Managing cyber risks is an increasingly difficult challenge. Even as businesses generate more and more data and adopt new technologies and processes, cybercriminals are busy developing new attack strategies and more sophisticated malware. It is little wonder that the number of data breaches has increased by 67% over the last five years, as reported in a study by Accenture and the Ponemon Institute. Indeed, security sprawl and its impact on risk management are constantly discussed at industry events such as Infosecurity Europe 2019, demonstrating that the professional community is quite concerned about how to efficiently manage cyber risk today.
In my line of work, I get to speak with dozens of companies every month, all of which spend considerable time and money in pursuit of enterprise data security. The following are the best practices that I have seen help these organizations successfully manage cybersecurity risks in complex IT environments.
1. Make cybersecurity a strategic business goal.
Organizations often consider cybersecurity to be a technology issue rather than a business concern. This perspective leads IT teams to invest in hot technologies to address urgent security issues, rather than take a strategic approach to cybersecurity. Moreover, there is often a lack of effective communication between the IT department and C-level management; neither side knows how to articulate their needs and work together to reach a decision that supports business goals. As a result, organizations purchase siloed solutions, increasing complexity and making it even more difficult for IT teams to manage cyber risks.
Organizations should change this underlying mindset and establish a dialog between IT teams and non-IT management. One goal of this dialog should be to better prioritize security investments. The person responsible for IT security should provide line-of-business leaders with risk information, highlighting the riskiest areas. This will enable the business leaders to prioritize investments and give the IT department a defined direction for future investment. The second objective of the dialog should be to integrate security throughout all the organization’s business processes. This involves many different areas, from the development of adequate security policies in accordance with a security-by-design framework to educating employees and establishing a security-centric culture. Only through such conversations can organizations align cybersecurity with business strategy and ensure that security acts as a business enabler rather than a roadblock.
2. Maintain a unified security posture.
A critical strategy for reducing cybersecurity complexity is unifying your security posture. Organic growth, mergers and acquisitions (M&A), and other business changes often leave behind a fragmented set of security tools and a hodgepodge of legacy IT systems that likely contain vulnerabilities. A textbook example of M&A cyber risk is Marriott, which recently reported a massive data breach that began years earlier at Starwood, a chain Marriott acquired, evidently without properly taking an inventory of its IT assets. The attackers had gained access to the Starwood guest reservation database, which was merged with Marriott’s reservation system after the acquisition. Another example is Equifax, whose aggressive growth strategy resulted in a complex IT environment with custom-built legacy systems. This made IT security especially challenging and led to the highly publicized data breach.
Organizations that maintain a unified security posture rather than siloed systems have a better chance of detecting vulnerabilities and data breaches in their early stages, when the damage is entirely preventable. To achieve this, organizations should regularly inventory their systems, delete duplicate technologies and replace standalone solutions with cross-system applications. This approach will provide IT teams with a bird's-eye view of risks across the IT infrastructure and simplify risk management. It can also reduce costs, since a unified solution is often cheaper than a set of siloed technologies with excessive or redundant features.
3. Identify your most sensitive data and monitor activity around it.
Experts predict that by 2020, 83% of enterprise workloads will be in the cloud. Therefore, there will be more and more data flowing between on-premises and public, private or hybrid cloud storage. Any sensitive data, such as PII, PCI or PHI data, that pops up in an insecure location will be vulnerable to both insider and outsider threats, which can result in data breaches and fines for non-compliance.
To avoid security incidents, organizations should regularly locate the data they have, classify it according to its sensitivity and implement security controls consistently, starting with the most sensitive data. It is crucial to regularly assess and mitigate data risks like improper configuration and access settings. It is also essential to monitor activity around sensitive data and get alerts about anomalous behavior so suspicious sessions can be terminated quickly.
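As an added illustration of this practice (example code written for this page, not from the article or any product it describes), the script below first classifies constructed sample files by simplified PII/PCI/PHI patterns, then scans constructed access events and alerts on anomalous activity around the sensitive ones: off-hours reads and a burst of sensitive reads by one user within one clock hour. The regexes, file paths, thresholds and business-hours window are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Sensitivity classes named in the article; the regexes are simplified, assumed patterns.
PATTERNS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),       # US SSN-like
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),      # payment-card-number-like
    "PHI": re.compile(r"\bMRN[- ]?\d{6,}\b", re.I),    # medical-record-number-like
}

def classify(text):
    """Return the set of sensitivity labels whose patterns occur in the text."""
    return {label for label, pat in PATTERNS.items() if pat.search(text)}

FILES = {  # constructed sample file contents (hypothetical paths)
    "/hr/payroll.csv": "alice,123-45-6789\nbob,987-65-4321",
    "/finance/cards.txt": "4111 1111 1111 1111",
    "/clinic/notes.txt": "patient MRN-123456 follow-up",
    "/public/readme.txt": "Welcome to the intranet",
}

ACCESS_LOG = [  # constructed sample access events: "timestamp user action path"
    "2019-06-03T09:15:00 alice READ /hr/payroll.csv",
    "2019-06-03T09:20:00 alice READ /public/readme.txt",
    "2019-06-03T02:10:00 bob READ /hr/payroll.csv",
    "2019-06-03T02:11:00 bob READ /finance/cards.txt",
    "2019-06-03T02:12:00 bob READ /clinic/notes.txt",
    "2019-06-03T14:00:00 carol READ /public/readme.txt",
]

def sensitive_paths(files):
    """Step 1: locate and classify data; keep only paths holding sensitive content."""
    return {path: classify(body) for path, body in files.items() if classify(body)}

def detect_anomalies(log, sensitive, business_hours=(8, 18), max_per_hour=2):
    """Step 2: watch activity around sensitive data; alert on off-hours reads and bursts."""
    alerts, per_user_hour = [], Counter()
    for line in log:
        ts, user, _action, path = line.split()
        if path not in sensitive:
            continue  # activity around non-sensitive data is not alerted on
        hour = datetime.fromisoformat(ts).hour
        labels = ",".join(sorted(sensitive[path]))
        if not business_hours[0] <= hour < business_hours[1]:
            alerts.append(f"{user} read {labels} data {path} at {ts} (off-hours)")
        key = (user, ts[:13])  # user + YYYY-MM-DDTHH bucket
        per_user_hour[key] += 1
        if per_user_hour[key] == max_per_hour + 1:
            alerts.append(f"{user} read >{max_per_hour} sensitive files in {ts[:13]} (burst)")
    return alerts
```

In a real deployment the classification step would run over the actual data stores and the events would come from file-server or cloud audit logs; the alert strings here stand in for whatever the monitoring tool raises for a suspicious session.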
4. Empower IT teams to be proactive rather than reactive.
Perhaps one of the most difficult challenges in protecting against cyber threats is the scarcity of cybersecurity talent. (ISC)2 predicts that Europe will face a shortfall of 350,000 cybersecurity professionals by 2022. Without skilled people on board, IT teams struggle to combat evolving cyber threats and meet increasingly tough compliance regulations, especially when they are already overwhelmed by mundane daily tasks like resolving user lockouts, resetting passwords, and keeping systems and applications patched. As a result, IT departments cannot effectively manage cyber risks.
Automating as many routine tasks as possible will free up IT teams to focus on more strategic matters, such as keeping abreast of the threat landscape, improving cyber risk management, and reducing the time to detect and respond to incidents. Moreover, enabling existing staff to be more effective will help the organization weather the current shortage of skilled cybersecurity professionals.
There is no doubt that both data volumes and IT system complexity will continue to grow. The best way to mitigate the associated cybersecurity risks is to follow proven best practices. Great first steps are to align technology to your business; regularly inventory your security solutions to ensure integration and remove duplication; secure your most important data first; and automate routine tasks to improve IT team efficiency.