When we first wrote this article in 2016, the emerging cybersecurity landscape caused immense concern for CISOs and others responsible for ensuring compliance in their organizations, who were often the frontline response teams in contexts where an attack had already happened. Today, nearly five years later, businesses remain woefully exposed to cyber threats that are far more advanced, more complex to predict, and can cause harm at an unprecedented scale.
Plus, the pandemic doesn't help. Everyone is discussing digital transformation, but how many businesses are prepared to handle the threats that come with it?
Businesses that have the will and the requisite technology to prevent such an attack, and those that stay up to date with current trends and newer threats as they emerge, are still equally vulnerable in the context of ransomware-as-a-service (RaaS), state actors and the significantly higher stakes.
In that context, only information can help us, and prevent us from either overcompensating for, or underestimating, the threats that face us today.
How real is the threat of cyber security for your organization? Let’s begin by looking at the numbers.
What the statistics say
The data on cyber threats is distressing, and that’s not just due to the innovative nature of the attacks. The real cyber security threat emerges from the lack of preparation by organizations to stave off potential attacks. And this is where we come face-to-face with the stark reality. Many surveys and research reports highlight this lack of preparation, or sometimes even lack of basic understanding of the issue itself.
Let’s begin with the most recent survey, conducted by Gartner in late 2020. According to it, the pandemic has highlighted newer threat vectors that cybersecurity teams are aware of but not equipped to deal with. Over 50% of all entities are at immediate risk of a cyber attack today. However, the head of cybersecurity is at least two, sometimes three, reports away from the company CEO. And this is the case with a majority of BFSI companies, with those in other industries faring even worse.
This, then, leads us to conclude that the biggest cybersecurity threat to any organization is the failure of the executives to recognize the lack of cybersecurity as a threat. It is indeed a troublesome thought, one that quite clearly bothers Kiran Vangaveti, CEO at BluSapphire. “I believe cybersecurity should be a serious board room discussion with proper accountabilities — today, unfortunately, executives aren't owning cybersecurity & customer data integrity, the result being diluted accountabilities & siloed teams completely lost in handling crucial cyber operations.”
Kiran's words cut to the core of the problem, which is that cybersecurity is treated as an IT problem.
Usually, it is relegated to the dark corners of the office, and the technical staff is left to deal with it. This blatant disregard for securing sensitive customer and financial information, combined with management’s lack of initiative, leads to half-baked cyber security measures, as Trustwave’s State of Risk Report suggests. A majority of the organizations surveyed had partial or no methods at all in place to control and track sensitive data.
The nature of the threats
Apart from the aforementioned problems, the nature of the looming cyber security threats is also disturbing. Each year, cyber attacks grow both in number and destructive capability. One would think that attackers would give it a rest while the world deals with a pandemic, but this isn't the case. Instead, threat actors are now going after life science and pharma companies as a way to arm-twist them into paying ransom.
On a positive note, however, several companies today are aware of their cyber threat risks and deficiencies, and are genuinely keen to rectify these as soon as possible. Most CISOs and CIOs also recognize that such change cannot be linear anymore, and that any cybersecurity solution they use must adapt to the threat landscape at all times.
This thinking is also encouraging them to explore unified tools that can help them cover their bases end-to-end, as opposed to the current practice of using 50-100 individual tools for various needs, much like a patchwork quilt.
What needs to be done?
This is the big question that all organizations need to answer. Yes, lack of cybersecurity poses a real threat, but what can organizations do to prevent security breaches? Fortunately, we have some answers. Here are some of the steps your organization may take in order to prevent, mitigate, and manage cyber threats.
1. Better management
The most significant way organizations need to handle cybersecurity is by getting involved at the top management level. Leaving it for the technical staff to deal with will not bring you any closer to the solution. In fact, it would do just the opposite. Executives need to step up to the task and take responsibility for their actions. Clear roles must be assigned. A cyber attack is much like a PR crisis, and just as companies have a plan for a PR nightmare, it is important to assume any and all worst-case scenarios when it comes to cyber attacks, and have designated roles and response mechanisms in place.
“Gone are the days when cyber security was considered just an IT issue,” says Stuart R. Levine. “Now, it requires a multi-disciplinary approach for preparedness, oversight and execution. For board members, cyber security preparedness is an enterprise risk management priority, involving both management and the board.”
In fact, our team recently came across a tweet regarding cybersecurity reporting and board oversight, and we stand by what we said there.
Managing a crisis, of course, is one aspect. Preventing it is another, and perhaps the more important one. Because today, preventing a major cyber breach is possible. We have at our disposal the power of Machine Learning that automates the entire threat hunting and intelligence gathering process, not just to study present threats but to predict future ones. What we need then, is a tool that allows business leaders to study these threats in the context of their potential outcomes, and manage, prevent, and mitigate them with minimal intervention, or interference with Business As Usual.
2. Employee training
One of the biggest cyber security threats facing your organization is the carelessness of the employees who handle sensitive information. Having weak passwords, losing mobile devices containing sensitive company information, and clicking on suspicious links are some of the actions of the employees that threaten the security of the company. Indeed, insider threats, known and unknown, account for 60% of all causes of a major cyber breach today. While the individual cannot be blamed for struggling to remember a million passwords (and thereby using the same one across platforms), it is important that they are made aware of the consequences, particularly in the context of a hybrid workplace.
Therefore, companies need to comprehensively train their employees on cybersecurity and the proper way to handle company information. By learning to protect themselves online, the employees can also be better prepared to handle company data in a sensitive manner.
3. Data encryption and security updates
Data encryption and running patch management programs on potentially vulnerable software are two of the most basic steps that you can take to prevent cyber attacks. It is essential not just to encrypt all cloud-based data but to use strong encryption, for instance 256-bit AES. It is also essential to regularly update and patch all office software to protect it against the latest cyber threats.
The bottom line? Comprehensive cybersecurity measures were needed yesterday, but today isn't a bad day to get started either. With the right cybersecurity platform, it is possible, and indeed desirable, to make cybersecurity a priority that impacts business success, and the bottom line.
4. Building a solid security operations framework
Deploying functionality that focuses on behavior-driven threat detection specific to compute devices and infrastructure ensures that no silos are built. Using automation across threat detection, response and remediation enables swift control over a potential cyber threat. Here are some steps to consider in this context.
- Equip security operations analysts with the latest industry know-how, and consistently keep what they learn practical.
- Define a solid incident response plan and consistently run mock drills, among business users as well.
- Define solid metrics and processes for both regular security operations and incident response.
- Hold executive reviews of security operations, with ownership of continuous due diligence in upgrading the security operations base to enable better cyber resilience.
Typically, cybersecurity decisions are moved, or stalled, on the basis of their Return On Investment or ROI. We know that a good cyber defense strategy is necessary, but how do we know it is worth it? Here's an article that delves into the ROI of cyber defense in various business contexts.