Mature your cyber security plan
As long as we have the internet, we will have cyber security issues. So, instead of bemoaning the fact, we need to be proactive: prevent incidents where we can, and be ready to mitigate them where we cannot.
In the SANS 2023 Security Awareness Report, its summary of the key actions to mature your cyber security awareness programme includes:
- Talking to leadership (and your security team) in terms of risk.
- Creating a sense of urgency.
- Communicating the impact.
- Demonstrating the discrepancy between technical and human-focused security.
- Breaking down your needs.
- Developing partnerships.
“Microsoft enables organisations and individuals to cope with the constant evolution of cyber attacks and threats. Not only do they have a full basket of software tools to help prevent and alleviate the impact of any threats, but they also provide free training resources on the Microsoft LEARN site,” says Emil Henrico, CEO at iSSC.
Microsoft believes basic cyber hygiene prevents 98% of attacks. In today’s digital age, companies are increasingly reliant on technology and online systems to conduct their business. As a result, meeting the minimum standards for cyber hygiene is essential for protecting against cyber threats, minimising risk and ensuring the ongoing viability of the business.
The minimum standards every organisation should adopt are:
- Require phishing-resistant multi-factor authentication (MFA).
- Apply zero trust principles.
- Use modern anti-malware.
- Keep systems up to date.
- Protect data.
MFA does not have to be challenging for the end-user. “We suggest that you use conditional access policies, which allow for triggering two-step verification based on risk detections, together with pass-through authentication and single sign on (SSO). This way you don’t have to endure multiple sign-on sequences to access non-critical file shares or calendars on the corporate network when your devices are current with the latest software updates. Users also won’t have 90-day password resets, either, which will significantly improve their experience,” says Henrico.
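The risk-triggered conditional access policy described in the quote, as an added example that is not part of the article or iSSC's own material: it requires phishing-resistant MFA only when Entra ID sign-in risk detection rates a sign-in as medium or high, so routine sign-ins keep flowing through SSO without an extra prompt. The display name and the excluded group ID are placeholders, and the policy is created in report-only mode so its effect can be reviewed before enforcement.

```powershell
# Requires the Microsoft.Graph PowerShell module and a role that can manage
# conditional access. Example only; not the article's or iSSC's code.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require phishing-resistant MFA on risky sign-ins (example)"

    # Report-only first: evaluate the policy in sign-in logs before enforcing it.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        # The risk trigger from the quote: only medium/high sign-in risk prompts.
        signInRiskLevels = @("high", "medium")
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers  = @("All")
            # Placeholder: group containing emergency-access accounts, kept
            # outside the policy so a misconfiguration cannot lock admins out.
            excludeGroups = @("<break-glass-group-object-id>")
        }
    }

    grantControls = @{
        operator = "OR"
        # Built-in "Phishing-resistant MFA" authentication strength. Assumed ID;
        # confirm it in your tenant with Get-MgPolicyAuthenticationStrengthPolicy.
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

# Create the policy and print the object Graph returns (ID, state, conditions).
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in log entries show the expected users being prompted and nobody unexpectedly blocked, change `state` to `enabled`.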
A zero trust model is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction; asserts least-privilege access; and relies on intelligence, advanced detection and real-time response to threats.
When you adopt a zero trust approach, it becomes possible to:
- Support remote and hybrid work.
- Help prevent or reduce business damage from a breach.
- Identify and help protect sensitive business data and identities.
- Build confidence in your security posture and programmes across your leadership team, employees, partners, stakeholders and customers.
Use extended detection and response (XDR) anti-malware. Implement software that detects and automatically blocks attacks and provides insights to the security operations team:
- Move as much of the work as possible to your detectors.
- Automate alert collection.
- Automate alert prioritisation.
- Automate tasks and processes.
- Monitor the key metrics and tune your sensors and workflows to drive incremental changes.
Unpatched and out-of-date systems are a key reason many organisations fall victim to an attack. Ensure all systems are kept up to date, including firmware, the operating system and applications.
Knowing your important data, where it is located and whether the right systems are implemented is crucial to implementing the appropriate protection.
Data security challenges include:
- Reducing and managing the risk of user errors.
- Classifying data, since manual classification by users is impractical at scale.
- Protecting data once it leaves the network.
- Building a complete strategy that covers both compliance and security.
- Meeting increasingly stringent compliance requirements.
“We simply cannot overemphasise the importance of instituting a comprehensive cyber security plan. The reason why we are so adamant about this is conveyed in the statistics below,” says Henrico:
- The average cost of a data breach in 2022 was USD 4.35 million.(i)
- The median time for an attacker to access your private data through a phishing e-mail is one hour and 12 minutes.(ii)
- Fifteen percent of lifestyle apps are malicious.(iii)
- There are 4 000 password attacks per second.(iv)
As security awareness is ultimately about managing human risks, companies can go a long way by offering cyber security educational and skilling resources.(v) For example, MFA can prevent 99.9% of attacks on accounts and it starts with educating our teams about the importance of MFA.(vi)
(i) Cost of a Data Breach Action Guide, IBM. 2022.
(ii) September 20, 2022.
(iii) Leading malicious mobile app categories worldwide in 2018, Statista. July 7, 2022.
(iv) Microsoft internal data.
(vi) One simple action you can take to prevent 99.9 percent of attacks on your accounts, Melanie Maynes. August 20, 2019.