set and manage file access permissions. Simple to use, it enables CISOs to ensure that sensitive information is only accessible to authorized personnel, enhancing data protection and compliance.
The tool provides a centralized management interface to apply policies, find deviations from them, and remediate over-permissioned access issues in bulk. As an added feature, 365 Permission Manager prevents Microsoft Copilot from surfacing sensitive information like salary details or confidential reports to unauthorized users.
With the right tools and strategies in place, CISOs can navigate the complexities of today’s cybersecurity landscape and protect their organizations effectively.
Request a demo today and see for yourself how 365 Permission Manager can help secure your organization’s data.