Alpha Diallo, senior manager of security at Resilience, shares the top four tactics that risk managers can employ to reduce the likelihood of a successful cyber attack on their organisations
From ransomware and data breaches to insider risks, cyber events remain significant sources of financial loss and disruption for companies of all sizes.
Reducing this risk requires understanding a company’s major business priorities, and how you would continue to deliver value to your customers, even during a serious cyber incident.
Building this concept of cyber resilience for your own company is no easy task, as it requires a coordinated effort across an organisation’s risk, cybersecurity, and financial leadership.
But in today’s world of sophisticated cyber adversaries, it is critical to ensure your organisation can take a digital hit, and survive.
Against a dynamic risk such as cyber, a “set it and forget it” approach is not sustainable as cybercriminals continue to find new ways to exploit vulnerabilities.
There are, however, several best practices that we see proving effective in narrowing cyber exposures and improving organisations’ resilience to cyber risk.
Current best practices that cyber insurance underwriters like to see, and which cyber criminals don’t, include:
Security awareness training
In cyber risk management, humans are, ironically, often considered the weakest link in the cybersecurity chain. KnowBe4’s 2023 benchmark even puts phishing success rates as high as 33.2%.
However, with appropriate security awareness training, employees can also become an organisation’s sentinels and identify threats early on.
Training helps establish behavioural expectations and exposes staff to real-world scenarios, showing them what they should look out for, and what to avoid.
Security awareness training is also a good way to discover where in an organisation’s systems users are susceptible to cyber threat vectors, and which behaviours make them more susceptible. That allows the organisation to put in place additional technical controls, or training specific to the employee’s role, to help minimise impact.
Building a security culture in any organisation is not possible without increasing staff awareness. Training can inform and enable everyone in the organisation to take responsibility for increasing cybersecurity as security cannot be the sole responsibility of the security department.
Identity and access management (IAM)
Identity and access management has become the new perimeter in cyber security.
One reason phishing remains a leading vector for harvesting credentials is that criminals understand that the right identity, with the right access privileges, is the equivalent of holding the keys to the castle.
A digital identity can belong to a human as well as a non-human – that is, software or another system that an organisation permits to access its network.
A holistic IAM program is essential to managing all identities within an organisation.
Three tactics have proven especially helpful in strengthening IAM. These are:
- Multi-factor authentication (MFA). This tactic uses hardware tokens or additional means of verifying a user’s identity, such as an alphanumeric code sent to an authorised email or mobile phone. MFA has been demonstrated to stop an attacker who has phished account details or stolen access credentials.
- Privileged access management (PAM). This form of access management can monitor, manage and automate privileged user accounts. PAM is a far better way of controlling system access than simply granting “local admin” rights to multiple users. A zero-trust or least-privilege environment, which is becoming more common in larger networks, requires privileged access management.
- Lifecycle management. The processes in place for managing identities matter because organisations often struggle to keep up as users move to different roles or leave. The current climate of layoffs has created risk for organisations that have not been managing their identities well: there may be users who are no longer with the organisation but still have access to resources. There is a financial angle too, especially for organisations that rely heavily on Software-as-a-Service (SaaS) applications. A good lifecycle management process ensures that when employees leave or switch roles, their access to a SaaS application is removed, reducing the number of users the organisation has to pay for.
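The lifecycle problem described above is, in practice, a reconciliation exercise: compare what HR knows about people with what each application still grants them. The script below is an added example (not code from the article or from Resilience) that does that for one hypothetical SaaS application. All users, roles and dates are constructed sample data, and the four finding categories are one reasonable design rather than a standard.

```python
"""Reconcile an HR roster against a SaaS application's user list.

Added example, not from the article. All users, roles and dates are
constructed sample data; the finding categories are one reasonable
design, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str                 # current job role according to HR
    left_on: Optional[date]   # None while still employed


@dataclass(frozen=True)
class AppAccount:
    user: str
    role: str                 # role the application entitlement was granted for
    last_login: date


# Constructed sample data: what HR knows versus what the application holds.
HR_ROSTER = [
    HrRecord("alice", "finance-analyst", None),
    HrRecord("bob", "sales-rep", date(2024, 3, 15)),   # left the company
    HrRecord("carol", "engineer", None),               # moved from support to engineering
]
APP_ACCOUNTS = [
    AppAccount("alice", "finance-analyst", date(2024, 5, 1)),
    AppAccount("bob", "sales-rep", date(2024, 3, 10)),
    AppAccount("carol", "support", date(2024, 4, 28)),  # entitlement from the old role
    AppAccount("dave", "admin", date(2023, 9, 1)),      # nobody in HR by this name
]
TODAY = date(2024, 6, 1)


def reconcile(roster: List[HrRecord], accounts: List[AppAccount],
              today: date, dormant_days: int = 90) -> Dict[str, List[str]]:
    """Flag accounts that the joiner/mover/leaver process should have handled."""
    hr = {r.user: r for r in roster}
    findings: Dict[str, List[str]] = {
        "leavers": [],        # HR says gone, application still has an account
        "role_mismatch": [],  # mover whose old entitlement was never revoked
        "unknown": [],        # account with no HR owner at all
        "dormant": [],        # no login for a long time; candidate for review
    }
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            findings["unknown"].append(acct.user)
        elif rec.left_on is not None:
            findings["leavers"].append(acct.user)
        elif rec.role != acct.role:
            findings["role_mismatch"].append(acct.user)
        if (today - acct.last_login).days > dormant_days:
            findings["dormant"].append(acct.user)
    return findings


def reclaimable_licences(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts that can be removed outright, which also cuts the SaaS bill."""
    return sorted(set(findings["leavers"]) | set(findings["unknown"]))


def run_demo() -> Dict[str, List[str]]:
    return reconcile(HR_ROSTER, APP_ACCOUNTS, TODAY)


if __name__ == "__main__":
    result = run_demo()
    for category, users in result.items():
        print(f"{category:14s} {users}")
    print("reclaimable  ", reclaimable_licences(result))
```

Run on the sample data, the leaver (bob) and the ownerless account (dave) come out as licences to reclaim, and carol surfaces as a mover whose old "support" entitlement was never revoked. In a real deployment the two inputs would be exports from the HR system and the application's admin API, and the output would feed a ticket or an automated deprovisioning step rather than a print.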
Vulnerability management
In a physical location, doors and windows are considered vulnerabilities because they can provide a ready means of access.
The “doors and windows” in a digital network take the form of open ports, such as the Remote Desktop Protocol, and vulnerabilities and weaknesses that may exist through connected devices or software.
For an organisation seeking to reduce its external footprint, limiting the number of doors and windows it leaves open is essential.
A comprehensive vulnerability management program includes vulnerability scanning, vulnerability assessments and penetration testing, end-of-life system identification and remediation, and patching or hardening systems.
Segmenting critical and older systems within one’s network is vital as well.
As organisations are dealing with vulnerabilities found from vulnerability scans, vulnerability assessments, and penetration tests, they need to think through the risk that the vulnerability poses to them and not rely on just the severity rating of the vulnerability to determine whether it should be fixed.
There are thousands of vulnerabilities out there, so organisations need to ensure they have a process in place to identify the ones that pose the most risk; otherwise they may spend time remediating vulnerabilities that don’t pose a big risk to them, while ignoring the ones that do.
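To make the point above concrete, here is an added example (not from the article) of a risk-based ordering of scan findings. It scales the scanner’s severity score by asset criticality, external exposure, whether exploitation has been observed, and whether a compensating control such as segmentation is already in place. The weights, the criticality scale and the sample findings are constructed assumptions for illustration, and the placeholder IDs are not real vulnerability identifiers.

```python
"""Rank vulnerability findings by the risk they pose, not by severity alone.

Added example, not from the article. The weights, the asset criticality
scale and the sample findings are constructed assumptions for illustration;
the placeholder IDs are not real vulnerability identifiers.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str                 # constructed placeholder, not a real CVE
    cvss: float                  # base severity score, 0.0 to 10.0
    internet_facing: bool        # reachable from outside the network
    asset_criticality: int       # 1 (low) to 3 (critical), set by the business
    known_exploited: bool        # exploitation observed in the wild
    compensating_control: bool   # e.g. segmented off, MFA-gated, isolated EOL host


def risk_score(f: Finding) -> float:
    """Severity scaled by what the asset is worth, how exposed it is,
    whether anyone is actually exploiting it, and what already mitigates it."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= 2          # an open door or window
    if f.known_exploited:
        score *= 2          # attackers have already shown interest
    if f.compensating_control:
        score *= 0.5        # a control reduces risk, it does not remove it
    return score


def by_severity(findings: List[Finding]) -> List[str]:
    """The naive order: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings: List[Finding]) -> List[str]:
    """The order a risk-based process would work in."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample scan output.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, False, 1, False, False),  # critical CVSS, isolated low-value box
    Finding("VULN-B", 7.5, True, 3, True, False),    # internet-facing crown jewel, exploited
    Finding("VULN-C", 5.3, True, 2, True, True),     # medium CVSS but exposed and exploited
    Finding("VULN-D", 9.1, False, 3, False, True),   # critical asset, but segmented
]


if __name__ == "__main__":
    print("by severity:", by_severity(SAMPLE_FINDINGS))
    print("by risk:    ", by_risk(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"  {f.vuln_id}: cvss={f.cvss} risk={risk_score(f):.1f}")
```

On this sample the finding with the highest CVSS (9.8, on an isolated low-value host) drops to the bottom of the list, while a 7.5 on an internet-facing critical system that is already being exploited goes to the top. The exact weights are a business decision; what matters is that exposure, asset value and real-world exploitation enter the decision at all, rather than the severity rating alone.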
Backups
Uninterrupted access to data is critical for virtually all organisations, which is one reason ransomware remains a major cyber threat vector.
Good backups of data not only offer peace of mind but also strengthen an organisation’s position when it experiences a ransomware attack.
Good backups that are readily accessed can make a difference in deciding whether to pay a ransom demand.
Any backup strategy should be sound and tested.
Recommended tactics for backups include:
- keeping multiple copies in multiple locations, if managing one’s own data backups;
- regularly backing up critical systems;
- protecting backups by limiting access, encrypting them, scanning them for malware, and ensuring the files are immutable, that is, they cannot be altered or deleted.
Regularly testing backups to ensure they are ready when needed is also strongly advised.
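The two points above (protect copies against alteration, and test them regularly) can be partly automated. The script below is an added example, not code from the article or from Resilience: it records a keyed manifest of file hashes when a backup is taken, then checks each copy against it and runs a restore drill, reporting altered, missing or unexpected files. Immutable storage prevents alteration; a manifest check like this detects it, and the two complement each other. The sample files are constructed in a temporary directory, and the manifest key is assumed to live outside the backup storage (a secrets manager, for instance) so that whoever can alter the copies cannot also rewrite the manifest.

```python
"""Verify backup copies against a keyed manifest and run a restore drill.

Added example, not from the article. Sample files are constructed in a
temporary directory; the manifest key is assumed to be held outside the
backup storage so that altering a copy cannot also fix up the manifest.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, key: bytes) -> Path:
    """Hash every file in the backup and sign the listing with an HMAC."""
    entries = {p.relative_to(backup_dir).as_posix(): file_digest(p)
               for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest = backup_dir.parent / (backup_dir.name + ".manifest.json")
    manifest.write_text(json.dumps({"entries": entries, "mac": mac}))
    return manifest


def verify_copy(copy_dir: Path, manifest: Path, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the copy matches."""
    doc = json.loads(manifest.read_text())
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, doc["mac"]):
        return ["manifest: MAC mismatch (manifest altered or wrong key)"]
    problems = []
    for rel, digest in doc["entries"].items():
        p = copy_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif file_digest(p) != digest:
            problems.append(f"altered: {rel}")
    present = {p.relative_to(copy_dir).as_posix()
               for p in copy_dir.rglob("*") if p.is_file()}
    problems += [f"unexpected: {rel}" for rel in sorted(present - set(doc["entries"]))]
    return problems


def demo() -> Dict[str, object]:
    key = b"constructed-demo-key"  # assumption: kept outside the backup storage
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        primary = root / "backup-2024-06-01"
        (primary / "db").mkdir(parents=True)
        (primary / "db" / "customers.csv").write_text("id,name\n1,alice\n")  # constructed
        (primary / "config.yaml").write_text("service: billing\n")           # constructed
        manifest = write_manifest(primary, key)

        # Two offsite copies, as the "multiple copies and locations" tactic suggests.
        copy_a, copy_b = root / "offsite-a", root / "offsite-b"
        shutil.copytree(primary, copy_a)
        shutil.copytree(primary, copy_b)
        # Simulate tampering with the second copy: one record changed, one file added.
        (copy_b / "db" / "customers.csv").write_text("id,name\n1,mallory\n")
        (copy_b / "extra.txt").write_text("not part of the backup\n")

        # Restore drill: restore the good copy somewhere fresh and verify it too.
        restore = root / "restore-drill"
        shutil.copytree(copy_a, restore)
        return {
            "offsite-a": verify_copy(copy_a, manifest, key),
            "offsite-b": verify_copy(copy_b, manifest, key),
            "restore_ok": verify_copy(restore, manifest, key) == [],
            "wrong_key_detected": verify_copy(copy_a, manifest, b"wrong-key")[0].startswith("manifest"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The untouched copy and the restore drill both verify clean; the tampered copy reports the altered customer record and the unexpected file; and a wrong key (or a rewritten manifest) is reported as a manifest failure rather than silently passing. Scheduling a check like this, alongside an actual restore into a test environment, is what turns "we have backups" into "we know the backups work".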
These best practices have proven helpful in reducing cyber risk and obtaining better cyber insurance coverage, but they are only a starting point.
There is no replacement for a strong security culture and that starts at the top.
Aligning senior executives and the entire organisation around which threats matter most to keeping operations running helps everyone stay alert for an attack and respond quickly, so that an incident doesn’t become a crisis.
Alpha Diallo is senior manager of security at Resilience, a company with operations in Europe, the United Kingdom and the United States that helps financial, risk, and information security leaders continuously improve their organizations’ cyber resilience.