Cyberattacks are inevitable. Find out why experts suggest focusing on cyber-resilience instead of piling on more cybersecurity solutions.
Who’d have thought, “It’s no longer a question of if, but when” would become a time-worn cliche on cybercrime? But it has. Financial losses, scarred reputations, and customer mistrust seem to indicate cybersecurity is a poor gamble and only worth the financial drain to make it difficult for cybercriminals—similar to how door locks keep honest people honest.
Rob Sobers, a software engineer and now VP at Varonis, wrote, “110 Must-Know Cybersecurity Statistics for 2020.” Most reference the success of cybercriminals. For example:
It makes you wonder if being cyber secure is a pipe dream. “Since cyberattacks can’t be avoided, organizations need to become cyber-resilient,” states the authors of the sponsored CircleID article “Being Cybersecure Is Not Enough, Become Cyber-Resilient Instead,” which was written by a team from WhoisXML API, a big data and API company. “In short, they need to be able to bounce back after suffering the consequences of a cyberattack.” The authors offer suggestions on how businesses can become cyber-resilient.
Allocate sufficient money to cybersecurity
The authors agree with the “not if, but when” cliche, adding, “Despite innovations, as evidenced by the development of Threat Intelligence Platforms (TIPs), Security Information and Event Management (SIEM) software, organizations still do not prioritize and allocate enough budget for threat prevention and mitigation.”
The authors admit there is no set rule-of-thumb about how much is the right amount, adding that most allocate less than 1% of their IT budgets for data protection and business resilience, painting the IT personnel responsible into a very small corner.
SEE: 2021 IT budget research report: COVID-19’s impact on projects and priorities (TechRepublic Premium)
Implement zero-trust security
Responsible parties in organizations should bite the bullet and choose security over convenience. For example, zero trust in digital communications means people wanting to communicate with someone within the organization must be verified before any communications will be allowed. This also can apply to remote employees.
“All users who request access to company resources, even those within the network, should be cleared based on variables such as the device used, project type, geographical location, and role,” the authors note. “If anything is amiss, advanced verification has to be done.”
In addition, even with verification, user access should be limited using the least-privilege principle, in which users or processes are only given privileges essential to perform the intended task. For example, there is no need to give a receptionist the privilege of installing software.
In zero trust, those responsible for cybersecurity also need to worry about malicious domains. The authors explain, “To fully implement a zero-trust framework, security teams must perform domain-reputation assessments to prevent access to unreputable domains.”
SEE: COVID-19 has not slowed global zero trust implementations (TechRepublic)
Develop and simulate incident-response plans
The cybersecurity team needs to develop action plans to combat the various types of cyberattacks. These plans often require:
Actionable threat intelligence that can be gleaned from comparisons between internal log data and known Indicators of Compromise from various external sources;
a business-continuity plan that allows the organization to continue despite the damage created by a cyberattack; and
an incident-recovery team that potentially includes security professionals, other IT specialists, lawyers, media-communication officers, and representatives from affected departments.
Something that is often overlooked but vitally important is to include members of affected departments in incident-response plans. “Non-security colleagues may have better ideas than you think,” says Terena Bell in her CSO commentary, “What is cyber resilience? Building cybersecurity shock absorbers for the enterprise.” “Accounting, for example, knows about controls, and they understand the forensic process when something isn’t right in the transaction logs,” she writes.
SEE: Incident response policy (TechRepublic Premium)
Preparation may prevent disaster
Organizations need to prepare because cyberattacks are inevitable. Cyber-resilience enfolds cybersecurity into the process, while including ideas from people who work with the company’s data but are not normally responsible for protecting it. While nobody wants a breach, being resilient when it happens can possibly save your company.