As we quickly approach the last quarter of the year, it’s a good time to reflect on what’s happened thus far in 2019, and where we should focus our energy for 2020.
Recap of 2019 trends and projections from the beginning of the year
Towards the end of last year, Forbes released its list of 2019 cybersecurity projections, as many organizations do. Central themes included predictions on the growth of nations involved in cyber warfare, supply chain attacks, board-level attention to cybersecurity, and an emphasis on the need for holistic enterprise security. Let’s discuss a few:
- Cyberwarfare: From concerns regarding election tampering to the alleged use of social media to influence mass opinion, last year's events led to a prediction that cyberwarfare between countries such as Russia, China, and the United States would increase. How has this prediction fared against reality? It was spot on.
- Supply Chain Attacks: Several incidents and breaches over the last few years have highlighted the risk of supply chain attacks, such as the Target breach, which occurred through the company's HVAC vendor. Supply chain attacks have indeed been a more significant problem in 2019 as third-party breaches have continued to occur.
- Board Level Attention: Cyberwarfare, supply chain attacks, new cyber regulations, and many other risks led to greater visibility on the importance of security within organizations. These risks have the potential to impact a company's operations and bottom line; many businesses now consider cybersecurity a top threat to their livelihood. As such, the concern has been raised to senior executives and boards within organizations. Technology leaders are now tasked with finding creative ways to align and engage these audiences on cybersecurity.
- Holistic Enterprise Security: The final prediction is that companies will take a more holistic enterprise approach to cybersecurity. Good security takes layers of technology, processes, and the right people to pull it all off. It’s proven to be a necessity, yet many companies are still struggling with establishing the right security strategy. This is especially the case in smaller businesses. Attackers know that smaller companies tend to have more lax security controls and thus become easier targets for successful attacks. Meanwhile, a concerning portion of these organizations remains oblivious to cybersecurity risks and how they may impact their organizations.
Where should we focus in 2019?
Whether you aren't confident in your cybersecurity strategy, do not yet have one, or have one that you believe is stellar, start by thinking about what holistic enterprise security should look like within your environment. As you think about how you want to finish the year, and begin strategizing for 2020, here are some key questions to ask:
- What are my most critical objectives as a company? This is a fundamental question. A holistic security strategy must start with the objectives of the business. Most security professionals are taught that their mission is to protect the confidentiality, integrity, and availability of essential systems and data. While this is true, the next question is which systems you should focus on safeguarding, and which data. To figure out what you need to protect, you must understand what is vital to your business. Is it the safety of your customers? Operational reliability? Customer satisfaction? Whatever the business priorities are, start with an outline of those. This isn't the time to think only about what objectives are essential for cybersecurity; think holistically for the entire business.
- What functions support those objectives? Now that you have all of the objectives, the following steps drill deeper into the layers of the organization to get you closer to understanding where you should focus. What functions support each of those objectives? These shouldn't be long sentences. These should be two- to three-word components that exist within the company to enable you to meet your goals. Once you have the list of objectives and functions, you'll need to outline which ones are most important. Think about which functions, if removed, would be detrimental to your company or result in a level of impact you consider unacceptable.
- What assets (people, processes, and technology) support those functions? Once you have a list of the most critical functions in the organization, the real work begins. For each function, which assets are necessary to make it happen? Most companies approach this step purely from a technology perspective, which creates blind spots in the security strategy. Instead, for each function, think about which processes are involved in delivering it. Then think about which people and technologies are included in those processes. You'll find that even in smaller companies, this results in a complicated web of assets, including some that support more than one function. This is where most companies need help untangling the web of assets into manageable buckets, whether through technology or consulting services. Whichever path you choose, this insight will give you what you need to start the discussion of risk and what you need to protect.
- What threats and risks apply to those assets? The best approach to this question depends on the company's level of maturity and understanding of cybersecurity. The idea is to take each of the assets or asset categories identified in step 3 and brainstorm potential risks and threats. It may help to start by creating a list of cybersecurity risks and trends that apply to a wide variety of industries and then funnel your asset list through it to see what applies.
- How are the assets protected from those risks? The final question is, now that you understand what the risks and threats are to your company – how are you protecting against them? What you’ll get from answering this question is a combined understanding of how you are protecting, or not protecting, what matters most to your company. You’ll start to understand where your gaps are to ensure they are addressed in your 2020 strategy.
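The five questions above form one procedure: objectives, the functions that serve them, the assets behind each function, the threats to those assets, and the controls in place. A small model of that chain makes the gap analysis in the last question mechanical: an asset inherits the criticality of the most important function it supports, and any threat to a critical asset with no control against it is a gap. The following is an added example written for this page, not a Veriato tool or code from the original post; the company, its functions, assets, threats, and controls are all constructed for illustration, and the impact scale (1 to 5) and threshold are assumptions.

```python
from dataclasses import dataclass

# Added example: a minimal objective -> function -> asset -> threat -> control
# model with a gap report. All data below is constructed for a hypothetical
# company; nothing here is from the original article.


@dataclass(frozen=True)
class Function:
    name: str
    objective: str          # the business objective this function serves
    impact_if_lost: int     # assumed scale: 1 (nuisance) .. 5 (unacceptable)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "people", "process" or "technology"
    supports: tuple[str, ...]   # names of the functions this asset enables


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: tuple[str, ...]  # names of the assets this threat can hit


@dataclass(frozen=True)
class Control:
    threat: str             # threat name
    asset: str              # asset name
    name: str               # what is actually in place


def asset_criticality(asset: Asset, functions: dict[str, Function]) -> int:
    """An asset is as critical as the most critical function it supports."""
    return max(functions[f].impact_if_lost for f in asset.supports)


def shared_assets(assets: tuple[Asset, ...]) -> list[str]:
    """Assets that support more than one function: the overlaps in the web."""
    return sorted(a.name for a in assets if len(a.supports) > 1)


def gap_report(functions, assets, threats, controls, threshold: int = 4):
    """(criticality, asset, threat) for every threat to an asset at or above
    `threshold` that has no control recorded against it, highest first."""
    fmap = {f.name: f for f in functions}
    amap = {a.name: a for a in assets}
    covered = {(c.threat, c.asset) for c in controls}
    gaps = []
    for t in threats:
        for aname in t.applies_to:
            crit = asset_criticality(amap[aname], fmap)
            if crit >= threshold and (t.name, aname) not in covered:
                gaps.append((crit, aname, t.name))
    gaps.sort(key=lambda g: (-g[0], g[1], g[2]))
    return gaps


# Constructed sample: a small company with three functions.
FUNCTIONS = (
    Function("Order fulfillment", "Operational reliability", 5),
    Function("Customer support", "Customer satisfaction", 3),
    Function("Payroll", "Employee retention", 4),
)
ASSETS = (
    Asset("ERP system", "technology", ("Order fulfillment", "Payroll")),
    Asset("Warehouse staff", "people", ("Order fulfillment",)),
    Asset("Ticketing system", "technology", ("Customer support",)),
    Asset("Vendor remote access", "process", ("Order fulfillment",)),
)
THREATS = (
    Threat("Ransomware", ("ERP system", "Ticketing system")),
    Threat("Third-party credential compromise", ("Vendor remote access",)),
    Threat("Insider data theft", ("ERP system", "Warehouse staff")),
)
CONTROLS = (
    Control("Ransomware", "ERP system", "Offline backups tested quarterly"),
    Control("Insider data theft", "ERP system",
            "Activity monitoring and least-privilege roles"),
)


def example_gaps(threshold: int = 4):
    return gap_report(FUNCTIONS, ASSETS, THREATS, CONTROLS, threshold)


if __name__ == "__main__":
    print("Shared assets:", shared_assets(ASSETS))
    for crit, asset, threat in example_gaps():
        print(f"[{crit}] {asset}: no control against {threat}")
```

Two things fall out of even this toy model that the questions alone do not make obvious: the ERP system is critical because of order fulfillment, not payroll, so its criticality is decided by the worst function it touches; and the two uncovered gaps are a process (vendor remote access) and people (warehouse staff), exactly the categories a technology-only inventory would miss. Lowering the threshold pulls the ticketing system in as a lower-priority item rather than hiding it.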
No matter how large or small a company is, asking these five questions can help serve as a quick gut check on whether you have a solid handle on security in your organization. Without seeking answers to these questions, no matter how much you invest in cybersecurity – you’ll leave expensive blind spots potentially unprotected and exposed.
As you close off the year, spend some time thinking about these questions. If you already have solid answers to them all, then you are in great shape! If you don’t, it’s hard to claim you are taking a holistic enterprise approach to cybersecurity. At which point, you may want to spend some time this year thinking about these questions as you start to plan for 2020.
Do you already know you have blind spots in your strategy when it comes to Insider Threats, Ransomware, or Employee Monitoring? Check out some of Veriato‘s leading-edge technology products, including Cerebral and RansomSafe.