2020 has been the most challenging year for data security. Pandemic meant that millions of employees worldwide were suddenly working from home. More severe cyber threats — some from highly sophisticated state actors — threatened company databases. And at a regional level, natural disasters disrupted operations and supply chains.
Most organizations were unprepared for the pandemic and the resulting shift from physical offices to working from home. Companies allowed business and function leaders to make piecemeal, ad hoc arrangements to suit the needs of their teams. As a result, IT and security teams often did not know which devices were being used by employees, the applications that were on those devices, whether they had appropriate security patches, the security of Wi-Fi connections, or the prevalence of other connected devices, such as gaming consoles and smart home devices.
Cyberattacks rose 400% in 2020 compared with previous years, primarily due to nefarious players exploiting ill-secured virtual work environments and IT infrastructures that had been adapted on the fly. On average, these attacks cost businesses hundreds of thousands of dollars to address (but often far more) and are a factor in many small and medium-sized enterprises going out of business. Even with U.S. company losses due to cyberattacks nearing a reported $1 trillion by late 2020, a survey of nearly 1,000 organizations found that only 44% had cyber preparedness and incident response plans in place. Worse, just 32% said the plan was actually effective, and typically the board or the C-suite had not been engaged in developing the plan.
Worldwide, more than 100 billion lines of code are created annually, generating millions of vulnerabilities in computers and servers. Many companies report thousands of attacks each month, ranging from the trivial to the extremely serious. Several billion data sets are violated annually. In 2017, hackers produced around 120 million new variants of malware. The total number of malicious software registered by AVTEST is more than 800 million.
Cybercrime is an attractive and highly lucrative business, cybercriminals take every opportunity to exploit weaknesses for quick cash, to exfiltrate data, or to simply disrupt operations, depending on their goal. Attackers have more and better resources at their disposal than ever — both technical and economic. This allows them to develop increasingly sophisticated attacks. This results in more complex and more dynamic threats, in addition to a greater number of attacks.
Equifax, CCleaner, WPA2, Vault7, CIA, KRACK, NSA, WannaCry, Goldeneye/NotPetya, Meltdown/ Specter, the election hacks… These are some of the very recent protagonists of massive infections, theft, personal data leaks, ransomware attacks, hacked applications to launch attacks against an entire country or carry out attacks directed against large specific companies, and vulnerabilities that affect billions of devices.
New techniques for penetrating defenses and hiding malware are allowing threats to remain in corporate networks for long periods without being detected. Nor can internal threats be forgotten. Personnel attacks with privileged access represent one of the greatest threats to the security of corporate and customer data. Investigations conducted by Ponemon Institute point to hackers and criminal insiders as the main culprits of security holes and data leaks
Cyber attacks can have a massive impact on organizations, as well as their customers, partners, employees and the bottom line. They can damage an organization’s brand, reputation, and future prosperity. No cyber security defence is impenetrable. We’ve recently seen breaches on Acer, Microsoft Exchange and SonicWall. A report from Cybint estimates that, on average, there is now a hacker attack every 39 seconds – and the attack vectors are constantly evolving.
In response, organisations around the world are starting to take a new approach to mitigating their cyber risks. A traditional cyber security strategy to try and stop attacks is no longer enough. Instead, organisations must shift from prevention to an ‘assumed breach’ mentality – operating as though a breach has already happened, and ensuring they can recover fast, with minimal damage to operations. Rather than relying on a protective layer of firewalls, anti-malware solutions and intrusion prevention, businesses increasingly understand the need to build cyber resilience beyond these first lines of defence.
The current state of Cyber Resilience
Cyber-resilience is the ability of an organization to maintain its primary goals and integrity in the face of the latent threat of cybersecurity attacks. A cyber-resilient company is one that can prevent, detect, contain, and recover from a cyberattack, minimizing exposure time and the impact of countless serious threats against data, applications and IT infrastructure. And especially against devices, where the organization’s most valuable assets reside, since reaching them also implies attacking the integrity of identities and users. This is how the latest Panda Security report, defines it: ‘Cyber-resilience: the key to business security’.
