With global vaccinations finally being deployed, it appears that early 2021 will be a decisive moment in the battle against Covid-19.
If only CISOs could feel equally confident that a similar turning point is looming in the context of cybersecurity.
While physicians and pharmacists are armed with novel new vaccines and therapeutics, CISOs are facing an expanded attack surface and significant shadow IT problems. The Covid-19 pandemic radically accelerated the shift toward telecommuting, disrupted on-premises security testing schedules and created enormous ambient anxiety for attackers to exploit with pandemic-themed attacks.
All of this creates massive new headaches for CISOs and their teams who are tasked with protecting organizational security environments.
Fortunately, there is a prescription for profoundly improved cybersecurity in 2021. And, in many ways, it parallels the same strategy we are executing to beat back the pandemic.
Better hygiene and "cyber vaccination."
The Cost of Inertia
Consider this scenario: You walk into the office on a day much like any other. Except on this day, your team discovers something that makes your stomach drop: An external attacker has penetrated your system. The hours and days pass by in a blur as you attempt to identify the scope of the damage and remediate. You realize this breach will cost the organization millions of dollars and incalculable reputational damage. You're absolutely gutted -- yet you also now realize that your misfortune was not only preventable, but utterly unremarkable by today's standards.
Some 36 billion records were exposed globally by attackers in 2020, according to the 2020 Q3 Data Breach QuickView Report. The average cost of a data breach in 2020 is $3.86 million, according to a new report from IBM and the Ponemon Institute.
CISOs still consider zero-day threats one of the most prominent threats they face. Yet adversaries are using them much less frequently. In truth, the vast majority of cyberattacks are relatively unsophisticated. In fact, they are so simple that the NSA reports 93 percent of them could be prevented just by incorporating some basic best practices.
That's the cost of inaction -- and following status quo thinking about modern threats. So what's the solution?
First, it's critically important to double down on cyber hygiene. Just as it's difficult to break the transmission chain of a virus without personal hygiene, it is exceedingly difficult to maintain organizational security without sound cyber hygiene. As mentioned above, most cyberattacks are unsophisticated attempts to exploit poor cyber hygiene.
Let's take a look at a few things you can do immediately to help ensure this nightmare scenario doesn't unfold on your watch.
Incorporate multi-factor and strong password management. Every security leader understands the value here, but not everyone makes the extra effort to ensure that employees remain compliant. Doing so is one of the most straightforward ways to tighten defenses.
Implement application whitelisting to eliminate unauthorized executable files from doing damage.
Tighten up admin privileges. Periodically review who truly needs them. In this case, it's not good to be generous.
Control Bring Your Own Device (BYOD) practices. Obviously, this is much more difficult to implement when so many people are working remotely, but keeping a tight rein on this can control data leakage and unauthorized downloads and uploads.
Enable full disk encryption. By doing so, you don't have to worry about users deciding which files to encrypt.
Most importantly, invest in more rigorous cyber hygiene training. Human fallibility -- rather than any specific cyber threat -- is the eternal challenge that defenders face. The best way to limit human error is through the development of sound routines. Just like washing hands and brushing teeth become ingrained habits, so should smart password management, for example. The real challenge here, however, is to train people in a way that promotes vigilance. That's not easy, given that most people believe "it won't happen to me" -- right up until the moment it does.
Pairing good cyber hygiene with "cyber vaccines"
With a foundation of sound cyber hygiene in place, you can fully "vaccinate" your organization by integrating security testing tools that allow full visibility into the state of your systems while providing automated and continuous protection.
The tools that best fulfill this objective are breach and attack simulation (BAS) software platforms.
A risk-based VM/VA platform using advanced BAS technology can continuously identify and help remediate the high priority exposures affecting the cyber hygiene of an organization's public and private cloud critical business assets. They work by launching non-stop simulated attacks on security environments, using the same paths and tactics most likely to be chosen by adversaries. By doing so, these platforms can quickly pinpoint vulnerabilities and allow for fast, prioritized remediation.
If you think that sounds like a red/purple team or a pentest, you're right. There is one key difference: Unlike expensive manual testing which is conducted episodically, BAS technology is deployed continuously. This means no "black box" periods in-between tests when new attacks can occur. Instead, you have full visibility, always.
Think of it like this: If a vaccine only allowed you to activate antibodies and t-cells periodically, it wouldn't work. A vaccine must help marshal an immune response any time a threat is present to provide continuous protection.
Testing operates on a similar principle. If it's not applied continuously, you simply don't know what might be evading your defenses and nesting within your systems, networks and applications, jeopardizing your crown jewel assets.
Automated and continuous testing is the gold standard for protection.
The prescription for a safer 2021
Improving cyber hygiene and incorporating cutting-edge security testing is the best way to "vaccinate" your organization in the coming year. Get these two things right, and your business will stay safer while you sleep easier -- with no visit to the doctor or painful needle jab required.
Gus Evangelakos, Director of North American Field Engineering, XM Cyber