It’s increasingly accepted that the coronavirus pandemic has coincided with an incredible increase in cyberattacks on organizations. Indeed, research from the Cyentia Institute found that approximately 60% of Fortune 1000 companies had suffered at least one breach in recent times, with around 25% of them suffering an attack each year.
This would be bad enough, but Accenture’s State of Cyber Resilience report earlier this year found a worryingly poor state of preparedness for such attacks. The report found that despite a slight increase in investment into cybersecurity, less than 20% of organizations are currently effective in their attempts to prevent cyberattacks. What’s more, organizations are also worryingly slow in responding to the cyberattacks they do face.
It’s perhaps no surprise, therefore, that a recent survey from SolarWinds found that just over half of organizations regard their cybersecurity functions as mature, with budget constraints and a lack of skills and capability to keep abreast of the ever-evolving threat landscape the key barriers to progression. This ongoing game of cat and mouse between hackers and defenders can be extremely challenging to keep on top of, especially if budgets and manpower for cybersecurity are relatively low. There are a few things you can do to improve your cybersecurity maturity, however, that don’t cost the earth and will better prepare you for the growing threat landscape.
Achieving cybersecurity maturity
One of the major factors identified in the SolarWinds research was the relative lack of technological sophistication in many organizations. Even relatively staid and mature technologies, such as endpoint protection, were only present in around 60% of organizations.
Getting this right is a good first step for many organizations, especially as the network perimeter has been expanded by the move towards remote working that has been triggered by the pandemic. Doing endpoint security well can be costly, however, both in terms of acquiring the technology and deploying it throughout your network.
It doesn’t have to be the case, however, and deployment can be made more efficient by a robust construction of risk profiles of the various endpoints across the network. This allows the cybersecurity team to truly prioritize the most important, or the most vulnerable, assets. Teams can also tap into investments in other technologies to help make their budgets go further. For instance, Windows is present in many organizations, so make sure you’re truly utilizing the security functionality present within the platform, especially on lower-risk assets.
You can’t buy maturity
It’s also important to understand that cybersecurity maturity is not simply a case of buying the latest technology. Technologies such as endpoint protection, threat intelligence, and access management are largely foundational technologies, and as with many such technologies, it can be tempting to bypass them in favor of something sexier or to look for features and functionality that are not really required.
A common feature of many of the poorer performing organizations in terms of their cybersecurity maturity is that budgets are tight, so it’s vital that what budgets organizations do have are not wasted on unnecessary things. No organization will have a limitless budget, so a risk-based approach is vital to ensure that the money and talent that is available is deployed in the areas that have been identified as high risk. This is helped by the fact that the market is well stocked with technology that is both capable and cost-effective to help organizations deliver this level of targeted maturity without running after the very latest bit of bling.
One technology that might be well worth considering is automation, especially in a labor market in which cybersecurity skills remain in short supply. The ability to successfully leverage AI and machine learning can allow the talent you do have to spread much further, and truly achieve the ‘augmented intelligence’ so often advertised by the likes of IBM. These automated technologies can perform an array of vital tasks, including threat detection, incident qualification, and prevention of unauthorized movement of data. It’s likely that AI and machine learning will only grow more capable, so in the absence of human talent, this is a key way of making up that shortfall.
A long-term process
With technology such an important part of cybersecurity, it can be tempting to think that achieving security maturity is simply a case of buying technology and forgetting it. While it can indeed be pretty straightforward to deploy the latest technology, or even to give staff a training session on digital hygiene, the reality is that the threat landscape is an ever-evolving one, and true security maturity will require ongoing attention so that gaps are identified and plugged.
There are models and frameworks provided by the likes of the National Institute of Standards and Technology and Energy Department’s Cybersecurity, Energy Security to help you along this path. These help to ensure that the entire organization appreciates the importance of cybersecurity, and works towards it being a part of business as usual.
This culture of cybersecurity awareness will be crucial, as I’ve argued before that technology is nothing without an appreciation of both cybersecurity risk and robust digital hygiene across not only the direct organization, but any stakeholder that interacts with key systems. The SolarWinds survey emphasizes this, as over half of respondents cited insiders, including contractors, as a key threat due to their poor digital hygiene.
There is a growing appreciation of the threat posed by cyber-attacks, but while organizations have been slow to improve their processes, systems, and people to counter this risk, the above should hopefully provide some relatively straightforward ways in which they can shore up their defenses.