Written by Simon Church, Chairman, Xalient
As we are in the midst of Cybersecurity Awareness Month, and in the lead-up to our own Secure Connected Future Summit which we are hosting in November, I feel that a lot of the focus when it comes to cybersecurity still tends to be on prevention tactics. However, I would argue that it is not just about having the right defensive cybersecurity tools in place, but it is also about understanding how the organization will recover from an incident – how quickly and at what cost to the business. The focus should also be on having a robust cyber risk management strategy in place. Here I outline five key tips for organizations to consider when devising their cyber risk and resiliency plans.
1. Dry-run your recovery plan
Today, being impacted by a cybersecurity incident is unfortunately almost inevitable, and therefore companies also need to consider whether they can recover, how long recovery will take, whether employees can continue to work, what applications and data they will recover first, and the cost of recovery to the business.
In particular, I would urge organizations to make sure they dry-run their recovery plan, so that in the event of an attack they know they are prepared and understand the process and who is doing what. And I’m not just talking about technology here, but people and processes. For example, what communications about the attack will they share with employees, customers, and other stakeholders? What do they want employees to do? What do they want senior executives and the board to do? All too often I see organizations assume that because they have the technology in place, it will magically and seamlessly recover their systems, but they neglect the fine detail around communications and reassurance. So, it is important to not only have a plan but to dry-run that plan again and again and again.
2. Focus on employee security awareness training
One of the biggest risks to an organization is the human risk, in fact (depending on the sources you refer to) 75-90% of all cyber incidents are human initiated. So, it is very important to focus on having employee security awareness training in play.
Today employees operate in a blended environment, moving seamlessly between work applications and personal apps. Whereas previously they have been prevented from sharing company data outside the network perimeter, in our world of social media we often overshare, which leads to a lot of freely available open-source data, or OSINT.
Cybercriminals use OSINT for social engineering purposes. They gather personal information through social profiles and use this to customize phishing attacks. The most recent MGM breach, for example, was a result of a social engineering attack on an employee who inadvertently gave hackers access to MGM’s systems.
Investing heavily in training to enable employees to make smarter security decisions will help them manage the ongoing problem of social engineering and clever phishing attacks. Performance should also be regularly measured to see how employees are implementing training in the real world, and there must be KPIs around this, that are ideally discussed at senior management or Board level. It is likely that the MGM attack could have been averted if the employee had been more aware and better trained.
3. Implementing data-driven metrics
This is where data-driven metrics are utilized to better monitor and manage the environment and to short-cut some of those labour-intensive tasks. What I’m talking about here is understanding what vulnerabilities to prioritize, what incidents to contain, what are acceptable incident response times. Having visibility and context to prioritize the vulnerabilities that need to be scanned and patched. Without it, security teams are flying blind and attempting to triage thousands of possible threats, while they determine the organization’s exposure.
Additionally, as many breaches utilize a vulnerability or flaw in operating systems’ code, the patching cadence and criticality needs to be agreed and assessed on a regular basis, so that the organization prioritizes patches based on risk to the business. To put this into context, last year there were approximately 20,000 new patches created by software vendors; this year that figure is expected to increase to 22,000. This means that the largest organizations have a backlog of over 100,000 patches to deploy, which is an almost impossible task without clear risk prioritization.
4. Managing third-party cyber risk
And to add to the CISO’s challenges, managing their third parties and any extended ecosystem cyber risk is also critical. It is very difficult from an outside view to determine which third party has strong cyber controls and which ones are already, or likely to be, compromised. Standard risk assessment processes tend to be point in time, involving questionnaires and audits. For cybersecurity, this is a flawed approach that usually leads to risk tolerance or acceptance. Rather than just categorizing third parties as high or low risk, organizations should focus on the nature of the relationship and their adherence to the same security policies and practices implemented by the organization. Do they control sensitive data or have they got access to critical systems?
5. The importance of dynamic risk-based policies
And finally, identity has now become a key security control for access policies and places additional emphasis on the user and device authentication process. Not only does this require constant validation of identities and associated permissions, but this must now also be combined with the behaviour of that identity (be it human or a device) in the wider environment. In other words, it needs to be dynamic so that it can adjust and change as required.
From a security technology perspective, adoption of technologies such as Secure Web Gateways and Zero Trust Network Access as part of a wider SASE implementation can help to consolidate the security platforms needed to enforce the company’s security and risk policies, while also reducing the administrative overhead for security teams.
Cybercrime is predicted to be worth $10.5 trillion dollars by the end of the year. If it were a country, it would equate to the third-largest country in the world, in terms of GDP, so it is clearly big business. Having robust security controls, a solid risk management plan, and dynamic risk policies, as well as a tried and tested recovery plan, won’t totally remove the threat of a cyberattack, but it will certainly reduce not only the probability of a breach but also the impact to the business.
