Keep your eye on the basics as your cybersecurity strategy evolves
Cybersecurity strategies can rely on advanced technologies to combat complex threats. But sometimes, basic precautions are neglected, leading to breaches that could have easily been avoided.
Cyber criminals are constantly changing and fine-tuning their attack strategies, and we’re seeing many organizations evolve their protection strategy to keep pace with the escalating sophistication of attacks. But a key trend in cyber crime currently involves exploiting weaknesses at a basic level.
The cyber criminals’ strategy is to attempt to acquire sensitive information via multiple approaches over time until successful. This then leads to a much bigger attack. Attacks are custom-built, planned and executed in stages, each with very specific goals. Yet, among all the sophistication, the hackers are still including very simple techniques that they know will work – because some organizations are neglecting the basics of cybersecurity.
Recognizing the initial approach
You may not know it, but your organization is constantly under attack. Persistent attackers build a profile of who and what is vulnerable in the organization, and where the weaknesses are. For example, a small percentage of externally facing Internet Protocol (IP) addresses could easily be probed, and the systems behind them become easy targets if security patches aren’t applied quickly enough.
Here are some of the key areas where your organization may need to tighten up.
- Phishing and spearphishing: some people might be surprised that a random phishing hoax email, or a targeted spearphishing hoax email, is still a legitimate threat. But in a recent test we conducted with a client, 40% of their employees clicked on a dummy phishing email – and not even a particularly sophisticated one. That represents a huge attack surface. A recent EY survey showed that only 38% of organizations assess the phishing attempts they get, so the majority are not paying attention to where these are coming from and how many there are. Yet the same survey showed that organizations reported phishing as the largest cause of their most significant cyber breaches in a 12-month period.
- Waterholing: this is a technique that could rely on email, social media posts or apps, encouraging people to click on a link that promises, for example, a free prize draw. People often fall prey when they are not at work and using social media. It is a major issue if they are using the same device for work, especially if they connect it to the organization’s network.
- Distributed denial of service (DDoS): this is where a coordinated group of hackers bombards a website with so many requests that it stops responding. While this is not a way to steal data in itself, it is largely a diversionary tactic to draw attention away from a much bigger coordinated attack.
- Malware: we tend to think of this as a problem that our antivirus software deals with. But the code used to propagate malware is cropping up in much more sophisticated attacks, as growing libraries of malicious code are being reused. Organizations see the risks as having increased significantly in the past year; for nearly 50%, it is the first or second priority. Paying for off-the-shelf anti-malware software can create a false sense of security, especially if it is not regularly updated – vigilance must be maintained.
- Devices: every device is exposed to cyber risk, so all devices that an employee uses to perform any part of their work present a risk to the organization. Likewise, every piece of technology used to run your business is vulnerable to attack.
Using your people as a line of defense
One key part of addressing the basics is keeping all your people informed. Otherwise, they can present a significant weakness that cyber criminals are desperate to exploit. Every week, employees are likely to receive several phishing emails or encounter the other techniques described above. Even the highly intelligent guardians of sensitive data may be duped by an equally smart hacker. In our recent survey, only one-third of organizations thought that awareness levels around cybersecurity processes were mature. And when over half of organizations say that a lack of skilled resources is a barrier to achieving effective cybersecurity, it makes sense to use every member of the workforce so that they can play a role.
So for all these reasons, everyone in the organization should be included in communications about cybersecurity risks and the evolving strategy to address them. They should also be given compulsory training frequently so their knowledge is kept current. This is an easy win that has a wide impact for a relatively low cost – but for too many organizations, it is not standard practice.
How to address the base-level vulnerabilities
Back in 2014, EY’s Global Information Security Survey (GISS) report identified the hallmarks of organizations that have not moved beyond the lowest level of cybersecurity controls:
- Bolt-on cybersecurity – the organization’s cybersecurity has been added on to business processes and activities, but is not yet integrated into the business. It is seen as a cost that must be controlled rather than an added-value activity.
- A focus on safeguarding the current environment – this starts with addressing the risks the organization is already aware of, based on prior experience.
- A static approach – the cybersecurity strategy is about enabling the business to carry out its day-to-day functions securely. The organization will be rule-based and compliance-driven, relying on metric-driven reporting – there is no anticipation of change.
If this sounds familiar, there are things you must do now:
- Conduct a cyber threat assessment, define a target state and identify gaps on the road map toward it
- Get board-level support and understanding for a security transformation
- Review and update security policies, procedures and supporting standards
- Establish a security operations center (SOC)
- Develop monitoring of known cases and incident response procedures
Now there’s a new base level
Cyber criminals are highly agile, continually changing their approach. This means that there are always new angles you need to consider. So there is now a new base level that every organization should recognize and activate:
- Built-in security – cybersecurity is considered and involved in everything the organization does. Changes in the business are immediately assessed from a cybersecurity perspective, and changing requirements are built in to all business processes.
- A focus on the changing environment – the cybersecurity program continually adapts its risk assessments to ongoing changes in the business and its environment.
- A dynamic approach – the cybersecurity approach is flexible, agile and under constant revision. It continually adapts to better protect the business.
If your organization’s cybersecurity strategy doesn’t meet these criteria, you need to take action:
- Design and implement a cyber threat intelligence strategy to support strategic business decisions
- Define and encompass the organization’s extended cybersecurity ecosystem, encouraging cooperation
- Identify the organization’s most vital cyber assets and understand their value to cyber criminals, then re-evaluate plans to invest in security
- Use forensics and analytics to analyze where the likely threats are coming from and when
- Ensure everyone understands what’s happening, so employees act as the eyes and ears of the entire organization
By making sure your sophisticated cybersecurity strategy covers all these bases, it will be truly fit for purpose.