Cyber criminals have been a top-level business risk for decades, but the post-2020 business world has seen a resurgence in security incidents and the emergence of new kinds of threats, no doubt due to the fast and widespread surge in decentralized and remote infrastructures.
Zoom, for example, saw 30 times the number of daily users from December 2019 to April 2020 while simultaneously expanding their services to cover additional use cases such as Zoom Apps and Zoom Whiteboard. Shortly after the initial surge of daily users at the outset of the Covid-19 pandemic, Zoom's security practices were called into question. The video conferencing company had to invest significant effort into transforming and scaling their security practices while adapting to rapidly changing business demands.
Last year saw a 40% global increase in cyber attacks. Every week a startling 1 out of every 61 companies experienced a ransomware attack. By the end of 2021, experts calculated that over the course of the year the average organization had been the subject of at least 900 attacks!
In the face of persistent threats, there can be no pause in efforts to prevent, recognize, and mitigate cybersecurity attacks. What's more, these efforts must be woven into the way every organization does business from the inside out.
Cybersecurity risk management is the ongoing prevention, identification, and elimination of cyber threats targeting a company’s IT infrastructure. Like most facets of technology over the past few decades, standards and best practices for cybersecurity have dramatically evolved and changed.
Traditional (often reactive) solutions that sought to identify a threat when it occurred and prevent it from causing major damage are no longer enough. Cyber criminals continually become more sophisticated while complex, decentralized IT environments present them with a constantly growing attack surface.
Companies can no longer view cybersecurity as a tactic or even a set of tactics. They must view it as a high priority strategy permeating the company's culture, operations, and IT processes.
Let’s explore 5 actionable ways you can support this vision in your organization.
The first essential step in cybersecurity risk management is understanding where risk exists and where a threat is most likely to occur.
This requires a comprehensive overview of your IT infrastructure covering all applications, development and hosting environments, and IT components, as well as all the ways they are connected. You have to capture this overview visually, allowing you to see your entire current state architecture in a single snapshot. Among other things, this makes it possible to understand the implications when a vulnerability or even an attack is detected in one particular area.
Creating this overview requires collaboration across your IT team, from your cybersecurity specialists and enterprise architects, to solutions architects, engineers, software developers, and anyone else who manages applications or whose work has an impact on the infrastructure. You can only get all your information in one place if every stakeholder contributes.
Since your IT infrastructure continually grows, your efforts to map and track also need to be continuous. This is also the case when it comes to performing cybersecurity risk assessments. There are two different types of assessments that you need to conduct on a regular basis.
On the one hand, you need to continually assess whether your internal processes for risk mitigation – identity and access management, for example – are not only adequate but also being strictly followed. You need to ensure, for example, that when users leave the company, they lose access privileges. Likewise, you need to ensure that access to certain systems or types of data is restricted to relevant users.
On the other hand, when new security alerts are issued or vulnerabilities identified – as was the case with the log4j vulnerability last year – you need to conduct an assessment of your systems. Is this a threat that you need to be concerned about? Frankly, without a comprehensive overview of your IT landscape, including the services your software depends on, you just can't know!
While a new and/or improved cybersecurity strategy can take time to implement, and the need for risk assessments never goes away, there is something you can always do: minimize your attack surface.
As we mentioned above, this begins with actually understanding where you attack surface is. Creating an inventory of all existing applications is key. SaaS applications, which may be purchased decentrally without IT's knowledge pose a real challenge here. Automated SaaS discovery can be a lifesaver in this instance.
The next step is eliminating the applications you don't need, particularly redundant applications that serve the same business function. If, for example, you have six payroll systems as a result of mergers and acquisitions, reducing that number two one or two, depending on your needs, can drastically simplify your risk mitigation efforts.
Make security a company-wide priority
Given the amount of access — much of it remote — employees now have to company systems and data, it’s impossible to implement any real security measures without appropriately educating and training your staff.
Good communication here is key, and as always, the best way to make an impact is to relate the importance of security back to business value for your stakeholders.
Ask yourself the following questions:
Educating employees on these and related security issues is important. Training them on how to think about cybersecurity and ensure it in their daily activities is likewise essential.
At the same time, these efforts, like your risk assessment efforts must constantly evolve and be constantly reinforced. Don't hesitate to test responses – to simulated phishing attacks, for example – and retrain when necessary
Finally, help your employees practice what you preach by implementing the right processes. For example: Build training into any new access granted to a particular system or database.
When your employees have guidelines and standards to follow, they’re more likely to stay compliant with your cybersecurity risk mitigation standards and less likely to inadvertently create risk.
Cybersecurity is hardly a “set-it and forget-it” aspect of business — it’s an ongoing priority.
An enterprise architecture platform — like the one offered by LeanIX — drives better oversight of your entire IT infrastructure and facilitates seamless collaboration between cybersecurity teams and other employees across your company.
Learn more about LeanIX EAM or schedule a demo today!