What Business Leaders Need to Know About Cybersecurity Preparedness

Author: Joseph Cortese, A-LIGN Technical Knowledge Leader and Research and Development Director
Date Published: 8 April 2022

Editor’s note: The following is a sponsored blog post from A-LIGN:

Many cybersecurity incidents occur when organizations think they’re doing the right thing. Strong antivirus software is in place, employees are using multifactor authentication, and all systems seem to have been properly configured. That feeling of security is exactly when disaster tends to strike.

It’s common knowledge that a cybersecurity incident is not a matter of if, but when. “Why would we invest significant time and resources into improving cybersecurity if that only delays the inevitable?” you may be wondering. The answer is that a proactive approach to strengthening your organization’s incident prevention and response capabilities can make the difference between an intrusion that is quickly snuffed out and a full-blown data breach.

Recent research from IBM puts the average total cost of a data breach at US$4.24 million, and a study from the Ponemon Institute found that a company’s stock drops an average of 5% on the day a data breach is announced. The financial impact of a severe cyber incident is serious business.

Here are three essential concepts to help your leadership team better understand the components of an effective cybersecurity program and get everyone on the same page:

Recognize the Rapidly Evolving Threat Landscape
There’s a common misconception that one big push to shore up cyber defenses will protect your business for years to come. The unfortunate reality is that threat actors have become incredibly sophisticated in their techniques, resulting in a rapidly evolving threat landscape that requires dedicated resources, tools and processes to address appropriately. All three are needed, and none of them can make up for the absence of the others.

Because security is a moving target, organizations must keep their ear to the ground to understand and combat emerging threats and methodologies on an ongoing basis. Usually, only larger organizations and enterprises can justify the cost of a dedicated threat intelligence team. Small to medium-size businesses should purchase tools to help fill these gaps, make sure they are correctly configured, and make sure someone is actually watching their output. Correctly configured technology, coupled with cybersecurity experts, will help your organization safeguard against the latest tactics attackers are using.

That’s why there is great value in leveraging a team that lives and breathes cybersecurity to conduct penetration testing (pen testing), an exercise in which ethical hackers carry out a simulated attack to identify weaknesses in servers, applications, end-user workstations, wireless networks and more. Pen testers use current information about vulnerabilities and exploits to simulate the attack a malicious actor would mount against your organization. A pen test is a snapshot of a single point in time, so regular pen testing is crucial for keeping up with the rapidly changing threat landscape and exercising your business’s incident prevention measures.

Commit to Practicing Cybersecurity Antifragility
I believe that setting a goal of resilience in cybersecurity isn’t enough. Statistician and risk analyst Nassim Taleb, who popularized the “black swan” concept, coined the term “antifragility,” now used across disciplines to describe systems that become stronger as a result of stress or upheaval. “The resilient resists shocks and stays the same; the antifragile gets better,” he writes.

Businesses across all industries should be thinking about how to become more antifragile when it comes to cybersecurity. Consider these three potential outcomes of a security incident:

  • Unprepared (Negative): The incident results in significant damage that takes the business months, or even years, to recover from. In a worst-case scenario, this can cause a business to go bankrupt or shut down.
  • Resilient (Neutral): The incident shocks and disrupts the business to a mild or moderate degree, but it is able to bounce back and resume business as usual. There may be some amount of lasting impact including financial loss, reputation damage, and/or legal problems.
  • Antifragile (Positive): Events proceed similarly to the “resilient” scenario, except the organization takes greater care to analyze all the events surrounding the security incident. This results in a list of lessons learned from the incident, which helps IT and security teams determine how to strengthen areas of weakness.

Having the right technology and processes in place is key to practicing antifragility. Threat actors leave behind a digital footprint that must be closely examined in the aftermath of an attack, and proper logging plays a big role here. If you aren’t gathering logs, even the best cyber forensics team may not be able to accurately recount the details of the incident, such as the timeline of events and how the attackers were able to move laterally through different parts of the network. Logs also need to be shipped off the host and retained, because an intruder with administrative access can simply clear the local copies.

Good logging also enables your organization to develop strategies for catching suspicious activity as early as possible and preventing similar attacks in the future. Automatic alerts in a security information and event management (SIEM) tool let your security team know when something unusual is going on so it can be investigated immediately. Those alerts are only as good as the logs feeding them and the rules written against them, so both deserve regular review.

Understand When (a Lack of) Knowledge Is Power
I always recommend that organizations leverage an established and trustworthy framework, such as the NIST CSF, to serve as a “North Star” for their cybersecurity program. However, I often find that businesses — even those that have been using and building upon a cybersecurity framework for years — have significant gaps that aren’t being addressed. Maybe they took shortcuts early on in the program development, or they decided to use parts of the framework but not all of them. 

In any case, there are hundreds of little things that can accidentally be overlooked in a company’s cybersecurity program, and the rapidly shifting threat landscape only adds to the complexity. Instead of trying to backtrack and determine which individual rules or guidelines weren’t followed correctly, IT leaders need to have a “take stock” moment. Start by asking, “What does my environment look like right now? How would I rate my environment’s security on a scale of one to 10?”

The best CISOs and CIOs are honest about what they don’t know and areas where there is uncertainty. They are open to identifying missing components, filling knowledge gaps, and updating outdated practices. A number of high-profile news stories over the past few years have drawn attention to the fact that even large, well-known organizations that dedicate a great deal of resources toward cybersecurity can fall victim to a major attack, such as ransomware.

Acknowledging that there may be hidden flaws in your organization’s cybersecurity posture is quite empowering because it opens the door for valuable third-party analysis and feedback that can prevent your business from undergoing the next headline-grabbing security incident.

Build a Culture of Continuous Security Improvement
Keeping up with the evolving threat landscape, adopting a mindset that turns incidents into growth opportunities, and admitting what you don’t know or where you could use help all contribute to a culture of continuous security improvement. Cybersecurity is a year-round endeavor, and odds are it will only get more difficult in the years to come. The good news is that finding the right strategic cybersecurity partner to assist you across all of these areas will prepare your systems to stand up against cybersecurity incidents.