With the expansion of the mobile digital workforce, the past two years have seen a period of unprecedented digital transformation. Yet nearly 80% of IT and security executives polled last year said they lacked confidence in their organization's security posture, despite recent increased investments in cyber readiness. Consumers seem to share some of these concerns: Only 21% of consumers trust global brands to keep their personal information secure.
These views make sense when you consider that the Verizon 2022 Data Breach Investigations Report (DBIR) confirms that 82% of data breaches involve the human element. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike. The DBIR defines a data breach as a compromise of the Confidentiality attribute of the CIA triad (Confidentiality, Integrity and Availability), and any time confidentiality is compromised, it raises the question of what type of data was involved.
In this context, cyber readiness is an increasingly important way for organizations to identify security gaps and where the threats are located both internally and externally. Having more visibility builds confidence and more assurance that programs and resources are appropriately focused. According to one study, the technology, media and telecommunications (TMT) sector utilizes the highest percentage of its IT budget (26%) for cyber security. That's reassuring news, as long as those funds are directed toward the right areas.
Why cyber readiness is important
At a high level, cyber readiness planning is about mitigating the risk of serious financial and reputational damage that can result from a major security breach. Without effective cyber security assessments and readiness planning, such events are more likely.
Why? Primarily because organizations are far more exposed to threats now than before the pandemic. Large-scale digital transformation propelled many organizations' capabilities forward by several years. They invested heavily in extra laptops and video-conferencing accounts for remote workers, and cloud infrastructure to support new customer-facing digital experiences. But while this helped business continuity during the pandemic, these investments also expanded the corporate cyber attack surface.
At the same time, threat actors have been hard at work in ever greater numbers, probing these weaknesses to identify vulnerable targets. The cyber crime underground offers a ready-made ecosystem for knowledge sharing and trading stolen data and hacking tools. Bad actors leverage this unique economy to exploit vulnerabilities, scan for misconfigured systems, target home workers with convincing phishing attacks and much more.
The following findings are instructive on why cyber readiness is important:
- One vendor detected over 623 million ransomware attacks in 2021, a 105% year-on-year increase
- Breached companies underperformed in the stock market by approximately 5%
- One business process outsourcing firm reported a $42 million loss from a single ransomware incident
- More CVEs were published in 2021 than any previous year
- 2021 set a new record for data breach disclosures in the U.S.
- The proportion of global firms attacked rose from 38% to 43% between 2020 and 2021. Many suffered multiple attacks
- 1 in 6 firms that were attacked said their survival was threatened
What a cyber readiness plan should look like
A cyber readiness plan can provide a clear way to evaluate where risk is most pronounced in the organization and where future security investments should be targeted. It could include a range of activities, from cyber security assessments to real-world simulations, training exercises and more. Consider adding the following to your cyber readiness plan:
- Attack surface risk assessments to cover the following:
  - Asset discovery and management to understand what you have
  - Continuous vulnerability scans and management
  - Continuous configuration management
- Wireless network assessments to understand gaps in policy, procedure and architecture
- Vendor/partner/supplier cyber risk readiness evaluations to mitigate the risk of supply chain breaches
- Dark web cyber security assessments to scan for stolen data and other threat intelligence, which can improve your ability to respond quickly to a breach
- Cyber security assessments covering policy and procedure to ensure alignment with risk reduction controls
- Identity and access management assessments to align policy and tooling with zero trust principles
- Staff testing and training to evaluate knowledge and improve security and phishing awareness
- Incident readiness/response planning to help minimize the impact of breaches. Plans should be regularly updated and tested
- Security controls assessments to continuously evaluate the effectiveness of your security solutions, from email and endpoints to networks and cloud systems. Cyber security assessments at this level will help to flag critical capability and coverage gaps for attention
Putting the pieces together
Remember throughout that cyber security is a fundamental business driver and enabler. That means cyber readiness planning can't be developed and executed in a vacuum. Start by drawing up a list of executive stakeholders to involve in the process from across the business—potentially including representatives from legal, HR, IT operations and elsewhere.
Your priorities will initially depend on the risk appetite of the organization and the relative level of maturity in each discipline. But these might change once the results of assessments and evaluations start coming in. Additional areas of focus to address may even emerge.
It goes without saying that with so much at stake, it pays to start these conversations with existing trusted security partners, especially those that can offer a broad sweep of security services and cyber security assessments. Quantitative measurement and scoring, formalized reporting, industry benchmarks and practical risk reduction recommendations should be standard.
The author of this content is a paid contributor for Verizon.