When it comes to technology, there's always a tension between the imperative to innovate and the need for stability and security. Because you can't grow and innovate successfully unless you've got a stable foundation on which to build.
After two years of explosive and successful IT innovation driven by the pressures of the pandemic and a revolution in remote work, CIOs have pivoted toward security and other foundational IT concerns.
CIOs are focusing on shoring up the IT structures that need to be robust and ready for future expansion, as well as locking down security for all the new endpoints that have proliferated during the shift to a less centralized workspace.
Cybersecurity is at the top of the agenda, thanks to an environment of escalating threats like cyberattacks and ransomware. Some numbers to back that up:
- According to CIO.com's 2022 State of the CIO research, the No. 1 C-Suite directive for CIOs this year was to upgrade IT and data security to reduce corporate risk, as cited by a third of respondents.
- A study by Gartner found that cybersecurity was the top investment priority for 2023, with 66% of respondents planning to increase their investment.
- Gartner estimates that spending on security will grow 7.2% in 2022 compared with 2021. That's on top of the fact that security spending grew 14.3% in 2021 compared with 2020.
Foundations for Future Growth: Reasons to Get Your IT House in Order
Forward-thinking CIOs see plenty of exciting opportunities on the horizon — and only organizations with a fully modernized system will be well-positioned to take full advantage. Which means that playing offense successfully also requires playing defense well ahead of time.
The CIOs surveyed by CIO.com said that a robust cloud environment will be mandatory to capitalize on the technology trends that are expected to be in play over the next few years — including new horizons like augmented reality, virtual reality, the metaverse and Web3.
The rapid growth of IoT technologies will continue to deliver new possibilities and benefits, but also require new levels of vigilance to keep all those new endpoints secure. As Craig Wright, senior partner for advisory and transformation at digital consulting firm West Monroe, puts it:
“The Internet of Things is going to continue to explode. We’re already in the billions of devices, but we’re talking about trillions (in the upcoming years).”
That means there's no end to the growing deluge of data that will need to be managed in an orderly way. One sign of the scale of the challenge is that we need new language simply to be able describe it.
It's now estimated that by the year 2025, the world will have generated a staggering 175 zettabytes of digital data, according to the International Data Corp. A zettabyte is a figure with 24 zeroes behind it — but even that will prove to be an inadequate yardstick for the future.
So, NPR reports that new prefixes are being added to the metric system to allow us to quantify the downpour of data in the decades to come. The largest, a quettabyte, comes with a whopping 30 zeroes in its trunk.
Strategies for A Secure IT Environment
To get a handle on what's ahead and shore up your fortifications:
-
Embrace Vulnerability Management and Threat Intelligence
Gartner recommends that organizations implement a risk-based vulnerability management process — one that includes an assessment of how much operational risk your organization can take on.
Factors like the severity of the vulnerability, current exploitation activity, business criticality and exposure of the affected system can help you prioritize vulnerabilities based on risk.
From there you can identify solutions that are appropriate to your organizational needs. Gartner notes:
By combining compensating controls that can do virtual patching like intrusion detection and prevention systems and web application firewalls with remediation solutions like patch management tools, you can reduce your attack surface more effectively while having less operational impact on the organization. Newer technologies like breach and attack simulation (BAS) tools also provide insight into how your existing security technologies are configured and whether they are capable of defending against a range of threats like ransomware.
It's important to identify your most sensitive and valuable data, and take extra steps to wall it off from attacks. In many cases that will be customer data because your customers' trust — and by extension, the value of your brand — depends on how well you safeguard that information.
2. Back Up, Don't Pay Up
Having the right backup strategy in place can be the key to coming through a ransomware attack relatively unscathed.
As McKinsey notes, companies often run continuous or realtime backups, which can result in a kind of self-inflicted wound when you need to recover from a ransomware attack. That's because many modern ransomware attacks start by encrypting backup data to prevent it from being restored. So, when you run your backup, you're simply backing up a system that's already corrupted.
An alternative approach is to run backups at intervals, such as daily or weekly backups. And if possible, keep those backups "air gapped" — separate from your main system and thereby inaccessible to attackers.
When an attack occurs, this may give you the time you need to spot the attack and avoid compromising your backup with corrupted data. You can run ransomware-detection checks across your network daily, and once your system is clean, you can proceed with backing up.
Whatever you do, think long and hard about paying off the perpetrators in the case of a ransomware attack. Not only does this encourage future attacks, by both funding and incentivizing ransomware operations — in many cases it won't even get you your data back. According to a report by Sophos, as noted by Financial Times, only 4% of organizations that paid ransoms in 2021 were able to retrieve all of their data. And there's nothing to stop the attackers from selling or leaking the data in the future, regardless of whether you pay.
That may explain why organizations are increasingly reluctant to pay out — which in turn leads to a ray of hope on this subject. After huge increases in 2020 and 2021, US security company SonicWall found a 23 percent drop in the amount of ransomware attempts in 2022 — which it attributes in part to a trend toward organizations refusing to pay off attackers. It comes down to that basic lesson that city-dwellers learn: If you don't want rats to come around, don't feed them.
3. Modernize Your ERP
Moving away from legacy systems, and toward a fully modern cloud-based ERP with a trusted vendor like Microsoft, is the single most important step you can take toward a more secure future.
Partly this is because legacy systems often rely on vulnerable technologies like clear text exchanges or FTP, which provide openings that hackers can target.
And partly it's that modern cloud-based ERPs incorporate tools like artificial intelligence and machine learning that help to prevent, detect and respond to cyberattacks successfully.
They also help you keep your armor up to date by consistently applying the latest patches and updates to ward off known threats, scanning your system for vulnerabilities, monitoring logs for anomalies, detecting suspicious transactions and more.
Securing the Cloud: Microsoft's Red Team Is on the Case
As modern cloud-based ERP systems go, one contender that stacks up well from a cybersecurity standpoint is Microsoft Dynamics 365 Finance and Supply Chain Management.
As part of the premium it places on trust, Microsoft has embraced the Trusted Cloud Initiative, a program of the Cloud Security Alliance (CSA) industry group that helps cloud services develop strong industry-recommended security practices.
Microsoft focuses on data integrity in the cloud with an approach governed by three key principles:
- Security: protecting customers from cyberthreats
- Privacy: giving customers control over access to their data
- Compliance: unparalleled investment in meeting global standards
Microsoft provides a set of customer-managed tools that adapt to your organization and its security needs. You can use the Microsoft 365 Security and Compliance Center to track user and administrator activities, malware threats, data loss incidents and more.
And as a sign of how seriously it takes security, Microsoft employs highly specialized groups of security experts — known as the "Red Team" — to strengthen threat detection, response and defense for its enterprise cloud services.
Microsoft has earned positive notice from Wired Magazine for the efforts of its Red Team initiative for Windows, and it approaches ERP security with the same diligence.
Microsoft says it uses the Red Team and live site testing against Microsoft-managed cloud infrastructure to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of online services.
You can read more about how Microsoft keeps the cloud secure on the Dynamic 365 security page.
Want to learn more about how Columbus can help you fortify your cybersecurity efforts? Get in touch with us today.