It’s been a tough time for cybersecurity professionals, and not just because of the financial belt-tightening underway at many companies. Even as organizations are economizing on everything from desk space to free coffee — and sometimes on cybersecurity, too — cyber threats are consistently getting worse. Seventy-six percent of respondents to a survey in the U.S., Canada, U.K., Australia and New Zealand said their organization suffered at least one cyberattack in 2022 — up from 55% in 2020. And no one expects the threat landscape to improve this year.
The reasons more and more organizations are getting hit are twofold: first off, attackers are more sophisticated, organized and well-compensated when they succeed. Many enjoy state sponsorship. Nation-state cyberattacks doubled in 2022, according to Microsoft's Digital Defense Report 2022. Yet secondly, and perhaps most importantly, most organizations are not nearly as ready for cyberattacks as they think they are — despite all their not-insignificant investments in preparation.
With cyberthreats and cyber liabilities more severe than ever before, why are companies still unprepared to handle inevitable cyberattacks? Here are remedies to five key factors driving cyber-unpreparedness:
Use an intelligence-driven approach
Many companies are surprisingly under-informed about the threats they face.
Threat landscapes are evolving, and cybersecurity is no longer one-size-fits-all. Attackers targeting specific sectors or verticals operate according to different modus operandi. An intimate understanding of attacker intentions and methods offsets risk dramatically by helping security leaders focus cybersecurity resources where they are most likely to have a positive impact. Use strategic intelligence to understand attacker motivations, operational intelligence to understand their tactics, techniques and procedures (TTPs) and tactical intelligence to prevent and detect these TTPs. By gaining a 360-degree view of the landscape, security leaders increase both readiness and resiliency.
Adopt sound threat IT hygiene
Cyber hygiene is a bit like dental hygiene: everyone knows what they should do. But there’s a big gap between people knowing that they should brush after every meal and actually brushing.
There are plenty of lists of cyber hygiene best practices. But to get started, make sure there is a top-notch patch management program in place, use least privilege access control whenever possible, implement a strict software usage policy (blacklist/whitelist) and remove unnecessary services or software not used for ongoing business.
Reduce the attack surface
The attack surface is made up of any hardware assets, software systems, business applications and devices directly connected to the internet. Due to the incredible complexity of most organizational digital ecosystems, it is distinctly possible that the threat actors targeting an organization understand the attack surface better than security leaders do.
Change this situation by thoroughly mapping and analyzing the attack surface. Then use intelligence to prioritize cybersecurity efforts based on adversary TTPs. Make sure to remove nonoperational users and their credentials, along with unneeded services. Use network and host-based firewalls, eliminate workstation-to-workstation traffic and adopt a zero-trust approach.
Focus on visibility
Visibility — knowing what assets need to be managed and protected — is fundamental to any cybersecurity strategy. Cyber visibility is more than just knowing what to protect — it also encompasses what to protect it against. As discussed above, identifying threats and understanding them is cyber mission critical.
To ensure maximum visibility of potentially exposed cyber assets, start by deploying a sound audit policy for both local and cloud assets, and rolling out network and endpoint tools like EDR and NDR. Make sure to ship logs to a centralized location and closely monitor the supply chain. Invest in building or buying a SOC for ongoing detection and response.
Define clear policies and procedures
Cybersecurity policies define each person's responsibilities for protecting systems and data. Procedures set the standards of behavior for digital activities and delineate standards for digital activities like introducing new systems and technology.
Policies and procedures are frequently codified at great effort…and even more frequently ignored to great detriment. So, make sure that the policies and procedures are actually implemented. Define user behavior policies, define a clear data classification policy and conduct ongoing employee cybersecurity awareness training. Then, test yourself by adopting periodic red team engagements to test overall security posture.
“Be prepared” is an apt motto for Boy Scouts and the cyber-vulnerable alike. By reviewing cyber exposure and cyber defenses using the most advanced tools available, organizations can ensure that their level of preparedness in practice aligns perfectly with their level of preparedness in theory.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.