IT and advanced technologies are no longer solely responsible for the security of our digital assets. In fact, cybersecurity needs a powerful strategy that involves technology, people and processes. As Internet users thrive in emerging economies, the problems of misinformation and cyberattack faced by “cyber advantaged” countries will be felt around the world.
The difference between a traditional and a holistic cybersecurity approach
IT and top technical products are no more responsible alone for the security of our digital assets. Cybersecurity now needs a strategy. One that involves technology, the people, and the processes. As internet users flourish in the emerging economies, the disinformation and cyberattack challenges experienced by cyber-advanced countries will occur there, too.
More data will be captured, stored, and used, making policy attempts a more urgent need than ever before. In 2020, as we drive toward the Fourth Industrial Revolution, we look at extensive connectivity and digitization.
But, as the latest technologies support economic progress and convenience, they also bring larger security challenges- both in terms of impact and frequency.
Traditionally, cybersecurity began with antiviruses and ended on special suites of software programs that promised to catch malware of all kinds. Today, as the tech space became more complicated, so did these worms and viruses.
Today, we need more than tools and technologies to keep our digital resources secure. In 2020, over 68 percent of business leaders say that the cybersecurity risks facing their organizations are growing.
To address these risks, business leaders will have to arm themselves with the right tools, knowledge, and skills to address issues of data theft and organizational risks. This could include new leadership profiles on the board, enhanced risk assessment and mitigation, and partnerships with external tools and solutions providers to meet cybersecurity responsibilities.
Gaps in building a holistic cybersecurity strategy
Lack of structure
Boards and committees have more reports than they can handle and comprehend. There are several Key Performance Indicators and Key Risk Indicators. These reports are often poorly structured with inconsistent data and too-high levels of details to lead to any significant result or detection. Research says that since security executives work manually on creating spreadsheets by compiling data from these reports, the result is a dissatisfactory compilation for board members.
Lack of clarity
Most reports fail to clearly state the implications of various risk levels for business processes. Board members rarely make sense out of the clutter with technical jargon and short hands. Consequently, they struggle to get a clear idea of their organization’s risk status. Key executives say risk reports are too technical and beyond them.
Lack of consistent, real-time data
Different departments in the same organization often use different and conflicting information to describe and evaluate aspects of cyber risk. Add to this the fact that the underlying data is often too dated to be of any use in managing or handling quickly evolving cyber risks.
"A holistic cybersecurity strategy can address these gaps and help build overall organizational resilience."
Steps to build a holistic cybersecurity strategy
Here’s how an organization can systematically build a holistic strategy to tackle cybersecurity in a fast-paced risk and threat world.
Get a top management overview
A holistic cyber risk management approach has its pre-requisite in a top-management overview of the enterprise and its multi-layered risk landscape.
Here are a few critical pieces in the puzzle:
- Assets – Clearly define your critical digital assets.
- Controls – Use differentiated controls to balance security with flexibility.
- Processes – Build forward-looking cybersecurity processes focused on effective responses in no time.
- Organization – Hire for the right skills, efficient decision making, and install enterprise-wide cooperation.
- Governance – Invest in operational resilience based on transparency into cyber risks.
- Third-parties – Focus on achieving coverage for the entire value chain, including third-party service providers.
Focus on High-Priority Risks
Mitigate the top risks by following this simplistic approach:
- Identify risks – After your information security officers create a list of critical risks, known risks, and potential new risks, establish your organization’s appetite for the identified risks. The cyber resilience of any organization can be measured by how well secured their critical assets are. Involve top management in identifying these risks and assigning them a priority number.
- Analyze and evaluate – After identifying risks, allow internal and external experts to evaluate each risk for its likelihood of occurrence and potential impact. Based on this analysis, risk owners can prioritize areas for risk mitigation, starting from risks that are most likely to take place with the biggest negative impact.
- Treat the risks – Create an overview of all actions taken to mitigate the risks identified and evaluated. Evaluate risk mitigation initiatives on the basis of their effectiveness in reducing the probability of a risk event and the impact such an event might have. If, after risk mitigation, the risk level exceeds limits, additional mitigation measures should be taken.
