We recently hosted an industry lunch to discuss shared challenges businesses are facing with the increase in cyberattacks. Following the event, I thought it worth sharing a few points you should be considering based on the conversations we have had, to help you consider your approach and hopefully help speed up the adoption of change.
I think it is fair to say that most organizations acknowledge the threat cybercrime presents and have already invested significantly (in money and in effort) to reduce the risk of cyberattacks in recent years. Despite businesses choosing from over 3,000 security providers and spending nearly $170 billion globally per year (2022), cyberattacks are still causing huge losses, growing from $3 trillion in 2015 to an expected $10.5 trillion by 2025. This highlights the need for businesses to find better ways to use security tools and build on their capabilities. Businesses need to move to more effective security operations and disrupt the trajectory of cyberattacks.
In one discussion around cyber response, a customer’s made a poignant comment: “After a cyber incident, we won’t be measured on our response but rather on what wasn’t protected”.
I think this is a good summary of the dilemma most businesses face and a good starting point on how to expand the conversation. Two areas Lexel is focused on are:
– Security Challenges
– How to improve effectiveness
Let us break down what each involves:
Security Challenges
From industry best practices and my experience on this topic, I would say the security challenges can be broken down into five primary areas:
1. Malicious activity
Self-explanatory really, all attacks have nefarious intent.
- Cybercriminals are paid to breach your security setup and steal data they can hold for ransom – it’s their job.
2. Compliance drivers
- Often driven by changing regulations.
- Business partners may prescribe minimum security requirements (see Embrace Security Operations below).
- If a breach takes place, fixing the issue is no longer enough, Auditing the Failure is key.
- Assessment of Gaps is a constant requirement. There needs to be: A unit of measure A process to expedite change requirements at a board level Understanding by businesses what the risks truly are (there is nowhere to hide anymore).
- Legal and compliance requirements are increasing and will continue to do so. The time to get your house in order is now.
3. Security dissatisfaction with current tools/approach
Most businesses are operating with good intent. Even when significant investment has been made in tools to protect that business, for many, the cyber threat still exists. This is because of:
- Security dysfunction from the cost of the tools i.e. spending money on multiple tools but not realising the true potential of each.
- It has become too complex to manage.
- Too much noise – simply too many false positives from the tools which makes it exceedingly difficult for businesses to react to genuine threats.
4. Resource Constraints
There is a talent shortage in this space and in reality, one resource is not enough. To effectively protect a business, “eyes on glass” 24/7 is a requirement, not just a “nice to have”. To properly resource a SOC 24/7, you would typically need between 8-12 Security Analysts (depending on size) to account for sick leave, annual leave, shift times. Additionally, “eyes on glass” effectiveness for any resource is generally no more than 4hrs in a single session.
5. Cyber Insurance Gaps
There is often uncertainty as to what is covered by insurance and under what circumstances claims will be paid. Many businesses either have insurance but are not confident claims will be paid or have found it too difficult to get suitable cyber security insurance based on the terms specified by insurance companies. In summary businesses operate under:
- Reduced coverage
- Increased rates
- Ransomwares carve outs (those exclusions of cover introduced by insurance companies)
How to improve effectiveness
Once there is a sound understanding of the Security Challenges above, there is a well-established process that can be followed to improve your current position. This can be broken down as follows:
Optimise:
- Make sure all current security investments are being fully utilised
Leverage your existing data:
There is often significant information available from existing tools set up in a business that you can leverage. By fully understanding what information you already have about your network, you can make more informed decisions about what you need. Ask yourself the following questions:
- Am I generating real value from the information already?
- How am I measuring this success?
- How is success being measured?
- How does the business Embrace Security Operations?
Find a standard that meets your commercial requirements:
If your business has not found a standard to compare against, this should be high on your priority list. There are well-established frameworks like Essential Eight and NIST (National Institute for Standards and Technology) you can investigate. These frameworks will help your business to succeed. Terms to focus on are:
- Identify
- Protect
- Detect
- Respond
- Recover
- In addition to the above, cover all attack surfaces, identified as: Endpoint Network Cloud Identity Human
- Build Resilience
Build an effective Cyber Threat Response:
What is important to note is this is not a single project you set and forget. The art of building a resilient Cyber Threat Response includes:
- Sustain improvements, this is not a single event, rather a lifestyle change
- Add Expertise, this is one of the biggest challenges for any business
- Implement 24×7 protection “eye’s on glass” – arguably the hardest part of the response plan
- Getting ahead of the threat requires applying tactical and strategic actions. This is part of your Cyber Threat Response plan
- There needs to be a mindset that this is a journey not an event. You should strive to constantly elevate and adjust their security posture
In Summary
Managing your cyber threat environment is not about finding one vendor that does everything. Having the ability swap out aspects from time to time is important. Having a Cyber Threat Response is more a process and a construct rather than a specific product.
A Cyber Threat Response should include:
- Prevention
- Detection
- Creating and following a Cyber Respond Plan
- Evaluating and updating to remain compliant and build resilience
If you’d like to discuss further or find out more about how you can set up your own Cyber Threat Response, get in touch with us here.