The challenges are greater than ever. But security pros have learned a lot – and with luck, the right strategic defenses can help even the highest-value targets withstand severe attacks.

Marc Andreessen had it right – software has eaten the world. As a result, the world can be hacked.

Just look at the past few months. The SolarWinds caper – the “largest and most sophisticated attack the world has ever seen” according to Microsoft president Brad Smith – gave its Russian perps months of free rein across untold US government agencies and private companies. But stupid also works: Last month in Florida, a water treatment plant’s cybersecurity was so lax, anyone could have been behind a clumsy attempt to poison the local water supply. Meanwhile, miscreants bearing ransomware have made hospitals their favorite target; in October 2020, six US hospitals fell prey within 24 hours.

Cybersecurity wins the award for Most Dismal Science. But if suffering attacks now amounts to a cost of doing business, then the time-honored approach of prioritizing risk and limiting damage when breaches occur still offers reason for hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World delivers specific guidance on best security practices across the enterprise, from the C-suite to developer laptops.

Writing for CSO, contributor Stacey Collette addresses the age-old question of how to focus upper management’s attention on security in “4 ways to keep the cybersecurity conversation going after the crisis has passed.” The thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wake-up calls. Collette suggests seizing the moment to convince the board to match the company business model with an appropriate risk mitigation framework – and to use information sharing and analysis centers to exchange information on industry-specific threats and defensive measures.

CIO’s contribution, “Mitigating the hidden risks of digital transformation” by Bob Violino, surfaces a problem hiding in plain sight: Digital innovation almost always increases risk. Everyone understands the transformative power of the cloud, for example, but each IaaS or SaaS provider seems to have a different security model, raising the odds of calamitous misconfiguration. Likewise, digital integration with partners promises all kinds of new efficiencies – and by definition heightens third-party risk. And does it even need to be said that launching an internet of things initiative will vastly expand your attack surface area?

A second story written by Violino, this one for Computerworld, explores the cybersecurity obsession of our era: “WFH security lessons from the pandemic.” Some of the article covers familiar ground, such as ensuring effective endpoint protection and multifactor authentication for remote workers. But Violino also highlights more advanced solutions, such as cloud desktops and zero-trust network access. He warns that a new wave of preparation will be required for hybrid work scenarios, in which employees alternate between office and home to ensure social distancing at work.

The pandemic has proven that remote work at scale is viable – but new solutions, such as pervasive data defense and response platforms, will be necessary to secure our new perimeterless world. That goes for companies with many distributed offices as well. As contributor Maria Korlov reports in the Network World article “WAN challenges steer Sixt to cloud-native SASE deployment,” adoption is accelerating for secure access service edge (SASE), an architecture that combines SD-WAN with various security measures, from encryption to zero trust authentication. According to Korlov, for the rental car company Sixt, the result was “a 15% to 20% reduction in costs for network maintenance, security, and capacity planning.” At Sixt’s 80 branch offices, downtime purportedly averages a tenth of what it used to be.

In “6 security risks in software development and how to address them,” InfoWorld contributing editor Isaac Sacolick reminds us that modern cybersecurity means secure code, too. An ESG survey cited in the article reveals that nearly half of respondents admitted they release vulnerable code into production on a regular basis. Thanks to Sacolick’s hands-on experience with development teams, he’s able to offer a trove of practical remediations for developer managers to embrace, from explicitly documenting code security acceptance criteria to ensuring version control repositories are fully locked down.

The SolarWinds fiasco has proven that enforcing such policies is no longer optional. Coverage of the attack has focused on the backdoor that Russian hackers inserted in SolarWinds’ Orion products, instantly compromising customers who installed the software. Less attention has been paid to the custom malware the hackers created to slip into SolarWinds’ development process undetected and implant that backdoor. Can any software development shop say with confidence that it can withstand such a sophisticated, concerted effort?

Software firms are asking themselves that question right now – while at the same time governments and private enterprises seen as high-value targets are furiously vetting their operations to see if they’ve fallen victim to other compromised code. True, this is merely the latest battlefront against a global horde of cybercriminals, from script kiddies to malicious hackers to state-sponsored masterminds. But no one can accept anything other than the strongest defenses affordable in a war without end.