A cyber-resilient organisation is one that can bounce back quickly because it has solid security structures in place and a robust response plan ready to enact. And despite all the new defense systems, companies still need about 191 days on average to detect a covert attack, improving somewhat on the 201 days that organizations took to detect the gap in 2016. The damage that an attacker can inflict in that timeframe should not be underestimated. The 2016 SANS Institute Survey on Incident Response revealed that 21% of organizations had an MTTD (Mean Time to Detect) of two to seven days, and only 29% could detect an incident in 24 hours or less. The same study indicates that only 18% of organizations could move from detection to response (MTTR) in a day or less. Worse still, 38% of the survey admitted that, in general, they do not respond in less than a week.
Based on a survey of more than 4,600 enterprise security practitioners around the globe, Accenture’s Third Annual State of Cyber Resilience study explores the extent to which organizations prioritize security and the efficiency of their efforts. This is called cyber-resilience in infosec circles, and it refers to an entity’s ability to deliver the intended outcome despite adverse cyber events. The poll included 4,644 executives from companies with annual revenues of at least $1 billion in 24 industries and 16 countries spread evenly around the globe. Despite investing more in advanced cybersecurity technologies over the past three years, only 17% of those surveyed are effectively stopping cyberattacks and finding and fixing breaches fast enough to lessen the impact, the study showed.
Surveyors applied detailed modeling of cybersecurity performance to identify these elite champions that “achieve significantly better results from their cybersecurity technology investments than other organizations.” The top three measures of cybersecurity success for leaders emphasize speed. Leaders prize how quickly they can detect a security breach, how quickly they can mobilize their response and how quickly they can get operations back to normal. Leaders also measure the success of their resiliency—how many systems were stopped and for how long—and precision—improving the accuracy of finding cyber incidents. A second group, comprising 74% of the respondents, was identified as “non-leaders.” These organizations were average performers in terms of cyber resilience.
Leaders were four times more likely than non-leaders to detect a breach in less than a day. When defenses fail, nearly all the leaders fixed breaches in 15 days or less, whereas 64% of non-leaders took 16 days or longer to remediate a breach, with nearly half of them taking more than a month. The report identifies several more key differences in cybersecurity practices between leaders and non-leaders, including that leaders are nearly three times less likely to have had more than 500,000 customer records exposed through cyberattacks in the last 12 months (15% vs. 44%). Leaders were also more than three times as likely to provide users of security tools with required training for those tools (30% vs. 9%).
To increase and maintain their resilience to cyberattacks, companies must adopt a new stance: comprehensive, strategic, and persistent, with a new approach to their security program that can protect without imposing undue restrictions on their business. And this new stance must be based on strengthening preventive defenses, assuming that they can be overcome by the attackers or that they are already present in the organization.
In order to become cyber-resilient, the new approach to security must cover at least the following points:
Cybersecurity must be treated as a corporate risk management problem, and not as a purely IT-based problem. Rather, as data becomes more pervasive across company operations and functions in improving business performance, organizations need a comprehensive approach to cyber resilience. To manage this, companies need to carry out tasks like prioritizing the most valuable assets in the organization, finding out the most relevant threats and adversaries, adopting an ongoing crisis stance, or continually implementing initiatives to minimize risks.
They need to limit the impact of cybercrime to a company’s brand, finance, legal, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.
Prioritize and mitigate risks at all levels of the organization. Companies must take advantage of managed tools, products, and services that automate these functions to profile, catalog, monitor activity (human, data, and infrastructure), and learn from them so that security systems are predictive and accelerate the prevention and/or early detection of adversaries by reducing the level of organizational risk without incurring disproportionate costs, especially operational ones. Manage cyber risk through comprehensive and collaborative management.
Cyber-resilient companies also have to assume that, sooner or later, they will be compromised by a cyberattack. To correctly manage their cybersecurity, organizations need to understand and adopt the ‘cycle of resilience’, whose key phases are:
- In the pre-incident phase, they will have to do so through the ability to better prevent and resist threats, making use of advanced cybersecurity technologies that can detect known and unknown, or zero-day malware.
- During the incident, the resilient attitude is implemented by quickly reacting to sudden threats with detection, containment, and response. For this, it’s necessary to make the most of the new paradigms that are arising as a result of the monitoring and visibility capabilities that Endpoint Detection and Response (EDR) solutions provide.
- The post-incident phase is developed by absorbing impacts while strategic security objectives are still met and the operative environment is reconstructed, in such a way that future sources of threats are eliminated.
Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year, says Jim Alkove, Chief Trust Officer, Salesforce.
