Our team at Sungard AS recently published a blog post suggesting that IT Security Requires a Very Particular Set of Skills, explaining how the rapidly changing threat landscape is introducing new challenges for business leaders at all levels. Cybercrime is at an all-time high with more data breaches occurring in 2021 than any prior year.
To follow up: as a security expert, I speak with business and IT leaders every day about their cybersecurity concerns, and the accuracy and timeliness of the Sungard AS post deeply resonated with me.
In this post, I’ll share some of the most common questions and concerns I’ve heard from the hundreds of conversations I’ve had in the past 18 months.
Top Cybersecurity Concerns Shared by Business and IT Leaders
- Ransomware – “It’s in the news every day. How great is my risk?”
I’m asked about ransomware on 90% of my calls. The threat of ransomware is very real, and it impacts every company and industry, regardless of size. This year, I’ve spoken with a dentist’s office that was hit with a $1,000 ransom demand, a law firm for $50,000, a software company for $11,000,000, and a hospital system for a 9-figure sum – no one is immune.
Not only that, but the average dwell time (the time an attacker spends in your environment before you discover their presence and remediate) has decreased from 200+ days to around 30 days, showing how threat actors continue to get more efficient. Remember, cybercrime is a business, and ransomware is the fastest path to profit.
- Questionnaires and redlines – “My cyber insurance is going up, and my customers are sending more and more cyberattack and data integrity related contract redlines.”
I’ve spoken with dozens of company officials who tell me their cyber insurance premiums have significantly increased, despite the fact that they remain incident-free. What’s more, their own customers are sending them questionnaires asking them to elaborate on what they are doing to reduce the risk of a cybercrime related incident.
Vulnerability scanning, endpoint protection, intrusion detection systems, log review, e-mail security, cyber-compromised data recovery, and more are being requested by insurance companies and customers alike. You’d better be ready to make cyber resilience documentation part of your recovery plan.
- Work from Home (WFH) – “Are we doing enough to protect our business and customers?”
So many clients have asked me this question in the last 18 months, and most of them were inadequately prepared for a mass migration to WFH. VPN and MFA usage have had record-breaking growth since March of 2020, so businesses have been quick to adapt. However, many are still lagging.
Many companies were forced to relax BYOD (bring your own device) policies due to resource constraints and supply chain issues, like the inability to quickly order enough laptops to support WFH.
This introduces a great deal of risk. Are you using endpoint protection, and conducting vulnerability scans on your endpoints (employee laptops)? What about personal laptops they may use for company business? What about their smartphones? How are they securing their home Wi-Fi networks? Are you regularly training your employees on cybersecurity, and how to remain safe? Have you reviewed your Identity and Access Management (IAM) policies?
- Going Hybrid or Migrating to the Cloud – “Are we secure across all environments?”
According to the 2021 Flexera State of the Cloud Report, 80% of enterprises have a hybrid cloud strategy, and 59% of advanced users name cloud migration as a key initiative. As you plan your cloud migration or hybrid cloud strategy, it’s crucial to keep security top of mind.
When architecting your new environment, make security part of the foundation, not something you “add on” when everything is done. And don’t neglect security in your existing environments, whether private cloud, on-prem, colocation, or another public cloud.
If you don’t have the team or the time to focus on security, consider an option like managed detection and response (MDR). This will enable you to maintain 24x7 coverage across all of your environments, all with a single login (no more switching tools and dashboards for different environments).
- Security Skills Gap – “How do I find cybersecurity employees? How do I retain the ones I have?”
According to the Bureau of Labor Statistics, cybersecurity has a 0% unemployment rate, and demand for security analysts is expected to grow 36% by 2029. To say that hiring is difficult is an understatement. I recommend focusing on candidates with the right experience and qualifications and not just a diploma.
You’ll also need an attractive compensation and incentive package that’s focused on more than just the money. Low- or no-cost healthcare coverage, 401(k) matching, and generous PTO allowances (Alert Logic has unlimited time off) are a great start, but don’t forget about training and career development. Covering the costs of licenses and certifications won’t hurt, and neither will offering flexible schedules and WFH policies.
As for retention, these employees want to be a part of a great company culture and to have a voice in decisions that affect them at work. Take care to avoid burning them out and overworking them. And when all else fails, consider outsourcing or augmenting your current security strategy. MDR is a great option to maintain 24x7 coverage with no more worries about talent shortages.
- Compliance – “I am PCI/HIPAA/GDPR/NIST/ISO/ETC compliant. But am I secure?”
Many of us may hate to hear this, but compliance does not equal security. Being compliant means that your company is meeting the minimum security requirements of specific regulations at a particular moment in time. Being secure means remaining free from security threats while operating that compliant infrastructure, every day after the audit.
If you built your security posture by checking the necessary boxes to become compliant, you should revisit it. I recommend determining what your security goals are and viewing your security posture through that lens, as opposed to the compliance lens, in order to find any gaps. The good news is that many of the tools you have in place for compliance will help you be secure if you are using them appropriately.
Here are some conversations that I have all too regularly that help highlight the differences between compliance and security:
Statement: We conduct Vulnerability Scans as a part of our compliance requirements.
Response: That’s great! When was the last scan run? How frequently are you running them? If you aren’t doing them at least daily, why not?
Statement: To be compliant, we collect and retain our logs for a specific period.
Response: That’s a great start. Are you analyzing those logs every day for things like anomalous user behavior? Who in your organization is responsible for this, and what tools are they using to help? How are they parsing and tagging all the logs? How far behind are they? Who takes over if they leave the organization?
Statement: We use an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) to satisfy a compliance requirement.
Response: That’s a valuable tool that every organization could benefit from. How many alerts are you receiving each day, and who is tasked with validating, triaging, and responding to them? If you have a person or small team responding to hundreds or even thousands of alerts, are you confident that they are giving the appropriate attention to each alert, or do you suspect they may suffer from alert fatigue?
Having the tools does nothing to help you be secure if you aren’t using them and their outputs/data effectively. You should also be constantly reviewing and updating your tool set and the skills of your team to keep up with the pace of change and innovation. But it’s also imperative to recognize that despite the best preventive measures, you need to be ready to respond when an attack is successful. That means having a well-rehearsed cyber incident response plan inclusive of recovering data that has been encrypted, deleted, or altered by a ransomware attack. This typically means specialized plans and capabilities focused on the other DR – data recovery.
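To make the log-review questions above concrete, here is a small added example (not code from the post, nor Sungard AS or Alert Logic tooling) that parses a constructed day of authentication events, flags anomalous user behavior (a login from a source never seen before for that user, a successful login outside business hours, and a burst of failures followed by a success), and then collapses the raw hits into a short ranked list, the kind of aggregation that keeps a small team from drowning in alerts. The log format, the sample lines, the per-user baseline, the business-hours window and the failure threshold are all assumptions made for the illustration.

```python
"""Minimal daily log review: parse auth events, flag anomalous user
behaviour, and collapse the raw hits into a short triage list.

Added illustration only; the key=value log format, the sample lines,
the baseline of known sources and the thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one day of authentication events (not real data).
# Note the last line is out of order, as real log feeds often are.
SAMPLE_LOG = """\
2021-09-01T08:02:10Z user=alice src=198.51.100.10 result=success
2021-09-01T08:05:41Z user=bob src=198.51.100.11 result=success
2021-09-01T09:14:02Z user=alice src=198.51.100.10 result=success
2021-09-01T13:40:19Z user=bob src=198.51.100.11 result=success
2021-09-01T23:10:03Z user=carol src=203.0.113.7 result=failure
2021-09-01T23:10:07Z user=carol src=203.0.113.7 result=failure
2021-09-01T23:10:12Z user=carol src=203.0.113.7 result=failure
2021-09-01T23:10:15Z user=carol src=203.0.113.7 result=failure
2021-09-01T23:10:19Z user=carol src=203.0.113.7 result=failure
2021-09-01T23:10:24Z user=carol src=203.0.113.7 result=success
2021-09-01T03:22:55Z user=alice src=203.0.113.9 result=success
"""

# Assumed baseline: source addresses each user has logged in from before (constructed).
KNOWN_SOURCES = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "carol": {"198.51.100.12"},
}

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC is normal working time
FAILURE_BURST = 5              # assumption: this many failures before a success is suspicious
SEVERITY = {"new_source": 1, "off_hours": 1, "failures_then_success": 5}


def parse_events(text):
    """Parse key=value auth lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    events.sort(key=lambda e: e["ts"])  # sequence-based checks need time order
    return events


def detect(events, known_sources):
    """Emit one raw alert per suspicious observation (deliberately noisy, like a real IDS feed)."""
    alerts = []
    failures = defaultdict(int)  # consecutive failures per (user, src)
    for e in events:
        key = (e["user"], e["src"])
        base = {"user": e["user"], "src": e["src"], "ts": e["ts"]}
        # Any activity from a source not in the user's baseline is worth a look.
        if e["src"] not in known_sources.get(e["user"], set()):
            alerts.append({"kind": "new_source", **base})
        if e["result"] == "success":
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"kind": "off_hours", **base})
            if failures[key] >= FAILURE_BURST:
                alerts.append({"kind": "failures_then_success", **base})
            failures[key] = 0
        else:
            failures[key] += 1
    return alerts


def triage(alerts):
    """Collapse raw alerts into one ranked item per (user, src) so the analyst sees a short list."""
    groups = {}
    for a in alerts:
        g = groups.setdefault((a["user"], a["src"]), {
            "user": a["user"], "src": a["src"], "kinds": set(),
            "hits": 0, "first": a["ts"], "last": a["ts"],
        })
        g["kinds"].add(a["kind"])
        g["hits"] += 1
        g["first"] = min(g["first"], a["ts"])
        g["last"] = max(g["last"], a["ts"])
    items = list(groups.values())
    for g in items:
        g["score"] = sum(SEVERITY[k] for k in g["kinds"])  # distinct signals, not hit count
    items.sort(key=lambda g: (-g["score"], g["first"]))
    return items


def review(text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Daily review entry point: returns (raw alert count, ranked triage items)."""
    alerts = detect(parse_events(text), known_sources)
    return len(alerts), triage(alerts)


if __name__ == "__main__":
    raw, items = review()
    print(f"{raw} raw alerts collapsed into {len(items)} triage items")
    for g in items:
        print(f"score={g['score']} user={g['user']} src={g['src']} "
              f"hits={g['hits']} kinds={sorted(g['kinds'])}")
```

On the constructed day this turns ten raw alerts into two triage items, with carol's burst of failures from an unknown address at 23:10 ranked above alice's single off-hours login from a new source. Scoring on distinct signal types rather than raw hit counts is a deliberate choice: it keeps a noisy repeated condition from outranking a rarer but more serious one, which is the kind of question to ask of any tool whose alert volume your team is struggling to keep up with.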
- Keeping up with the Joneses – “What is everybody else doing?”
The rise in high-profile cybercrimes has everybody on edge. The threat landscape is constantly evolving, and even experienced security professionals are wondering if they’re doing enough to protect their companies and customers.
Many CTOs are completely frustrated. Imagine spending large amounts of capital on security tools, suffering through lengthy implementations, and hiring and/or training staff, only to feel like you still have unmitigated risk and vulnerabilities and are left open to new and emerging threats.
For some, the answer is moving from a capex model to an opex model, future-proofing, and ensuring they have top security analysts, threat hunters, and PhD-level researchers working to protect them. The move to MDR is more attractive than ever.
If you find yourself wondering what everybody else is doing, are looking for some validation of your current security posture, or just want some general guidance on navigating the current threat landscape: I’d love to hear from you.