The question is not ‘if’ your organization will face a cybersecurity threat but ‘when.’ The bad news gets worse: suffering one attack does not immunize you against future breaches. Therefore, your approach to improving your organization’s cybersecurity resilience should not only be avoiding all attacks—an unrealistic goal—but enhancing your ability to respond and recover quickly when the inevitable happens.
Improving cyber resilience requires a combination of technology and people power. However, recent research reveals that many organizations fall short in the latter. Fortunately, there are four steps any organization can take to address its people-related security challenges.
The research found a troubling mix of executive apathy, staffing shortages, and inconsistent security practices at organizations worldwide. Only 43% of survey respondents are confident in their ability to manage cyber risk, and among small- and medium-sized businesses (100-2,500 employees) nearly half (48%) reported low confidence in their security readiness.
One common challenge among smaller organizations is implementing company-wide security policies such as authentication measures and access controls. Half (49%) of the smaller to mid-sized companies surveyed listed this as one of their top two governance challenges, compared to about a quarter of large companies (2,501-5,000 employees). That disparity suggests that smaller organizations struggle with resource limitations and are more vulnerable to management oversight failures.
Thirty-five percent of smaller organizations report that their management teams either fail to recognize cyberattacks as a significant risk or are uninformed about the threats their organizations face. This gap underscores the need for security professionals to educate leadership on a cyber incident's potential impact on brand reputation and the bottom line. They need to make clear that this is not just an IT issue that falls only on the security team's shoulders. It is a business priority that requires leadership's full attention and support.
Skills Gap and Supply Chain Risks
One of the most pressing challenges for larger organizations is the shortage of skilled IT security professionals: 35% of respondents from large companies cited this lack as a top concern, and even more (38%) cited budget constraints. Both are hurting their ability to respond to incidents effectively.
Securing the supply chain is a concern for organizations of all sizes, with approximately one-third of our respondents acknowledging it as a top challenge. The risks stem from incomplete inventories of third parties with access to sensitive or confidential data and the technical challenges of securing these expansive networks. The risk increases as the supply chain extends beyond a company’s immediate security perimeter, especially to partners and vendors from regions with lax security regulations.
In the Shadows
Compounding these challenges is shadow IT: software, SaaS applications, and devices that employees adopt without IT's knowledge or approval. When employees sign up for and deploy such tools on their own, including SaaS platforms that host marketplaces for third-party apps and plugins, they may inadvertently grant unauthorized parties access to sensitive data, for example by authorizing a plugin to read company email or files. Tools that IT does not know about cannot be patched, monitored, or covered by the organization's authentication and access-control policies.
Poor Incident Response Readiness
Despite recognizing the critical nature of the cybersecurity threats they face, many organizations admitted that incident response readiness remains a weak spot for them.
Encouragingly, approximately half of all businesses surveyed reported they have a formal organization-wide incident response plan in place, and more than half of that group tests their plans at least once a year.
However, about a quarter (23%) of large companies admit they have never tested their incident response plans, and about one in ten have no plan at all. In the event of a breach, these organizations are much more likely to be uncertain of what to do or, worse, to take actions that make the situation worse (such as wiping a compromised system before evidence has been preserved) than those that rehearse their response plans.
One effective approach to testing a response plan is a 'purple team' exercise. A 'red team' emulates a realistic attack while the 'blue team' detects and responds to it, and the two share findings as the exercise runs rather than working in isolation. The result is a direct measure of which attacker techniques were detected, which were missed, and how long the response took, which strengthens the organization's ability to detect, respond to, mitigate, and learn from security incidents and leads to a more resilient cybersecurity posture.
However, holding exercises and simulations is only half the battle. Security professionals should implement regularly recurring employee education and training programs.
Improving Cyber Resilience: A Four-Step Approach
Along those lines, the recently updated Cybersecurity Framework (CSF 2.0) from the U.S. National Institute of Standards and Technology (NIST) can serve as a helpful resource. It organizes cybersecurity outcomes into six high-level functions: Govern, Identify, Protect, Detect, Respond, and Recover, and its profiles and tiers give organizations a way to set cyber resilience targets and measure progress against them.
To demystify that process and make it more accessible to employees, senior executives and board members, here’s a four-step checklist to help everyone understand their role in improving cyber resilience:
1. Threats: Identify the circumstances or events that could potentially harm organizational operations, assets, or individuals. The goal is to educate everyone on what can go wrong and the various forms threats take, whether cyber-attacks, system failures, or data breaches.
2. Vulnerabilities: After pinpointing the threats, assess the weaknesses within the organization that these threats could exploit. Vulnerabilities might include outdated software and inadequate (or nonexistent) security policies or employee training programs.
3. Likelihood: Evaluate the probability that a given threat will exploit a vulnerability and lead to a cybersecurity incident, taking into account the controls already in place. This helps you prioritize which risks need immediate attention.
4. Risk: Assess the potential impact of an adverse outcome resulting from a threat exploiting a vulnerability. This step combines threat, vulnerability, and likelihood with that impact to provide a comprehensive overview of the risk, so that the items with the highest combination of likelihood and impact are addressed first.
Following this checklist will help your entire organization become more proactive and respond to and recover from cyber attacks more quickly and effectively. Championing this unified approach throughout the organization ensures that cybersecurity becomes a collective responsibility and improves your cyber resilience.