Cybercriminals Have Upped Their Game. Have You?
Recently, cybersecurity authorities in the United States, the United Kingdom and Australia released a joint cybersecurity advisory detailing the findings of a report on ransomware attacks in 2021. Aside from there being a general rise in attacks, the report warned that threat actors in the U.S. are moving away from targeting so-called big game targets (“perceived high-value organizations and/or those that provide critical services”) toward midsize victims, while criminals in Australia and the UK continue to attack organizations of all sizes. The report also warned that ransomware groups are increasingly targeting the cloud, managed service providers and the software supply chain.
There’s a good chance that your company has already been a victim. According to “The Global State of Industrial Cybersecurity 2021: Resilience Amid Disruption,” 80% of 1,100 cybersecurity professional respondents were hit with a ransomware attack, 60% paid the ransom, and just over half (52%) paid at least $500,000 in ransom in 2021.
The pervasive nature of these ransomware attacks does come with a silver lining: it raises awareness and creates an opportunity for a meaningful conversation with an organization’s C-suite. Leadership groups are being challenged to respond to cybersecurity threats and adopt a stronger security posture across the entire organization.
The critical question is if and how they will respond to that challenge.
Make security part of your game plan
Protecting your organization, employees, and customers from cybersecurity risks takes effort and dedication, and should ideally be part of how you do business.
Industries that are highly regulated, such as healthcare, banking and finance, typically have risk management models that are built into their operations and organically align with the requirements of a strong security posture. Cultural norms such as informative HR onboarding processes, security and compliance training, and clearly defined internal procedures all combine to ensure an organization is best positioned to respond to the variety of new and emerging threats.
Security can also be part of the game plan from day one, as seen in successful, born-in-the-cloud companies that have an appreciation for the threat landscape and have been listening to their customers’ needs and concerns. Defining and implementing operational processes that include your security and compliance needs is yet another way to protect your business.
Unfortunately, most organizations find themselves somewhere in between. They do not have the structural frameworks demanded by highly compliant industries, and they may have underfunded security budgets that compete with other business units for investment dollars. The result can be an organizational culture that rejects change, fails to adopt new security initiatives, and is inadequately prepared for that almost inevitable ransomware compromise.
To meaningfully reduce an organization’s exposure to cybersecurity incidents, security must be part of the organization’s DNA, and the organization must recognize that this is not solely an IT problem. Employees at every level, from the C-suite down, have a responsibility to play an active role in preparing for and responding to an event that could critically impact their ability to do business.
There are several credible organizations, including NIST, CISA, and ISACA, that have a wealth of tools, frameworks and templates all designed to help an organization on its journey to an improved security posture. However, one of the key challenges when faced with this vast array of information can be selecting the content that is most relevant to your organization.
Before tackling any type of framework or template-based approach to developing a security strategy, it is important to understand as an organization what you’re solving for, or more specifically, what you’re protecting against.
As with any business strategy, it is important to find and maintain a balance between your targeted outcomes and your overarching business objectives. A security strategy is no different and needs to be led by a team that understands your organization’s core mission, how success is measured, and how it differentiates from its competitors.
This element may sound obvious, but in the profession of security and compliance it can present an additional challenge. A sophisticated security thinker who understands the deep technical aspects of the current and emerging threat landscape may not always have the best understanding of, or appreciation for, your business objectives. To help strike this balance, a security team will benefit from including people from diverse backgrounds who can contribute at a variety of levels, from strategic development to operations.
Finally, it pays to maintain an awareness that your security strategy will change and evolve, potentially faster than your core business strategy. The risks and threats we are all exposed to are rapidly changing and zero-day vulnerabilities are just another reminder of how fast a leadership team may need to realign resources to protect key assets and intellectual property.
The impact of remote work
Evidence of how fast a security and compliance strategy may need to change was experienced by almost all organizations in the face of COVID and the shift to remote work. Many security and IT teams had justifiably built their technical controls on the premise that the majority of people would be working from an office location, backed by a platform managed by IT.
In many ways, this focus changed very quickly. For example, the well-justified time and effort that may have gone into implementing a segmented local area network was no longer delivering the business value originally intended once most staff were working outside the office.
The abrupt change to working from home has had a significant impact on numerous technical norms, such as the implementation of the corporate firewall, how broadly you roll out multifactor authentication (MFA) and the durability of your VPN service.
As we all hopefully move back to a state of normalcy, it appears that the hybrid work model is a paradigm that IT and security teams will need to manage for the foreseeable future. As a result, robust training and awareness programs are potentially more important now than ever, and an effective security strategy must drive the message that security is everyone’s responsibility.
Ensuring that people understand what is expected of them and their role in achieving a secure environment can help establish the right element of trust between the organization and its employees. Those expectations should then be formalized and wrapped into policies.
Mitigate risks and learn quickly from mistakes
Organizations must be laser focused on what they’re protecting and why. Time, money, and resources must be dedicated to those elements of your business that support your core mission and its overall success. The effort applied to analysis of your security requirements and prioritization of the supporting initiatives will help maintain focus, and direct your security strategy.
Justin Donato, Nintex
Appointed Nintex Vice President, Security and Compliance in January 2022, Justin Donato had served as Nintex VP, Information Technology since 2014. Drawing on Justin’s security background, technical acumen, proven track record and extensive knowledge of Nintex’s products and IT infrastructure, Nintex will continue to help organizations safely and securely transform the way their people work.