Written by Simon Church, Chairman, Xalient
As we are in the midst of Cybersecurity Awareness Month, and in the lead-up to our own Secure Connected Future Summit which we are hosting in November, I feel that a lot of the focus when it comes to cybersecurity still tends to be on prevention tactics. However, I would argue that it is not just about having the right defensive cybersecurity tools in place, but it is also about understanding how the organisation will recover from an incident – how quickly and at what cost to the business. The focus should also be on having a robust cyber risk management strategy in place. Here I outline five key tips for organisations to consider when devising their cyber risk and resiliency plans.
- Dry-run your recovery plan
Today, being impacted by a cybersecurity incident is unfortunately almost inevitable, and therefore companies also need to consider whether they can recover, how long recovery will take, whether employees can continue to work, what applications and data they will recover first, and the cost of recovery to the business.
In particular, I would urge organisations to make sure they dry-run their recovery plan, so that in the event of an attack they know they are prepared and understand the process and who is doing what. And I’m not just talking about technology here, but people and processes. For example, what communications about the attack will they share with employees, customers, and other stakeholders? What do they want employees to do? What do they want senior executives and the board to do? All too often I see organisations assume that because they have the technology in place, it will magically and seamlessly recover their systems, but they neglect the fine detail around communications and reassurance. So, it is important to not only have a plan but to dry-run that plan again and again and again.
- Focus on employee security awareness training
One of the biggest risks to an organisation is the human risk, in fact (depending on the sources you refer to) 75-90% of all cyber incidents are human initiated. So, it is very important to focus on having employee security awareness training in play.
Today employees operate in a blended environment, moving seamlessly between work applications and personal apps. Whereas previously they have been prevented from sharing company data outside the network perimeter, in our world of social media we often overshare, which leads to a lot of freely available open-source data, or OSINT.
Cybercriminals use OSINT for social engineering purposes. They gather personal information through social profiles and use this to customise phishing attacks. The most recent MGM breach, for example, was a result of a social engineering attack on an employee who inadvertently gave hackers access to MGM’s systems.
Investing heavily in training to enable employees to make smarter security decisions will help them manage the ongoing problem of social engineering and clever phishing attacks. Performance should also be regularly measured to see how employees are implementing training in the real world, and there must be KPIs around this, that are ideally discussed at senior management or Board level. It is likely that the MGM attack could have been averted if the employee had been more aware and better trained.
- Implementing data-driven metrics
This is where data-driven metrics are utilised to better monitor and manage the environment and to short-cut some of those labour-intensive tasks. What I’m talking about here is understanding what vulnerabilities to prioritise, what incidents to contain, what are acceptable incident response times. Having visibility and context to prioritise the vulnerabilities that need to be scanned and patched. Without it, security teams are flying blind and attempting to triage thousands of possible threats, while they determine the organisation’s exposure.
Additionally, as many breaches utilise a vulnerability or flaw in operating systems’ code, the patching cadence and criticality needs to be agreed and assessed on a regular basis, so that the organisation prioritises patches based on risk to the business. To put this into context, last year there were approximately 20,000 new patches created by software vendors; this year that figure is expected to increase to 22,000. This means that the largest organisations have a backlog of over 100,000 patches to deploy, which is an almost impossible task without clear risk prioritisation.
- Managing third-party cyber risk
And to add to the CISO’s challenges, managing their third parties and any extended ecosystem cyber risk is also critical. It is very difficult from an outside view to determine which third party has strong cyber controls and which ones are already, or likely to be, compromised. Standard risk assessment processes tend to be point in time, involving questionnaires and audits. For cybersecurity, this is a flawed approach that usually leads to risk tolerance or acceptance. Rather than just categorising third parties as high or low risk, organisations should focus on the nature of the relationship and their adherence to the same security policies and practices implemented by the organisation. Do they control sensitive data or have they got access to critical systems?
- The importance of dynamic risk-based policies
And finally, identity has now become a key security control for access policies and places additional emphasis on the user and device authentication process. Not only does this require constant validation of identities and associated permissions, but this must now also be combined with the behaviour of that identity (be it human or a device) in the wider environment. In other words, it needs to be dynamic so that it can adjust and change as required.
From a security technology perspective, adoption of technologies such as Secure Web Gateways and Zero Trust Network Access as part of a wider SASE implementation can help to consolidate the security platforms needed to enforce the company’s security and risk policies, while also reducing the administrative overhead for security teams.
Cybercrime is predicted to be worth $10.5 trillion dollars by the end of the year. If it were a country, it would equate to the third-largest country in the world, in terms of GDP, so it is clearly big business. Having robust security controls, a solid risk management plan, and dynamic risk policies, as well as a tried and tested recovery plan, won’t totally remove the threat of a cyberattack, but it will certainly reduce not only the probability of a breach but also the impact to the business.