- Monitor – Monitoring capabilities are the most critical instruments to bring in cybersecurity discipline throughout an organization. The report generated after monitoring activities should be concise, well-written, and free of technical jargon for the convenience of the board members.
As a strong example, we would like to share the works shared by the National Cybersecurity Agency of France (ANSSI). They published a toolbox called “EBIOS Risk Manager” for assessing and treating digital risks which can helps at handling these issues.
Break down silos
Most organizations fail to transform their cyber risk arrangements because of the many disparate functional units or silos that obstruct any change. At many enterprises, data owners and line managers limit their operations to the data pool or business unit for which they are responsible, not looking left or right toward the bigger picture.
The reports that emanate from a wide variety of siloes frustrate decision-makers as they fail to address the bigger picture and keep talking about nonsensical stuff that might not matter in the larger perspective.
This situation can be dealt with by creating a holistic, unified dashboard to reflect the current state of cybersecurity across all critical digital assets. Such a dashboard can force everyone to stick to a common language, common ways to denoting risks, and common guidelines of assessment. But, what if this kind of dashboard was not linked to the ground and to the reality of your security, from a technical point of view?
In order to create a good dashboard, interest groups need to collaborate, harmonize definitions of KRIs, threat levels, and compliances. When talking about holistic cybersecurity, it’s not possible by the individual efforts of a team of tech wizards or business experts.
For real comprehensive cybersecurity, interest groups must come together to comprehend the business implications of technology and the technological requirements of business goals. It’s important to note that holistic cyber risk reporting is as much about the people involved as it is about technology and dashboards.
Successful transformation happens when business owners and key executives are involved from day one and are willing to make tradeoffs to strike a balance between productivity and protection. To aid these decisions, executives will need experienced managers who will ultimately become the carriers of the same ideology of holistic cybersecurity.
Ensure cybersecurity doesn’t prove a roadblock to innovation
Organizational leaders might need to rethink enterprise structures and governance to enable a more robust cybersecurity posture. This is where they need to pay due attention. While cybersecurity is an essential undertaking for businesses of all sizes, it must be integrated into an enterprise from the bottom up such that it does not become a deterrent for innovation and transformation.
For holistic cybersecurity to be feasible for enterprises, it’s important that it supports technological change and advancement and not hinder it.
Invest in cyber insurance
An increasing number of businesses now realize that cyberattacks are an expenditure they need to mitigate. The cost of cybercrime can be calculated as per four disparate cost components- detection and escalation, notification, response, and the cost of customer loss.
A critical part of a holistic cybersecurity strategy is to mitigate the risk of a cyberattack. It’s been estimated that by 2030, the annual gross written premium for cyber insurance will increase by 200 percent, from USD 2.5 billion to USD 7.5 billion.
For large organizations, the cost of a cyber data breach could easily add up to USD 2 million in losses. As businesses get increasingly connected, cybercrimes will not only impact their data and systems but also those of their partners and customers.
This is why many experts encourage companies to explore getting businesses cyber insured. But of course, it will not protect infrastructures, from a technical point of view.
The pre-requisites to a holistic cybersecurity approach
A holistic cybersecurity approach works as an advantage to any organization if it’s taken as a shared responsibility by everyone and not just as a job for a select group of security experts.
We need no statistic to say that people are part of the biggest security risks in any organization. Therefore, it is important to let your people know what needs to be done in a particular security incident.
Business risks can be largely reduced by bringing in this shared responsibility into an enterprise’s culture. To address the human aspect of cybersecurity, foster a security-conscious culture where employees feel encouraged to follow certain procedures.
Managers should convey that security is an organization-wide activity, and the pro-security attitude should be passed from the top of the organization.
Employee training and education can also go a long way in helping your workforce understand potential threats and their duties to follow procedures and processes that help prevent security events.
