By Adam Palmer, Chief Cybersecurity Strategist, Tenable
The COVID-19 pandemic has brought a host of new security challenges for business leaders across the globe. Many businesses continue to operate with a traditional cybersecurity mindset that assets inside the corporate network are safe, while everything else is unsafe. With employees now forced to work at home, using unsecured personal devices and networks, nearly everything is outside the corporate perimeter. Organisations therefore face the new challenge of improving security in a radically changed risk environment.
A recent commissioned study conducted by Forrester Consulting, on behalf of Tenable, showed that 96% of UK businesses suffered one or more business-impacting cyberattacks in the past year. There continue to be new risks and vulnerabilities across numerous new device types and platforms, so perhaps it’s unsurprising that the same study found 63% of respondents in the UK witnessed a dramatic increase in the number of business-impacting cyberattacks over the past two years. The expanded threat landscape has been compounded by the pandemic. Forty-one percent of global decision makers report that their firms have experienced at least one business-impacting cyberattack related to COVID-19.
Despite the prevalence of business-impacting cyberattacks against organisations, business and security leaders are struggling to be aligned. Only four out of 10 security leaders say that they can answer the fundamental question, ‘How secure, or at risk, are we?’ with a high level of confidence. While 96% of respondents in the study said they have developed response strategies to the COVID-19 pandemic, three quarters (75%) of business and security leaders say their COVID-19 response strategies are only “somewhat” aligned. This puts organisations at a huge disadvantage.
How can business and security leaders successfully align to support operations and reduce cyber risk? At a time when organisations are experiencing unpredictability and financial strains, here are some tips for success:
A generic checklist won’t be enough: While the pandemic has given organisations many similar challenges, each business will have unique needs specific to its own new way of working. Business and security leaders cannot afford to take the easy way out and rely on a generic checklist to scan their extended network. Businesses must align on a risk-based vulnerability management approach that focuses on actual flaws being exploited, not generic lists of potential risk.
Understand new patterns: Understanding what is happening in a remote work environment is one of today’s biggest business challenges, particularly as the user base connects from multiple private and public networks, using multiple known and unknown devices, and at unpredictable hours. There is also the complication that employees may have had to relocate from their normal home, or even to a new geo-location. To gain complete visibility of the extended enterprise network, organisations should utilise authenticated agent scans that register and profile all assets being used. This will help the leadership team truly understand the vulnerabilities that have been created by distributed and remote work at home practices.
Identify what is a real versus a theoretical risk: Everything can feel like a priority in times of crisis. The first task is for the leadership team to combine tools and resources to prioritise the most critical risk points and vulnerabilities that exist within the expanded enterprise. Prioritisation focuses resources to the right area, in the right amount, and in the right sequence. This is vital during unpredictable circumstances when resources are short and everyone is overloaded with demands.
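As an added illustration (not code from the article or from Tenable’s products), the following Python model contrasts the generic-checklist ranking warned against above with the risk-based prioritisation the last two tips describe; the finding identifiers, assets, scores and weights are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # constructed placeholder, not a real CVE identifier
    asset: str          # constructed asset name
    cvss: float         # base severity score, 0.0 to 10.0
    exploited: bool     # evidence that the flaw is actually being exploited in the wild
    criticality: int    # business criticality of the asset, 1 (low) to 5 (mission-critical)


# Constructed sample inventory: a mix of remote-work devices and core infrastructure.
FINDINGS = [
    Finding("VULN-A", "home-laptop-finance-01", 6.5, True, 5),
    Finding("VULN-B", "lab-vm-test-03", 9.8, False, 1),
    Finding("VULN-C", "vpn-gateway-01", 7.2, True, 4),
    Finding("VULN-D", "home-laptop-marketing-07", 8.1, False, 3),
]


def generic_order(findings):
    """Checklist approach: rank purely by CVSS base score, ignoring context."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_score(f):
    """Flaws under active exploitation dominate; asset criticality and CVSS break ties.

    The 10x exploitation weight is an illustrative assumption, not a published formula.
    """
    exploit_weight = 10.0 if f.exploited else 1.0
    return exploit_weight * f.criticality * f.cvss


def risk_based_order(findings):
    """Risk-based approach: fix what is being exploited on assets that matter first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def board_summary(findings, critical_threshold=4):
    """Business-terms view: how many exploited flaws sit on mission-critical assets."""
    critical = [f for f in findings if f.criticality >= critical_threshold]
    exploited_on_critical = sum(1 for f in critical if f.exploited)
    return {"critical_assets_with_findings": len(critical),
            "exploited_on_critical": exploited_on_critical}


if __name__ == "__main__":
    print("generic:   ", generic_order(FINDINGS))
    print("risk-based:", risk_based_order(FINDINGS))
    print("summary:   ", board_summary(FINDINGS))
```

The medium-severity but actively exploited flaw on the finance laptop (VULN-A) moves from last place under the checklist to first under the risk-based ranking, while the critical-CVSS flaw on a throwaway test VM drops to the bottom.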
Speak in business terms: No matter what industry, the Board of Directors will always want to know what risks the organisation is exposed to, and more importantly, what is being done to address them. By adopting a risk-based approach, security leaders can accurately assess and quantify their exposure level. This allows the Board to comprehend the impact to the business should any mission-critical areas be adversely affected. It also allows business leaders to compare that impact against the cost of implementing controls to reduce the risk.
There is no magic cybersecurity bullet: Under pressure, organisations might be tempted to purchase additional tools, hoping that a single purchase order will alleviate the overall risk levels of the organisation. Unfortunately, a magic cybersecurity bullet simply does not exist. Consider using managed service providers to reduce the day-to-day overhead of monitoring risks and vulnerabilities, and also consider utilising training budgets to boost the skills of the internal team so they use existing tools more effectively. It’s imperative that teams better understand the risk environment and systematically demonstrate reduction of risk based on the prioritisation of vulnerabilities, rather than chase an elusive unicorn.
Ultimately, business leaders who align to implement these basic security risk management practices will find they deliver successful results. According to the Forrester study, organisations with business-aligned cybersecurity leaders are eight times more likely to be highly confident in their ability to report on their organisations’ level of security or risk and over three times more likely to have a holistic understanding of their organisation’s entire attack surface. This is vital data in today’s challenging environment with additional uncertainty likely ahead.