Our always-connected world makes businesses more agile, efficient, and profitable. A connected enterprise also allows near real-time visibility and control over most dimensions of the business. Reads like a happy story. There is a flip side to the connected enterprise, however. With almost every new instance and mode of connection, the opportunities for malicious intent and cyber risk increase. We frequently hear of big and small corporations being hit by cyber-attacks and suffering consequent financial and reputational damage.
Do these attacks imply that the organizations that were hit did not have cybersecurity set up? Or, did they inadequately prioritize cybersecurity? I am sure the answer is a big "no." Most of them had security setups, tools, outsourcing partners, and processes. They were still hit. The reality is that no one can guarantee bulletproof security. But this certainly does not mean that an organization cannot aspire for a proactive and fit-for-purpose cybersecurity posture.
Where Do You Begin?
Most corporations today have shiny security tooling, and most will also have outsourced their security to a strong service provider, giving a sense of being well protected. The real question is whether they honestly believe they have outsourced their cybersecurity risk to the service provider, and whether they are indeed getting a return on investment from their security tooling and allied frameworks. Believe me, these are tough questions to answer.
Let’s look at the real situation. The security function, in most cases, has grown out of the evolving and expanding IT function, and organizations often haven’t really looked at the design of their security organization in view of their business needs and emerging threats. Security, in most cases, is a bolt-on function, and there is often a lack of direction in terms of a well-thought-out and articulated cybersecurity strategy and road map. Don’t be surprised to find cybersecurity as a couple of paragraphs or pages in the IT strategy/policy document and as a subset of the IT budget. Whether the CISO should report to the CIO has been a point of debate for a while now.
What should be happening is a formal, business-aligned assessment of the internal and external cyber risks, their prioritization, and a cybersecurity vision and strategy document aimed at ensuring an optimal security posture for the corporation, covering organization, operations, assets, tooling, compliance, and risk.
Recent cyber-attacks have shown that corporations can come to an absolute standstill when under attack, and the period of rebuild and recovery is long. Some large organizations that were hit by WannaCry took three to four weeks to get their IT back on the road, and one can well understand the loss of operational productivity and the resultant financial impact. If there was data loss involving PII, the story gets darker.
Consider Your Options
So, what do you do? Just hope that you are not going to be hit? Certainly not. It’s never too late to make an earnest start. There are some options you could consider; let’s take a look:
Tactical: Look at your current setup and just get the basics right.
- Cyber-immunize your enterprise. Undertake patching on a war footing. Ensure a strict employee-awareness program. Do not forget that despite all the tech talk, phishing remains one of the most commonly used attack vectors. Educate and make your employees the human firewall.
- Ensure your endpoint protection is up to date.
- Plug the CMDB inconsistencies between operations and security.
- Check your incident response procedures.
- Run an internal simulation; you could start with a very basic phishing campaign.
- We are all used to the periodic second-Monday-of-the-month fire alarm and drill; why not a small cyber-drill?
Operational: Roll up your sleeves and take a hard look at your defensive posture and start asking tough questions.
- Look at all the security tooling and really ask yourself or your provider whether you are indeed getting true security value from the often-fancy tooling and technologies deployed.
- As an example, look at your DLP solution. How many times has it flagged a possible breach, and what really happened when it did? Then look at your data classification policy; if it is missing or outdated, it is no wonder the DLP solution isn’t working well.
- Review configurations on your perimeter security and monitoring tooling. Do you have a process to review rules that may have become redundant? How often do you review your use cases?
- Is someone looking at patterns in your security tooling and asking tough questions about anomalous patterns? Don’t fall for the trap of someone trying to sell you a new threat hunting solution, some more bodies, or slick talk on AI and correlation. If you have it, great. Hunting should be a routine activity for your L3 security staff.
- If you haven’t already, invest in good threat intelligence.
- Take a hard look at the adequacy and relevance of your security metrics.
- Consider an IR provider.
Strategic: Align with the long-term business vision and strategy.
- Analyze and document external and internal cyber threats that could be detrimental to your business goals. Believe me, insider threat is often not even considered.
- Prioritize your risks and plan on their mitigation. It could mean investing in new tooling, a provider or even cybersecurity insurance cover.
- Align your security strategy with the digital transformation plans of the business and, over time, seriously consider unified cyber defense across your varied attack surfaces: application, infrastructure, data, endpoint, identities, and your OT landscape, if in scope.
- Consider tech-driven security enhancements via MDR/EDR/XDR options peppered with AI/ML/UEBA that fit the digital aims and evolution of the company.
- Do, of course, document your cybersecurity strategy and roadmap.
Depending on where you are in your cybersecurity maturity, you need to decide where to begin!
To find out more about how we can help you, visit our Cybersecurity services page.