To build resistance to devastating electronic attacks, organizations must take a resilience-focused approach to cybersecurity. Just as improving a company’s sustainability requires consideration of a myriad of factors from production to supply chain to workforce, improving business resilience in the IT environment requires an approach that goes beyond technology purchases. While the “people, process, technology” mantra may sound like the call of the 2000s, it remains relevant in guiding technology efforts in 2022.
One of the most significant positive developments in cybersecurity over the past two decades has been the movement of this topic from the water cooler of the IT department to the boardroom. Most business leaders now consider cybersecurity a concern, and that is a win. But as a robust and rapidly growing market for security-related products and services vies for the attention of buyers, it can be difficult to know where to start.
This article offers guidance on a starting point, seen through the lens of the dimensions of people, process and technology.
We start with the people dimension because it impacts cybersecurity resilience in multiple ways. When it comes to securing infrastructure and managing operational risk, people really are the most important ingredient.
When pressed to choose between cutting-edge technology, an ultra-robust process, or an experienced veteran of the cybersecurity trenches, I would always choose the latter. Unfortunately, this may be easier said than done given the limited number of qualified and experienced staff relative to demand. Consider where augmenting your internal team with external vendors can fill capacity gaps.
Although you can outsource some functions, avoid the trap of abdicating responsibility for cybersecurity. Make sure there is an internal team member accountable and empowered to focus on cybersecurity, even if it is part of a larger role and not a dedicated security role. Stay engaged with external service providers. One way to do this is to ask your service providers to explain the “why” and the “how” of what they do. For example, refer to a recent attack described in the news and ask them to explain how such an attack would be detected and mitigated in your environment.
Outside of the technology organization, it is important to provide understandable and actionable information to employees, contractors, and others concerned with the organization’s security. The most effective security awareness programs include a variety of content and periodically test employee behavior to reinforce awareness messages. Although it is inevitable that some users will fall victim to attacks, well-designed security awareness programs reduce the risk by lowering the number who do.
Formalizing cybersecurity policies and procedures improves resilience. Indeed, policies perform an important governance function and set the tone for how the entire organization will view cybersecurity. Processes improve scalability, reduce errors, and smooth friction points between teams. Expect to be asked about policies and processes by auditors, regulators, business partners, customers and insurance companies.
At a fundamental level, make sure your organization has a cybersecurity policy. It should describe the organization’s overall approach to security, designate roles and responsibilities for governance and enforcement, and outline policies for areas such as information classification, incident management and account management.
Developing a policy does not have to be a long project; small organizations often find it efficient to start with a template and then quickly customize the relevant parts to suit their environment. The Center for Internet Security provides a comprehensive set of policy templates aligned with the NIST Cybersecurity Framework (CSF) standards.
In support of the overall cybersecurity policy, there are a plethora of standards and processes to consider. Organization-specific factors, such as the nature of the business, the complexity of IT operations, and regulatory requirements, should influence which are developed first and when. Consider developing and documenting the following areas first, as they address core capabilities:
- Endpoint protection standards (including mobile device encryption and required security software)
- Audit logging standards (to ensure that all systems generate useful audit logs to help administrators and incident responders)
- Vulnerability detection and management process (including external network perimeter scanning for vulnerable or unexpected systems available on the Internet)
- Patch management process
- Identity and access management standards (including ensuring that administrative accounts have strong, unique passwords that are not the same across multiple systems)
- Incident response process
Finally, we come to the technology dimension, where many industry players start the discussion. If you’ve ever attended a major security conference such as RSA, you might understand the overwhelming feeling that simply walking the trade show floor can bring. Dozens of service companies. Entire categories of products that are new to you. Is that yet another EDR vendor?
Consider implementing the technologies below first, as they reduce the risk of the most common types of attacks, facilitate incident response, and mitigate damage in the event of an attacker’s intrusion.
- Endpoint Detection and Response (EDR) with Next Generation Antivirus (NGAV) functionality: All servers and end-user systems must have agents installed and blocking capabilities enabled.
- Multi-Factor Authentication (MFA): Protect internet-connected systems, including email and VPNs.
- Privileged Access Management (PAM): Ensure at a minimum that systems have unique administrative passwords.
- Resilient Backups: Isolate backup copies so that an attacker who gains access to the network cannot deliberately corrupt them.
- System, patch, and vulnerability management tools: Ensure that every system can be managed, scanned for vulnerabilities, and remediated quickly.
- Understand your Internet footprint: Make sure available services are protected.
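The process standards and the technology list above only improve resilience if someone regularly checks that every system actually meets them. The following is an added example, not code from the article, that turns several of the listed controls (EDR agents with blocking enabled, MFA on internet-facing services, unique administrative credentials, patch and vulnerability management coverage) into an automated gap check over a host inventory. The inventory records and the `admin_cred_fingerprint` field are assumptions: the fingerprint stands for an opaque identifier that a privileged access management or local-administrator-password tool can report, never the password itself, and the sample hosts are constructed for the example.

```python
"""Control-coverage gap check over a host inventory (added example, not from the article)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    internet_facing: bool          # reachable from the Internet (email, VPN, web)
    edr_installed: bool            # EDR/NGAV agent present
    edr_blocking: bool             # agent in blocking mode, not detect-only
    mfa_enforced: bool             # only evaluated for internet-facing hosts
    admin_cred_fingerprint: str    # assumed: opaque id of the local admin credential from a PAM tool
    days_since_patch: int
    managed: bool                  # enrolled in patch and vulnerability management tooling


MAX_PATCH_AGE_DAYS = 30  # assumed patch-management SLA


def find_gaps(hosts):
    """Return {host name: [finding, ...]} for every host that misses a control."""
    gaps = defaultdict(list)
    hosts_by_fingerprint = defaultdict(list)

    for h in hosts:
        # Endpoint Detection and Response: agent installed and actually blocking.
        if not h.edr_installed:
            gaps[h.name].append("edr-missing")
        elif not h.edr_blocking:
            gaps[h.name].append("edr-not-blocking")

        # Multi-Factor Authentication on anything exposed to the Internet.
        if h.internet_facing and not h.mfa_enforced:
            gaps[h.name].append("mfa-missing")

        # Patch and vulnerability management: unmanaged hosts cannot be remediated quickly.
        if not h.managed:
            gaps[h.name].append("unmanaged")
        elif h.days_since_patch > MAX_PATCH_AGE_DAYS:
            gaps[h.name].append("patch-overdue")

        hosts_by_fingerprint[h.admin_cred_fingerprint].append(h.name)

    # Privileged Access Management: the same admin credential on more than one host
    # lets a single compromise move laterally across all of them.
    for names in hosts_by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                gaps[name].append("shared-admin-credential")

    return dict(gaps)


def summarize(gaps):
    """Count findings per control, most common first, to help prioritize remediation."""
    counts = Counter(finding for findings in gaps.values() for finding in findings)
    return dict(counts.most_common())


# Constructed sample inventory; values are illustrative only.
SAMPLE_HOSTS = [
    Host("web-01", True, True, True, False, "fp-A", 5, True),
    Host("db-01", False, True, False, False, "fp-B", 45, True),
    Host("laptop-07", False, False, False, False, "fp-A", 10, True),
    Host("legacy-01", False, True, True, False, "fp-C", 200, False),
]


if __name__ == "__main__":
    found = find_gaps(SAMPLE_HOSTS)
    for host, findings in found.items():
        print(f"{host}: {', '.join(findings)}")
    print("summary:", summarize(found))
```

Run against the sample inventory, the script reports one internet-facing host without MFA, one host whose EDR agent only detects, one unmanaged host, one overdue patch, and two hosts sharing an administrative credential; the summary orders those findings by count so the team can decide what to fix first.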
It’s important to remember that resilience is measured on a continuum and incremental steps can have an impact. Prioritize your efforts. Take a holistic approach that considers dimensions beyond technology. Most importantly, start the journey today.