Today’s complex cyberthreat landscape is a risk to all enterprises. Combating these threats requires an enhanced, coordinated and sustained national effort across industry and government. A determined, well-resourced adversary can penetrate any network. However, there are cost-effective steps that organizations can take to reduce risk and recover from an attack more quickly:
- Provide executive leadership—Core responsibilities of corporate leaders are identifying and addressing business risk. They must look at changing business conditions to understand where the organization is vulnerable. Unfortunately, cyberrisk responsibilities are sometimes delegated to a single person specializing in IT who likely lacks the necessary authority and/or budget. Leaders must instead instill a culture of security by gaining an understanding of the cyberrisk to their organization and driving a strategy to mitigate that risk.
- Update your software—Much like armies look for vulnerabilities in opposing forces, attackers look for vulnerabilities in a target’s network. Often these vulnerabilities are found in software or applications. Quickly patching vulnerabilities increases security. To the extent possible, updates should be automatically deployed as they are released by the vendor. In complex environments, organizations need policies to guide the prioritization, testing and deployment of patches. The Common Vulnerability Scoring System (CVSS) helps enterprises understand the potential severity of individual vulnerabilities.1 Behavior-based antivirus and antimalware tools, endpoint detection and response solutions can help protect against zero-day attacks.
- Create unique passwords—Passwords should be complex and unique. Reusing the same passwords for multiple accounts can jeopardize all accounts if even a single one is compromised. Password managers are effective tools for easily managing unique passwords.
- Deploy multifactor authentication—Multifactor authentication (MFA) requires a user to confirm their identity in multiple steps. If a hacker were to gain access to an account’s login credentials, the account would still be protected due to the extra layer of security. Text message-based MFA is good; application-based is better.
- Back up files—If your organization were to suffer an attack, you would want to recover normal business operations quickly. Ensuring that files are backed up in real-time is essential for business continuity. Online backup systems are easy to use, but can be costly. On-premises backups should be segmented from the network, replicated and stored in multiple locations. If possible, securely store copies of your backups off-premises. Backups should always be encrypted.
- Engage with peers—Active participation in information sharing forums is a cost-effective way to scale your organization’s defense capabilities. Through an information sharing forum such as an information sharing and analysis center (ISAC), you can engage with analysts from peer organizations who face similar challenges and collaborate on mitigation strategies.
The scope of the cyberthreat is immense and, unfortunately, it is not possible to address every security issue at once. For additional tips on how to better prepare your organization to manage cyberrisk, the US Cybersecurity and Infrastructure Security Agency’s Cyber Essentials Toolkit,2 the Information Technology-Information Sharing and Analysis Center (IT-ISAC) blog and the National Institute of Standards and Technology (NIST) Cybersecurity Framework are valuable informative resources.3, 4
Enterprises should use these resources to take meaningful and cost-effective actions, building out capabilities as resources permit. They should also ensure that security is made a priority throughout the entire organization so that all employees know how they can assist with the security management effort. Take action today—the cost of inaction is too great.
Editor’s Note
For more information on measuring, assessing and reporting on enterprise cyberrisk, learn more about ISACA's CMMI Cybermaturity Platform, designed for large corporations and government entities and aligned with industry frameworks and best practices.
Endnotes
1 FIRST, Common Vulnerability Scoring System (CVSS)
2 Cybersecurity and Infrastructure Security Agency, “CISA Releases New Cyber Essentials Toolkit,” USA, 29 May 2020
3 Algeier, S; “Simple Solutions for a Complex Threat,” IT-ISAC, 29 October 2020
4 National Institute of Standards and Technology, “Cybersecurity Framework,” USA
Scott C. Algeier
Is the executive director of the Information Technology–Information Sharing and Analysis Center (IT-ISAC). Algeier facilitates cyberthreat information sharing among leading technology companies and partners. He also oversees the daily management of the organization, including implementing enhanced information sharing and analysis processes and capabilities.