A strong security posture is crucial in an age of growing cybersecurity risks. Fortunately, businesses need not be helpless in the face of danger. There are many positive and proactive ways to identify and manage risks. Indeed, by taking a methodical and holistic approach to cybersecurity, businesses can ensure they strike a robust security posture.
The first step towards a strong security posture is appreciating the profound dangers that businesses face.
Many modern business practices are opening up new fronts of vulnerability for cybercriminals to exploit and attack:
In addition, the cyber attackers themselves are more varied and adept:
Finally, the consequences of attacks are becoming increasingly severe:
You cannot afford to fall for myths of cybersecurity complacency. As Stephane Nappo of Société Générale International Banking puts it, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it”. Avoiding such damaging situations requires a forensic and holistic approach to a company’s security posture.
Your cybersecurity posture reflects the overall level of safety of your entire IT estate. By necessity, it must encompass everything in your IT estate and ecosystem.
For most businesses, that ecosystem is now vast. It includes everything from your hardware and services, to any third-party resources your organization may be subscribed to (e.g. any hybrid technology solutions). If any aspects of your IT estate are left out, these could become potential weaknesses and undermine your posture.
It is crucial to appreciate the different aspects of an effective security posture:
Having identified these five core areas, we can briefly consider a tip for addressing each one.
Each of the five areas above is significant in its own right. Here are a few ways to get started addressing them.
You cannot robustly defend aspects of your IT ecosystem that are not on your radar. Therefore, an accurate and up-to-date inventory of all your IT assets should be at the heart of your security posture. It is crucial—anything missing could become a weak point in your organization, i.e. a potential entry point for an attacker.
This inventory should list everything in your IT estate. Include all your on-site and off-site IT hardware assets. Capture every network and data storage system. It does not matter whether or not they are internet-facing; they could all be vulnerable (even if only to an insider attack), so include them. Detail all applications and services, whether in-house or externally facing. And include all security tools already in use.
Don’t forget any third-party components of your broader IT ecosystem. While not part of your estate, they interact with it and bring additional complexity. This could open up points of weakness for attackers to exploit. Ensure you understand their use, any security issues they raise, and how they interact with the rest of your IT.
Next, identify the relative importance of each asset. Which are more or less critical? What would be the financial or productivity impact if each was compromised? That will help determine which to prioritize.
Once you have identified all the IT assets in your estate, you should evaluate the cybersecurity risk each one poses.
Consider possible attack vectors for each asset. An attack vector is how a cybercriminal might attack an asset. For instance, phishing emails are an attack vector, as are ransomware, credential theft, encryption, and configuration issues. The likely attack vectors will vary between assets. For instance, your ERP inventory management software will face different risks from those of your CI/CD pipeline.
Take the time to assess the risk across your entire IT estate:
The last point is worth emphasizing. These risk assessments are not static; you should review and update them frequently. You are likely to face an ongoing barrage of attacks of multiple types, ranging from application fraud (using fake details on application forms or over-inflating insurance claims) to phishing attacks.
With robust risk assessments in place, you can be confident you are addressing all the pertinent issues, such as having a secure password management system.
By this point, you have fulfilled two crucial requirements of a strong security posture:
You can now form a detailed picture of all your vulnerabilities. You may hear this referred to as your attack surface: the various ways that a determined assailant could try to breach your organization.
You can then assess to what extent your current security controls protect you. You probably already use a range of measures, including DNS filtering, firewalls to protect your networks, virtual private networks (VPN) for remote access to your networks, and various security tools in your DevOps supply chain. But are these enough to counter the risk?
Be sure to consider any third-party tools that your business uses. For example, what security features does your third-party enterprise-grade VoIP have?
Make a detailed assessment of what each security measure offers to address the risks. But also consider what they do not. There will almost certainly be deficiencies if this is the first thorough review.
Worst-case testing and modeling can probe how well your defenses stand up to various potential encroachments, revealing gaps or weaknesses in your security cover. You may discover, for example, vulnerabilities introduced as a result of a recent shift from monolithic application architecture to a microservices approach. You can then take steps to address any identified weaknesses.
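The inventory, per-asset attack vectors and control review described above can be combined into a simple coverage-gap report. This is an added example, not part of the original article; the asset names, the 1-5 criticality scale and the control-to-vector mapping are constructed assumptions to replace with your own data.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (business-critical); assumed scale
    vectors: set          # attack vectors judged relevant to this asset
    controls: set = field(default_factory=set)  # controls currently applied

# Which vectors each control mitigates (constructed mapping, not a standard).
CONTROL_COVERAGE = {
    "dns_filtering": {"phishing"},
    "firewall": {"network_intrusion"},
    "vpn": {"network_intrusion"},
    "password_manager": {"credential_theft"},
    "pipeline_scanning": {"configuration_issue"},
}

def uncovered_vectors(asset):
    """Vectors on the asset that no applied, assessed control mitigates."""
    covered = set()
    for control in asset.controls:
        covered |= CONTROL_COVERAGE.get(control, set())
    return asset.vectors - covered

def gap_report(inventory):
    """(name, criticality, uncovered vectors) rows, most critical first."""
    rows = [(a.name, a.criticality, sorted(uncovered_vectors(a)))
            for a in inventory if uncovered_vectors(a)]
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))

def unknown_controls(inventory):
    """Controls listed on an asset but never assessed: they earn no credit."""
    found = {}
    for a in inventory:
        missing = sorted(a.controls - CONTROL_COVERAGE.keys())
        if missing:
            found[a.name] = missing
    return found

# Constructed sample inventory.
INVENTORY = [
    Asset("erp-inventory", 5, {"phishing", "credential_theft", "ransomware"},
          {"dns_filtering", "password_manager"}),
    Asset("ci-cd-pipeline", 4, {"credential_theft", "configuration_issue"},
          {"pipeline_scanning"}),
    Asset("voip-saas", 3, {"credential_theft", "network_intrusion"}, {"vendor_sso"}),
    Asset("office-wifi", 2, {"network_intrusion"}, {"firewall"}),
]

if __name__ == "__main__":
    for name, crit, gaps in gap_report(INVENTORY):
        print(f"criticality {crit}  {name}: uncovered {', '.join(gaps)}")
    print("unassessed controls:", unknown_controls(INVENTORY))
```

A third-party control that has not been assessed (here the hypothetical `vendor_sso`) is reported separately and counts as no coverage until someone reviews what it actually provides.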
Automation and artificial intelligence (AI) are becoming increasingly crucial tools for cybersecurity. By embedding automation in your security practices, you can improve the speed and accuracy of your defenses without increasing headcount. For example, automation can help identify suspicious behavior. AI can analyze and define the 'normal' behavior of users. Then that learning can power automated, real-time monitoring of all future users.
Another option would be to adopt a system of privileged access management. This is a process whereby employees’ access levels and permissions are restricted to the minimum levels required for them to do their job, thereby lowering the risk of a security breach.
However good your security controls are, you are unlikely to eliminate all the dangers. Even with excellent defenses, attacks may breach them. Therefore, it is essential to have an Incident Response Plan.
It should set out how your business will deal with attacks. It is a set of actions, ready-to-go, as soon as an attack starts. Time is of the essence: Attackers are getting much swifter at carrying out their activities once they have gained access. A strong plan means everyone involved in the response knows what they should do and with whom to liaise. Of course, for all this to work, the Incident Response Plan also needs collective buy-in and support from all key participants.
There should be a focus on lesson learning in the plan. During and after an incident, identify any mistakes made. Investigating what goes wrong will help to refine future responses. However, positivity is crucial. It is about improving future responses, not blame. And it should identify successes, not just missteps.
5. Ongoing collaboration and training
Consider assembling a dedicated IT team to oversee security posture. They should be aware of any changes within or beyond the business that might have an impact. They should be fully involved in the live Incident Response Plan, ready to leap into action should an incident occur.
However, a strong posture requires everyone across the business to play a part. Many cyber attacks succeed due to human error: Employees are tricked into sharing security credentials (e.g. by a social engineering attack) or unwittingly opening an unsafe attachment (via a phishing attack). Well-trained, sensitive employees are some of your best defenses against such dangers.
Put cybersecurity at the heart of your business. By striking a strong security pose, you protect not only your infrastructure, operations, and finances but also your customers and their data. Robust security should be a fundamental component of offering good customer service. Indeed, the reputation of your brand may depend on it.
And do not be content with a plan from yesterday. Adapt your security measures to address changes both within and beyond your organization. Keep on top of the changing dangers. How will you ensure that your posture will evolve to meet any new challenges? What have you learned from any recent mistakes? With a proactive and determined approach—and with a close eye over your entire IT ecosystem—you need to grasp tomorrow's dangers today.