Throwing more technology and people at evolving cyber security threats is a failed strategy. It has often led to a false sense of security without corresponding risk reduction. The better approach to strengthening your cyber security posture is a clear focus on the specific risks facing your organization and an integrated plan to manage them.
Below are answers to commonly asked questions about risk assessments and building a solid security posture. The statistics below are drawn from Verizon’s 2020 Data Breach Investigations Report (DBIR).
1. What are the biggest security threats my organization is facing?
While much of the answer here will ultimately depend on the nature of the data and infrastructure you are trying to protect, looking to common industry patterns is a useful place to start. For example, web application attacks were among the top four attack patterns for all 15 industries covered by the 2020 DBIR. However, where web application attacks top the financial and insurance industry’s list, crimeware (including ransomware) was tops in the healthcare industry.
2. Should I worry more about internal or external threats?
Both. In aggregate, nearly one third of data breaches (30%) involve organization insiders, and 70% are the work of outsiders. However, internal threats are more common in some industries—48% in healthcare versus 5% in construction. It takes only one employee to click an infected attachment or to get unauthorized access to sensitive data to cause a serious breach.
3. What is the likelihood my organization will suffer a breach?
No organization is immune from a cyber-attack. While it’s hard to predict breach likelihood for any one organization, cybersecurity experts often say there are two types of companies: those that know they’ve been breached and those who don’t. For a sense of how pervasive cyber risks are, consider this: Verizon’s 2020 DBIR documents 157,525 security incidents, 108,069 data breaches across the globe. The best way to stay out of these statistics is by assessing risk and taking strong, decisive steps to protect your organization’s data and people.
4. How can my organization achieve 100% security?
Realistically, you can’t. Threats grow and change all the time as threat actors identify new vulnerabilities and refine their methods to prey on unsuspecting victims through phishing and social engineering. Instead, organizations should focus on risk management. Conduct a comprehensive risk assessment to expose the probability of a breach and develop a plan to prevent, mitigate and transfer risks by prioritizing the organization’s data assets.
5. Why is ransomware such a serious threat?
Ransomware is a pervasive malware threat. It appears in 27% of malware cases, up 2.6% since last year’s DBIR. It is such a successful attack method because even cybercriminals with modest technical skills can perpetrate an attack by downloading exploit toolkits on the Dark Web. Some variants exploit software vulnerabilities, but often ransomware gets into networks through phishing by goading users to click infected URLs or attachments. Ransomware attacks can bring operations to a halt when file servers, databases and machines get infected.
6. How much time does my organization have to react to a breach before it causes major damage?
Not much. It takes only seconds or minutes for some ransomware infections to start shutting down systems, so you must be ready to react immediately and effectively to a security alert. More than a quarter of breaches take months to discover. By then, attackers probably already have stolen plenty of corporate data. Even more troubling, often a third party such as a law enforcement agency or partner notices the breach first, or in the case of ransomware, the attacker announces the breach. In both cases, it hurts an organization’s reputation.
7. What steps should my organization take to strengthen its security posture?
Although no plan is foolproof, you can take steps to build solid defenses. It starts with vigilance and awareness. Monitor all movement in your environment. Teach employees safe computing practices, so they know to avoid clicking suspicious attachments and URLs, and not to share passwords. Sensitive data should be available only to those who need it for their jobs. Security patches must be applied as soon after release as possible because they address vulnerabilities that attackers often exploit. Also consider encrypting sensitive data to make it unreadable if stolen. Beyond best practices like these, you have to start assessing risk.
8. How do I measure my organization’s risk and security posture?
For best results, you have to look at risks from all angles—outside-in, inside-out, and through a 360-degree review. An outside-in evaluation assesses data gathered from public sources. An inside-out evaluation is an internal look at your enterprise to find things like malware, unwanted programs, and dual use tools within your endpoints and infrastructure. A 360-degree review adds to the other two views by looking at your organization’s security culture and processes. Together, they produce a holistic view of your cyber posture.
9. What is a security posture score?
A security posture score is the result of synthesizing security data from a broad array of internal and external sources to generate a numerical score that stakeholders and decision-makers can all understand and influence. Like a credit score, a risk posture score is a presentation layer for all the security data that goes into its calculation. And like a credit score, the risk score can inform decision-making. For example, overextend your debt, and your credit score goes down; properly resource your vulnerability patching efforts, and your risk posture score goes up.
10. What solutions or tools are available to help measure my security posture?
Verizon offers two free tools to help determine your security posture.
The first is the annual Data Breach Investigations Report (DBIR) mentioned at the beginning of this article. Now in its 13th year, it has become a must-have for cybersecurity professionals looking for detailed information on current threats. It helps you gain a solid understanding of what your organization is up against.
The second is the Verizon Security Assessment Tool, which offers a self-serve assessment against the security risks your organization has, providing clear recommendations on where to focus your cybersecurity investments to help reduce your exposure. Results are updated on a daily basis enabling you to see how your security posture improves over time.
Learn more about improving your security posture with Verizon’s Cyber Risk Monitoring service.
David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.