A culture of responsiveness, reporting, and openness rather than that of blame, shame, and fear can help enterprises build more resilience into their operations to mitigate and limit any damage.
Holistic technologies for a holistic approach
Most companies, even cybersecurity startups, often focus on only one technology vertical. These businesses only try to defend themselves against malware and other immediate threats. Solving one part of the equation without thinking about the complete picture.
Let’s say, a company builds an EDR (Endpoint Detection and Response) strategy. While EDR is an important piece of the cybersecurity puzzle, it isn’t enough in and of itself. EDR enables companies to identify security incidents, investigate them, and remediate them on endpoints. That should be one of your first line of security inside the operating systems, combined with your EPP (Endpoint Protection Platform, antivirus).
A sophisticated EDR might give you the following options to respond to a threat:
- Terminate running malicious processes
- Put specific files in quarantine zones
- Halt process execution on the basis of path, name, argument, parent, etc.
- Block processes from communicating on the network …
This gives a deeper level of visibility into endpoints as EDR identifies and interprets anything unusual living on an endpoint.
Some EDR will also have full rights on all endpoints, which can become extremely dangerous, especially when they can be managed from the Active Directory. That would become a leverage for in depth hacking after an AD get compromised. Of course, it’s not the case with TEHTRIS EDR, as we propose a stronger level of security. But we recommend CISO and Cybersecurity staff to have a look at the risks of adding dangerous powerful agents on all devices, linked to weak points in your infrastructure.
So, EDR offers visibility into your endpoints. But there are limits.
First, EDR alone has blind spots (unless it’s connected to a holistic solution). Second, EDR needs a security staff trained in detection and response, plus skills and time for the integration of the solution. While this is feasible for large enterprises, SMBs might want to check-in on their budgets. And training will not help alone if nobody tries to configure the EDR properly during the integration phase. And then, you also have to maintain these configurations. What if there is a new path of a new product with new Authenticode to analyze, new behaviors of processes? if you have thousands of EDR agents deployed, what will happen if they have no efficient policy to fight against all unknown threats? Even the new ransomware of the day will remain a huge problem.
Finally, EDR doesn’t focus on some details, like network insecurity in your organization. Example, what if all the traffic is allowed from everywhere to everywhere in your organization with a flat network infrastructure? or what if remote accesses easily exist because of compromised VPN? Therefore, threats can come in through a network and move laterally across the network and talk to a remote server, uninhibited. EDR will help, and you definitely need them, as your first weapon. Combined to your EPP (antivirus and endpoint protection), EDR+EPP will not be able to handle everything.
Therefore, now you also need network monitoring and system or application security. If your industry is heavily regulated, you might also need a data and application security system to safeguard your information from data hackers.
To go further, there’s Security Information and Event Management (SIEM). This acts as a hub to integrate flow logs from various sources like systems, networks and applications monitoring logs together under one purview.
In order to go certain steps further in ensuring cyber resilience, you also might want to explore the applications of
- Honeypots (Deceptive Response),
- Network Traffic Analyzers (NTA, NIDS, Flow analysis),
- Security Operation Center (SOC) and Managed Detection Response (MDR),
- Artificial Intelligence and enhanced algorithms (Behavior Analysis),
- Cyber Threat Intelligence (Databases, Sandboxes) and tools with IoC, Hunting,
- Security Orchestration Automation and Response (SOAR)
And then you might think it’s too complex or too expensive? It’s not. It depends on the technology and products you’ll choose.
TEHTRIS XDR Platform is a smart put-together service offering by TEHTRIS to build your holistic cybersecurity program. Efficient, smart and easy. Already deployed in more than 50 countries. It works. We blocked state-sponsored hackers, unknown ransomwares, etc.
The bottom line is, in order to handle global threats, we need a global outlook on cybersecurity, and tools that can help us reach a level of intermediate if not high cyber resilience.
At TEHTRIS, we have a clear understanding of your best cybersecurity strategy and implement it for you.
Any business is as cyber-strong as its weakest link. What are you doing to ensure cyber resilience?