As we are in the midst of Cybersecurity Awareness Month and the lead-up to our own Secure Connected Future Summit, which we are hosting in November, I feel that a lot of the focus on cybersecurity still tends to be on prevention tactics.
However, I would argue that it is not just about having the right defensive cybersecurity tools in place. It is also about understanding how the organisation will recover from an incident, how quickly and at what cost to the business. The focus should also be on a robust cyber risk management strategy.
Here, I outline five key tips for organisations to consider when devising their cyber risk and resiliency plans.
Dry-run your recovery plan
Today, being impacted by a cybersecurity incident is, unfortunately, almost inevitable. Companies need to consider whether they can recover, how long recovery will take and whether employees can continue to work. A key challenge is what applications and data they will recover first and the cost of recovery to the business.
In particular, I urge organisations to ensure they dry-run their recovery plan. That way, in the event of an attack, they know they are prepared, understand the process and know who is doing what. I’m not just talking about technology here, but people and processes.
For example, what communications about the attack will they share with employees, customers, and other stakeholders? What do they want employees to do? What do they want senior executives and the board to do?
All too often, I see organisations assume that because they have the technology in place, it will magically and seamlessly recover their systems. But they neglect the fine detail around communication and reassurance. So, it is important to have a plan and dry-run that plan repeatedly.
Focus on employee security awareness training
One of the biggest risks to an organisation is the human risk. Depending on the sources you refer to, 75-90% of all cyber incidents are human-initiated. So, it is very important to focus on having employee security awareness training in place.
Today, employees operate in a blended environment, moving seamlessly between work and personal apps. Previously, they were prevented from sharing company data outside the network perimeter. Today, in our world of social media, we often overshare, which leads to a lot of freely available open-source intelligence, or OSINT.
Cybercriminals use OSINT for social engineering purposes. They gather personal information through social profiles to customise phishing attacks. For example, the most recent MGM breach resulted from a social engineering attack on an employee who inadvertently gave hackers access to MGM’s systems.
Investing heavily in training to enable employees to make smarter security decisions will help them manage the ongoing problem of social engineering and clever phishing attacks. Performance should also be regularly measured to see how employees implement training in the real world. This requires KPIs that are ideally discussed at senior management or Board level. It is likely that the MGM attack could have been averted if the employee had been more aware and better trained.
Implementing data-driven metrics
Data-driven metrics deliver better monitoring and management of the environment. They also short-cut some of those labour-intensive tasks. I’m talking about understanding what vulnerabilities to prioritise, what incidents to contain, and what acceptable incident response times are.
You need visibility and context to prioritise the vulnerabilities to be scanned and patched. Without it, security teams are flying blind and attempting to triage thousands of possible threats while determining the organisation’s exposure.
Many breaches exploit a vulnerability or flaw in operating system code. This requires the patching cadence and criticality to be agreed upon and assessed regularly, so that the organisation prioritises patches based on risk to the business.
To put this into context, software vendors created approximately 20,000 new patches. In 2023, that figure is expected to increase to 22,000. It means the largest organisations have a backlog of over 100,000 patches to deploy. It is an almost impossible task without clear risk prioritisation.
Managing third-party cyber risk
To add to the CISO’s challenges, managing third-party and extended-ecosystem cyber risk is also critical. It is very difficult from an outside view to determine which third party has strong cyber controls and which ones are already, or likely to be, compromised. Standard risk assessment processes involving questionnaires and audits tend to capture only a point in time.
For cybersecurity, this is a flawed approach that usually leads to risk tolerance or acceptance. Rather than just categorising third parties as high or low risk, organisations should focus on the nature of the relationship and their adherence to the same security policies and practices implemented by the organisation. Do they control sensitive data, or have they got access to critical systems?
The importance of dynamic risk-based policies
Finally, identity has now become a key security control for access policies. This places additional emphasis on the user and device authentication process while requiring constant validation of identities and associated permissions. That validation must also be combined with the behaviour of the identity (be it human or a device) in the wider environment. In other words, the policy must be dynamic, adjusting and changing as required.
From a security technology perspective, adopting technologies such as Secure Web Gateways and Zero Trust Network Access as part of a wider SASE implementation can help consolidate the security platforms needed to enforce the company’s security and risk policies. It also reduces the administrative overhead for security teams.
Cybercrime is predicted to be worth $10.5 trillion by the end of the year. If it were a country, it would be the equivalent of the GDP of the third-largest country in the world. It is big business. Having robust security controls, a solid risk management plan, and dynamic risk policies, as well as a tried and tested recovery plan, won’t totally remove the threat of a cyberattack, but it will certainly reduce not only the probability of a breach but also the impact to the business.
Xalient addresses the challenges large global enterprises face around networking and security. Headquartered in the UK and with offices in the USA, Xalient counts Kellogg’s, Hamleys, WPP and Keurig Dr Pepper among its clients. It was established eight years ago to disrupt the traditional markets for secure networking, taking advantage of the huge shift to cloud technology that has created high demand for flexible, cost-effective global connectivity and protection against increasingly complex cyber threats. Xalient combines transformative, software-defined network, security, and communication technologies with intelligent managed services and its AIOps platform, Martina, driving Zero Trust initiatives that keep the world’s largest brands more resilient, adaptable and responsive to change.