With cyber-attacks reaching new heights year after year, organizations all over the world are starting to make security a top priority.

You are likely feeling the pressure to do something, but where should you start?

After all, there are so many security products on the market. From endpoint security and threat intelligence to multi-factor authentication and high-end training, the options seem limitless… and there’s no clear progression from start to finish.

Here’s How It Should Work

When it comes to cybersecurity, most organizations put the cart before the horse. They assume they need fancy, expensive security products, and end up investing tens or even hundreds of thousands of dollars… before they’ve laid the proper groundwork.

Does that sound like a big deal? It should.

If your organization doesn’t do the basics well, no fancy security product will keep attackers at bay. For example, if you haven’t established a security-conscious culture, implemented a vulnerability and patch management program, or gotten your user access levels under control… nothing else will matter.

In very basic terms, there are two important metrics to consider: cyber exposure, and cyber maturity.

Cyber exposure is, in essence, how easy and attractive a target your organization is to an attacker. The larger and more complex your organization is, the higher your level of cyber exposure. Naturally, other factors, such as storing large quantities of sensitive data, also increase your level of cyber exposure.

Cyber maturity is simply a measure of how sophisticated your organization’s security controls are.

And here’s the thing. These two metrics should always rise together. As an organization grows and its network architecture becomes more complex, its level of cyber maturity should increase at the same rate.

For instance, if your level of cyber exposure is considered to be medium, your level of cyber maturity should be at least intermediate. Of course, most of the time, that doesn’t happen.

In reality, organizations experiencing rapid growth often display massive discrepancies between exposure and maturity, assuming that once their growth spurt is over they can always ‘catch up’. Sadly, this is a potentially catastrophic mistake, and here’s why.

Things are Changing

In the past, security regulation has been somewhat lackluster. Regulatory bodies were in place, but they didn’t seem to have all that much power. Even when they did slap someone with a fine, it really wasn’t a big deal.

But that’s not true anymore.

Across the board, regulatory authorities are starting to find their teeth. Fines levied against breached organizations are rising every year, and the trend is set to continue.

And that’s just the start.

Research shows both the number and scale of cyber-attacks are growing year by year, making this a uniquely bad time to be underprepared. Even before fines, the cost of identifying and cleaning up security breaches can be crippling for companies of all sizes.

As a result of all this, industry regulators have started paying much closer attention to cybersecurity. The FFIEC, for instance, has developed an assessment tool to help financial institutions identify their current levels of cyber exposure (inherent risk) and maturity. If, as is often the case, the tool demonstrates an organization’s maturity is lagging behind its exposure, this can prompt the necessary investment decisions.

In the FFIEC’s own words: “If management determines that the institution’s maturity levels are not appropriate in relation to the inherent risk profile, management should consider reducing inherent risk or developing a strategy to improve the maturity levels.”

Do This First

As we’ve already mentioned, most organizations fail to establish the basics of cybersecurity before they move on. To help you escape this trap, we’ve followed the FFIEC’s lead and developed a series of free cybersecurity assessment tools.
Based on the NIST Cybersecurity Framework, the de facto standard for cybersecurity assessment, our tools are in web application form, can be completed in under an hour, and do not require any technical knowledge. We’ve developed separate tools for financial, government, healthcare, higher education, industrial, retail, and SEC/OCIE regulated organizations, based on the specific compliance regulations of each industry.

To help you identify the specific areas in which your organization needs to improve, the tools are split into the separate functions of security: identify, protect, detect, respond, and recover. For instance, your organization may be very good at identifying and protecting against attacks, but not so good at recovering from attacks once they have taken place.
You can quickly identify any potential mismatch between your organization’s levels of cyber maturity and exposure in a given area. For instance, in the identification category, your organization may score low for exposure and intermediate for maturity (as shown in the table below). In that case, there’s nothing to worry about.

If on the other hand, your organization has medium or high exposure but only basic maturity, you’ve identified a serious area of risk.
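The mismatch check described above, as an added example that is not part of the original post or of the assessment tools it describes: it scores exposure and maturity per NIST CSF function, applies the rule that medium exposure needs at least intermediate maturity (low needs at least basic), and lists the functions where maturity lags exposure, largest gap first. The three-step scales, the mapping of high exposure to an assumed "advanced" maturity level, and the sample scores are all assumptions made for the example.

```python
# Added example (not from the original post): per-function gap check between
# cyber exposure and cyber maturity. Scales and sample scores are assumed.
from __future__ import annotations

from dataclasses import dataclass

# The five NIST CSF functions the post's tools are split into.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# Ordinal scales (assumed three-step versions of the levels the post names).
EXPOSURE = {"low": 0, "medium": 1, "high": 2}
MATURITY = {"basic": 0, "intermediate": 1, "advanced": 2}

# Minimum maturity required for each exposure level. "medium -> intermediate"
# follows the post; "high -> advanced" is an assumption for this example.
REQUIRED = {"low": "basic", "medium": "intermediate", "high": "advanced"}


@dataclass(frozen=True)
class Finding:
    function: str
    exposure: str
    maturity: str
    gap: int  # required maturity minus actual maturity; > 0 means at risk


def assess(exposure: dict[str, str], maturity: dict[str, str]) -> list[Finding]:
    """Compare exposure and maturity for every CSF function; one Finding each."""
    missing = [fn for fn in FUNCTIONS if fn not in exposure or fn not in maturity]
    if missing:
        raise ValueError(f"no score for function(s): {', '.join(missing)}")
    findings = []
    for fn in FUNCTIONS:
        e, m = exposure[fn].lower(), maturity[fn].lower()
        if e not in EXPOSURE or m not in MATURITY:
            raise ValueError(f"{fn}: unknown level exposure={e!r} maturity={m!r}")
        gap = MATURITY[REQUIRED[e]] - MATURITY[m]
        findings.append(Finding(fn, e, m, gap))
    return findings


def at_risk(findings: list[Finding]) -> list[Finding]:
    """Functions whose maturity lags their exposure, largest gap first."""
    return sorted((f for f in findings if f.gap > 0),
                  key=lambda f: (-f.gap, f.function))


# Constructed sample scores for a hypothetical organization.
SAMPLE_EXPOSURE = {"identify": "low", "protect": "medium", "detect": "high",
                   "respond": "medium", "recover": "high"}
SAMPLE_MATURITY = {"identify": "intermediate", "protect": "intermediate",
                   "detect": "basic", "respond": "basic", "recover": "intermediate"}


if __name__ == "__main__":
    results = assess(SAMPLE_EXPOSURE, SAMPLE_MATURITY)
    for f in results:
        status = "AT RISK" if f.gap > 0 else "ok"
        print(f"{f.function:<9} exposure={f.exposure:<7} maturity={f.maturity:<13} {status}")
    print("priority order:", [f.function for f in at_risk(results)])
```

With the constructed scores, "identify" scores low exposure against intermediate maturity (a negative gap, the no-worry case from the post), "protect" is exactly matched, and "detect", "recover" and "respond" come out as the areas of risk, with "detect" first because it is two levels short.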

Addressing Deficiencies

Security is, by necessity, a complex topic. The network architecture of an average 1,000-person organization is far more complex than it was even ten years ago and bears no resemblance to that of a similarly sized organization in the 1990s.

As a result, effective cybersecurity comprises a number of different disciplines, each of which must be done well. Depending on the scale and complexity of your organization (your exposure, in other words), not all of these disciplines may be relevant, but all should at least be understood.

In basic terms, the various disciplines of cybersecurity look like this:

Organizational — e.g. Policy, governance, risk, compliance

Basic Hygiene — e.g. Network architecture, vulnerability & patch management

People — e.g. Culture, training, habits

Recovery — e.g. Incident response, attack analysis

Next Generation — e.g. Endpoint security, multi-factor authentication

Enterprise — e.g. Threat intelligence, red teams, internal hunting