A mature cyber resilience approach should be flexible, adaptable, and continuously improving. The businesses need to strengthen the four key pillars: prevention, detection, Threat Hunting, and containment and response and reduction of the attack surface. Adapt continuously to the new techniques and tactics of hackers and other attackers. Being resilient implies that this adaptation has to be carried out in the minimum time interval, at the maximum speed, even in real time.
To achieve this, cyber resilience must rest on people and processes, as well as a combination of technologies. When assessing their security posture, businesses should look for gaps in their security capabilities from a people, processes and technology perspective, and take steps to address these. For example, if staff lack security know-how, can this be fixed by hiring or developing dedicated security experts? And how can we use training to build enhanced security awareness throughout the organisation?
Finally, technology solutions must be able to properly support both people and processes. Organizations should evaluate whether they have adopted the right solutions, whether they are using them to their full potential and how technology could be harnessed more effectively. Many cyber resilience issues are in fact not technology based. Cyber resilience hinges primarily on people and processes. Technology investments come second, and they should be made based on the needs of people and processes, not vice versa.
In addition to well-established cybersecurity practices, cyber resilience encompasses incident response, as well as business continuity and disaster recovery (BCDR). Incidents will almost certainly happen, and the focus is on keeping systems up and running during recovery, to speed up restoration, reduce downtime and minimise the overall impact of an attack.
Management consultancy Accenture recommends organisations follow five key steps.
- Construct a strong defence. This means being alert to the dangers of attack from within and outside the enterprise, putting commensurate measures in place to combat them and preparing a detailed response plan, in the event infiltrators detect a chink.
- Challenge your defences. The only way to tell whether the measures you have in place are adequate is to put them to the test regularly. Contracting this activity out to a third party, regularly or occasionally, can provide an objective perspective on what’s working and what needs to be fixed fast.
- Keep abreast of new technologies. Hackers and cyber-criminals are nothing if not innovative. For enterprises looking to stay a step or several ahead, using the latest technologies – think Artificial Intelligence and machine learning – to speed the threat detection and response process is imperative. Leaders use the technologies that help them achieve their main measures of cybersecurity success—speed of detection, recovery and response—ranking Artificial Intelligence (AI) and Security Orchestration Automation and Response (SOAR) technologies highest. They use advanced technologies to achieve other measures of cybersecurity success—like fewer successful attacks (where Next-Generation Firewall ranks highest), reduced breach impact (where AI ranks highest) and cost reduction (where SOAR ranks highest).Leaders train more. Organizations best at training are 2X better than the rest at defending attacks, faster at discovering and fixing breaches and protect more of their organization with their cybersecurity program.
- Get smarter with intelligence. Resilient organisations are less likely to be blindsided by an attack because collecting and analysing data on network behaviour isn’t an ad hoc activity; it’s part of their regular modus operandi. Solutions which give a clear view of the entire enterprise should be a component of the protection strategy, for organisations which hope to be able to withstand and overcome attacks from anywhere.
- Appoint a Chief Information Security Officer who can sell the case for an enterprise-wide security strategy to the enterprise at large. This is key to ensuring cyber-security is viewed as a business issue, not a technical problem for the ICT team to solve.
The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.
Cyber security frameworks can be useful guidelines for achieving security objectives that lead to risk reduction and cyber maturity. Businesses can use specific aspects or combinations of frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Centre for Internet Security (CIS) Security Controls, to meet their cyber resilience goals.
The CIS Controls cover a prioritised set of actions to identify and protect organisations and their data from known attack vectors. From this list, the most essential controls to implement include inventories of hardware and software assets, continuous patch management, controlled use of account privileges, secure system configuration baselines and the maintenance, monitoring and analysis of audit logs.
Most of these can be achieved with technology that is already in place, by creating new security processes. The CIS controls also map directly to the NIST framework, which compiles industry standards and best practices into a cohesive format to help organisations better manage their risks. This framework is based on the five key functions required for cyber resilience: identify, protect, detect, respond and recover.
The organization’s processes, technologies, tools, and security services must be reviewed and adjusted as threats evolve, as part of a continuous improvement process based on wariness. Being resilient means that this adaptation needs to be carried out as fast as possible, or even in real time. It’s also necessary to create a full register of all assets, from data to applications, and monitor all actions that are carried out with them.