It’s important that, before any web application goes live, companies perform appropriate cybersecurity tests. This can happen either when it’s initially developed or after significant changes are made. Ideally this testing would involve experienced cyber analysts experienced in testing against applications based on the Open Web Application Security Project Top 10 for web applications and APIs.
Most off-the-shelf enterprise applications that organizations use today have security controls built in. The challenge is to implement those controls properly. It’s important to do that once a new application is implemented so that you get the full security benefit of the features.
Potential disruptors facing organizations are concepts used to secure our federal information systems moving into the private sector, like zero trust. Zero trust means giving users no access until they can prove why they need it.
While many organizations may not fully adopt a zero-trust approach, using some parts of this concept helps improve posture and protect sensitive data and unauthorized system access.
Organizations will see regulations with an increased focus on privacy laws, ensuring that they maintain the privacy of their customer data. We’ll also see an increase in state-level cyber regulations.
We’ve also seen a recent expansion in scope for some organizations with requirements for GLBA, that require penetration testing, vulnerability scanning and continuous monitoring of servers and endpoints.
By 2025 more than 75% of the world’s population likely will be covered by privacy laws. These laws include General Data Protection Regulation in the EU and privacy laws by states in the U.S. to protect consumer data.
Department of Defense contractors will be faced with what’s known as the Cybersecurity Maturity Model Certification. CMMC, as it’s also known, will be a requirement for all DoD contractors doing business with the federal government.
The DoD realized it’s critical that vendors in the defense industry implement security controls to protect sensitive data belonging to the federal government.
They instituted the CMMC requirements, which likely will go into effect by mid-2023. All DoD contractors will be required to comply at some level with a cybersecurity maturity model certification. They also will be required to have a third-party audit attesting to their level of cybersecurity maturity in accordance with the CMMC model.
In addition to third-party audits, organizations should engage with professionals to help them get ready for their CMMC audit. It’s no secret that CMMC compliance will require a significant amount of time, resources and effort for organizations to maintain compliance.
Users continue to be the weakest link in the cyber security chain. Organizations must focus on routine training and awareness of their end users and IT personnel related to cybersecurity risks and threats.
They also must align their IT controls with their manual or financial internal controls. This helps mitigate risks such as financial fraud resulting from business email compromises as these attacks continue to rise and result in lost funds.
Organizations also should focus on engaging their senior leadership and boards of directors in their cyber risk management programs. A challenge we often see is organizations making investments in cybersecurity tools and systems, but not making investments in the resources they need to manage them.
Cyber threats will continue to evolve, and breaches will occur more frequently. It’s important for organizations to develop a proactive cyber risk management program to effectively test for and mitigate these risks.
Brad Pierce serves as the chief information security officer for HORNE and leads cybersecurity programs and initiatives. He also manages cybersecurity operations for the firm and its clients, collaborating with executive leadership teams to strengthen their security systems.