Posted on January 19, 2017 by kellyk
With cyber-attacks reaching new heights year after year, organizations all over the world are starting to make security a top priority.
You are likely feeling the pressure to do something, but where should you start?
After all, there are so many security products on the market. From endpoint security and threat intelligence to multi-factor authentication and high-end training, the options seem limitless… and there’s no clear progression from start to finish.
In the coming weeks, we’ll be covering the basics of cybersecurity, including the prerequisites and cultural changes that go along with it.
Here’s How It Should Work
When it comes to cybersecurity, most organizations put the cart before the horse. They assume they need fancy, expensive security products, and end up investing tens or even hundreds of thousands of dollars… before they’ve laid the proper groundwork.
Does that sound like a big deal? It should.
If your organization doesn’t do the basics well, no fancy security product will keep attackers at bay. For example, if you haven’t established a security-conscious culture, implemented a vulnerability and patch management program, or gotten your user access levels under control… nothing else will matter.
But more on that later. For now, here’s what you need to know.
In very basic terms, there are two important metrics to consider: cyber exposure, and cyber maturity.
Cyber exposure is, in essence, how easy and attractive a target your organization is to an attacker. The larger and more complex your organization is, the higher your level of cyber exposure. Naturally, other factors such as storing large quantities of sensitive data also increase your level of cyber exposure.
Cyber maturity is simply a measure of how sophisticated your organization’s security controls are.
And here’s the thing. These two metrics should always rise together. As an organization grows and its network architecture becomes more complex, its level of cyber maturity should increase at the same rate.
For instance, if your level of cyber exposure is considered to be medium, your level of cyber maturity should be at least intermediate. Of course, most of the time, that doesn’t happen.
In reality, organizations experiencing rapid growth often display massive discrepancies between exposure and maturity, assuming that once their growth spurt is over they can always ‘catch up’. Sadly, this is a potentially catastrophic mistake, and here’s why.
Things are Changing
In the past, security regulation has been somewhat lackluster. Regulatory bodies were in place, but they didn’t seem to have all that much power. Even when they did slap someone with a fine, it really wasn’t a big deal.
But that’s not true anymore.
Across the board, regulatory authorities are starting to find their teeth. Fines levied against breached organizations are rising every year, and the trend is set to continue.
And that’s just the start.
Research shows both the number and scale of cyber-attacks are growing year by year, making this a uniquely bad time to be underprepared. Even before fines, the cost of identifying and cleaning up security breaches can be crippling for companies of all sizes.
As a result of all this, industry regulators have started paying much closer attention to cybersecurity. The FFIEC, for instance, has developed an assessment tool to help financial institutions identify their current levels of cyber exposure (inherent risk) and maturity. If, as is often the case, the tool demonstrates an organization’s maturity is lagging behind its exposure, this can prompt the necessary investment decisions.
In the FFIEC’s own words: “If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.”
Do This First
As we’ve already mentioned, most organizations fail to establish the basics of cybersecurity before they move on. To help you escape this trap, we’ve followed the FFIEC’s lead and developed a series of free cybersecurity assessment tools.
Based on the NIST Cybersecurity Framework, the de facto standard for cybersecurity assessment, our tools are in web application form, can be completed in under an hour, and do not require any technical knowledge. We’ve developed separate tools for financial, government, healthcare, higher education, industrial, retail, and SEC/OCIE regulated organizations, based on the specific compliance regulations of each industry.
To help you identify the specific areas in which your organization needs to improve, the tools are split into the separate functions of security: identify, protect, detect, respond, and recover. For instance, your organization may be very good at identifying and protecting against attacks, but not so good at recovering from attacks once they have taken place.
You can quickly identify any potential mismatch between your organization’s levels of cyber maturity and exposure in a given area. For instance, in the identification category, your organization may score low for exposure and intermediate for maturity (as shown in the table below). In that case, there’s nothing to worry about.
If on the other hand, your organization has medium or high exposure but only basic maturity, you’ve identified a serious area of risk.
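The exposure-versus-maturity comparison described above, worked through per NIST CSF function as an added example (this is illustration code, not TraceSecurity's assessment tool). It assumes a three-tier maturity scale (the post names only "basic" and "intermediate"; "advanced" is an assumption) and a pairing rule in which each exposure level requires the maturity tier of the same rank, generalizing the post's "medium exposure needs at least intermediate maturity" rule:

```python
from typing import Dict, List

# The post names low/medium/high exposure and basic/intermediate maturity; the
# "advanced" tier and the pairing rule below are assumptions for this example,
# not values from the post or the FFIEC tool.
MATURITY = {"basic": 0, "intermediate": 1, "advanced": 2}
REQUIRED_MATURITY = {"low": "basic", "medium": "intermediate", "high": "advanced"}
# NIST CSF functions the assessment is split into, per the post.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


def gap_for(exposure: str, maturity: str) -> int:
    """Tiers of maturity the function is short of what its exposure requires.
    0 means maturity meets or exceeds the requirement; >0 is a risk area."""
    required = MATURITY[REQUIRED_MATURITY[exposure]]
    return max(0, required - MATURITY[maturity])


def assess(scores: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Gap per CSF function. scores: {function: {"exposure": .., "maturity": ..}}.
    A missing function raises, so a partial assessment never reads as clean."""
    missing = [f for f in FUNCTIONS if f not in scores]
    if missing:
        raise ValueError(f"assessment incomplete, missing: {missing}")
    return {f: gap_for(scores[f]["exposure"], scores[f]["maturity"]) for f in FUNCTIONS}


def priorities(scores: Dict[str, Dict[str, str]]) -> List[str]:
    """Functions with a shortfall, largest gap first, to order remediation."""
    gaps = assess(scores)
    return sorted((f for f in FUNCTIONS if gaps[f] > 0), key=lambda f: -gaps[f])


# Constructed sample (not real assessment data): strong at identify/protect,
# weak at recover, as in the post's own illustration.
SAMPLE = {
    "identify": {"exposure": "low", "maturity": "intermediate"},
    "protect": {"exposure": "medium", "maturity": "intermediate"},
    "detect": {"exposure": "medium", "maturity": "basic"},
    "respond": {"exposure": "high", "maturity": "intermediate"},
    "recover": {"exposure": "high", "maturity": "basic"},
}

if __name__ == "__main__":
    for fn, gap in assess(SAMPLE).items():
        print(f"{fn:9s} gap={gap}")
    print("remediate first:", priorities(SAMPLE))
```

Functions with a gap of zero are the "nothing to worry about" case; the ordered list is where the post's "serious area of risk" sits, largest shortfall first.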
Security is, by necessity, a complex topic. The network architecture of an average 1,000-person organization is far more complex than it was even ten years ago and bears no resemblance to that of a similarly sized organization in the 1990s.
As a result, effective cybersecurity comprises a number of different disciplines, each of which must be done well. Depending on the scale and complexity of your organization (your exposure, in other words), not all of these disciplines may be relevant, but all should at least be understood.
In basic terms, the various disciplines of cybersecurity look like this:
Organizational — e.g. Policy, governance, risk, compliance
Basic Hygiene — e.g. Network architecture, vulnerability & patch management
People — e.g. Culture, training, habits
Recovery — e.g. Incident response, attack analysis
Next Generation — e.g. Endpoint security, multi-factor authentication
Enterprise — e.g. Threat intelligence, red teams, internal hunting
Over the next several weeks we’ll cover each of these disciplines in turn, and provide recommendations on how you can start improving your organization’s cybersecurity posture. In the meantime, we strongly recommend you make use of our FREE cybersecurity assessment tools to identify areas of security weakness in your organization.
Cyber-attacks continue to pose a growing threat to organizations of all types and sizes. With TraceSecurity’s Cybersecurity Assessment Tool, your organization can quickly and easily evaluate your overall inherent risk and cybersecurity maturity.