2020 was quite a year. Cyberattacks against organizations like Twitter, Marriott, Finastra, and MGM showed that tactics such as social engineering, ransomware, and denial of service continue to succeed. The recent SolarWinds attack highlighted the vulnerability of organizations relying on third parties, while COVID-19 provided a reminder that resilience planning is key.
While the lessons learned over the past year are not radical, they command our attention because for an organization to develop cyber resilience, it must get the foundations right.
Maintain cybersecurity hygiene
It may sound trite, but cybersecurity basics are some of the most important things that an organization can do to protect critical data. Initiatives such as ensuring network segmentation, implementing a strong patch management plan, installing anti-malware software correctly, implementing policies for access control — such as multi-factor authentication and strong passwords — can improve an organization’s overall security posture. In addition, whether the security operations center (SOC) is internal or outsourced, it is essential that the right tools are in place to detect an incident, such as security information and event management (SIEM), network detection and response (NDR), and endpoint detection and response (EDR). The speed of detection and response can make a big difference.
Manage vendor risk
As part of an overall governance and management program, it is imperative that vendor risk management is covered. Organizations frequently rely on supply chains to operate. They need to have strong legal documents that address what data is being held and by whom; how it is stored, monitored, and used; and which third and fourth parties have access to an organization’s network. Managing third-party accounts responsibly is also critical, to ensure that partners are off-boarded when contracts terminate.
Update business continuity and disaster recovery plans
Unexpectedly, the global pandemic in 2020 turned out to be a huge security event. Organizations had to learn to operate in a mostly remote environment almost overnight. Plenty of organizations were unprepared to make a fast transition and struggled with operational issues while being hit with increased attacks that took advantage of the chaos. To build and sustain cyber resilience the board can trust, organizations need to ensure that all incident, disaster, and business continuity plans are documented, communicated, accessible, and well-rehearsed where necessary.
Create a security culture
Social engineering was the most common attack vector last year, according to ISACA’s State of Cybersecurity 2020 study. Security awareness programs are valuable, but not enough to change patterns of employee behaviors. To really improve security, the culture needs to change. Obtaining executive support, effectively communicating and enforcing security policies, having a secure development cycle, continuously training security professionals, and creating opportunities for security to partner with other areas of the business will go a long way toward reinforcing security as an organizational priority.
The year 2020 reinforced that it is critical for organizations to sharpen their security practices and mitigate cyber risk, drawing upon resources such as ISACA’s CMMI Cybermaturity Platform. While improved encryption practices, continuous training for security professionals, monitoring, thorough incident planning, and improved culture may not sound glamorous, these areas can make a major improvement in an organization’s security posture.