It does not account for the latest legislation
Things change quickly in cybersecurity. That’s partially due to how online criminals regularly update their attack methods, pushing the boundaries of what’s possible and committing increasingly devastating and widespread attacks.
The changes also occur because most business operations and individual job roles now depend on internet access to some degree. Cybercriminals know this, and they know that certain attacks, ransomware being the obvious example, can halt an enterprise's operations for weeks.
These combined challenges shed light on why European countries are collectively focusing on new cybersecurity legislation. The NIS 2 Directive — currently in force — represents an update to rules first introduced in the European Union (EU) in 2016.
Some of the requirements in the NIS 2 Directive include forming a group that promotes information sharing across all member states, fostering a security culture across societally and economically essential sectors and ensuring all member states are appropriately equipped to handle cyberattacks.
The Directive also requires particular sectors, including energy, digital infrastructure and health, to deploy specific risk-management measures and to meet reporting obligations for notifying the appropriate authorities of cyberattacks. Whether or not your company operates in one of the critical sectors that must meet the strictest requirements, now is an excellent time to become familiar with the NIS 2 Directive.
At the same time, review the details of cybersecurity legislation in effect elsewhere, such as in the United States. If your company has clients there, you may need to meet specific requirements associated with state or national regulations, including those related to data-handling practices.
Abiding by a cybersecurity strategy that does not match what current legislation requires could put your company at risk of fines and reputational damage. It’s best to get in compliance now before incidents happen that threaten your company.
It does not protect your company from the newest threats
As mentioned briefly above, cybercriminals regularly devise new attacks, especially as IT security experts learn better ways to protect internet infrastructure. One example is malvertising, in which cybercriminals place malicious code in ads served through legitimate advertising networks. In some cases the malicious ad attempts to exploit the browser or a plugin as soon as it is rendered, so a visitor can be compromised simply by loading a page that displays it; in other cases the visitor must click the ad before anything happens.
It’s also important that people design cybersecurity strategies while recognising some technologies that generally improve internet usage and convenience can simultaneously elevate cyber threats. Consider, for example, how Gartner predicted 70% of companies would have cloud-based office capabilities by the end of 2022. Cloud computing has taken off significantly, but the increased usage makes the technology a target for more cybercriminals.
CrowdStrike’s 2023 Global Threat Report mentioned a 95% increase in cloud-related exploitation and a year-over-year tripling of incidents involving “cloud-conscious” cybercriminals. There’s a good chance your company uses some cloud-based technologies now, but does your cybersecurity strategy cover how to do that safely? If not, it’s time to update it. Otherwise, it’ll be much easier for hackers to target your cloud infrastructure, increasing the chances they’ll get access to sensitive company data.
If your cybersecurity strategy relies heavily on traditional passwords, it may need updating. Many people do not follow good password hygiene, and their credentials get compromised. Perhaps that’s why 2022 data from Forrester indicated more than 66% of European businesses had started building a zero-trust process. The zero-trust model eliminates implicit trust: being on the corporate network no longer grants access by itself, and a person’s identity, device and access rights are validated on each request as they move through a company’s infrastructure, rather than once at login.
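To make the contrast concrete, the following is an added example (it is not code from the original article or from any vendor): a perimeter-style check that trusts anything inside the corporate network, beside a zero-trust decision that evaluates identity freshness, device posture and the sensitivity of the resource on every request. The `Request` fields, the corporate IP range and the MFA-age thresholds are illustrative assumptions.

```python
"""Added example, not from the original article: an implicit-trust access
check beside a zero-trust one.  Names, thresholds and the corporate IP
range below are assumptions made for the illustration."""
from dataclasses import dataclass
import ipaddress

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range


@dataclass
class Request:
    user: str
    source_ip: str
    mfa_age_s: int          # seconds since the user last passed MFA
    device_managed: bool    # enrolled in device management, posture reported
    device_patched: bool    # OS and endpoint agent at the required level
    resource: str           # e.g. "wiki", "payroll"
    action: str             # "read" or "write"


# How fresh the MFA must be for each resource (assumed policy values).
MAX_MFA_AGE = {"wiki": 8 * 3600, "payroll": 15 * 60}


def perimeter_decide(req: Request) -> str:
    """The 'castle and moat' rule: anyone inside the corporate network is
    trusted for everything.  A stolen credential used from the office
    Wi-Fi, or an attacker who has pivoted onto the LAN, gets full access."""
    inside = ipaddress.ip_address(req.source_ip) in CORP_NET
    return "allow" if inside else "deny"


def zero_trust_decide(req: Request) -> str:
    """Evaluate every request on its own merits; network location is not a
    trust signal.  Returns 'allow', 'step-up' (re-prompt for MFA) or 'deny'.
    The same function runs for each request, not once per session, which is
    what 'continuous validation' means in practice."""
    if req.resource not in MAX_MFA_AGE:
        return "deny"                      # unknown resource: default-deny
    if not req.device_managed:
        return "deny"                      # unmanaged devices never see company data
    if not req.device_patched and req.action == "write":
        return "deny"                      # out-of-date device: read-only at most
    if req.mfa_age_s > MAX_MFA_AGE[req.resource]:
        return "step-up"                   # authentication too old for this resource
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    intruder = Request("mallory", "10.1.2.3", 0, False, True, "payroll", "read")
    remote = Request("alice", "203.0.113.7", 300, True, True, "payroll", "read")
    for r in (intruder, remote):
        print(r.user, "perimeter:", perimeter_decide(r),
              "zero-trust:", zero_trust_decide(r))
```

The two sample requests show the point of the model: the unmanaged device on the office network is allowed by the perimeter rule and denied by the zero-trust rule, while the managed, recently authenticated laptop working from home is denied by the perimeter rule and allowed by the zero-trust rule. In a real deployment the posture and MFA-age values come from the identity provider and the device-management agent rather than from the request itself.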
The changes mentioned in this section show why people must treat any security strategy as a “living document” of sorts. That’s the best approach to take so its content stays relevant.
It does not reflect the risks associated with distributed workforces
Statistics from the EU indicate more workers prefer the option to work remotely at least part of the time. Those results are similar to studies that show many employees like working remotely and are more likely to stay with companies that allow it.
Such work options were not widely available before the COVID-19 pandemic. But once the health crisis proved remote work was viable for many people, some wondered why returning to their offices was necessary. Many workers can indeed do their jobs just as well from home. Although some people lack a suitable environment for at-home work or simply dislike it, others thrive. However, when people get work done from more places, and over networks and devices the company does not control, cyberattack risks rise, too.
One 2022 study of IT professionals found eight in 10 respondents believed there’s conclusive evidence that remote working introduces new cybersecurity risks. Moreover, three in four people said their workers use personal devices to access sensitive company information.
These findings reinforce the need to update your cybersecurity strategy if it does not recognise remote working risks and include practices for reducing them. For example, a potential policy to explore involves requiring all employees to have IT team members verify the security of their remote working setup before they start clocking in from home: a patched and managed device, disk encryption, endpoint protection, multi-factor authentication on company accounts, and no sharing of the work device with other household members.
Moreover, the company should consider distributing security reminders to employees who work remotely at least part of the time. Some people are more likely to forget cybersecurity best practices while working remotely. But, if they have reminders to refer to regularly and quickly, they’re less likely to make mistakes that could put their employers under the threat of successful cyberattacks.
Review your cybersecurity strategy often
This overview shows your cybersecurity strategy can become outdated faster than you might have previously thought. That doesn’t mean its content is wholly useless now, but the most practical way to make it more effective is to schedule frequent checks. Your IT team can remove anything that’s no longer relevant and update the rest of the material to reflect current trends, challenges and internal practices.
It’s also a good idea to look over the cybersecurity strategy after your business goes through a major change, such as creating a new department, completing a merger or acquisition, or hiring a significant number of new team members. Those events can cause company stress and may necessitate changes to cybersecurity policies.
The main thing to remember is to never treat your cybersecurity strategy as something you create only once and only make minor tweaks to after that. Keeping it current protects your company when many enterprises face progressively more cybersecurity challenges.