Organisations are naturally at a disadvantage in the fight against cybercriminals, but building a mature cybersecurity program can help overcome those problems - at least according to Empired.
Mark Blower, national business manager, Networks and Security at Empired, says that criminals work around the clock on finding ways to attack businesses, in what is a highly lucrative industry. The problem is that not every organisation puts the same sustained effort into defending itself.
"Too many businesses have inadequate protection against these well-funded, highly-motivated attackers. It’s essential to build a mature cybersecurity program to mitigate the risks," he says.
A program should deliver five core functions:
1. Identify: understand and prioritise the assets and business processes that need protection, and determine how that protection can best be provided.
2. Protect: implement the processes, policies, and technology that safeguard those assets.
3. Detect: treat attacks as inevitable, so it's essential to be able to tell when an attack is under way, is likely to occur, or has already occurred.
4. Respond: contain and eradicate an attack once it is detected, which requires a combination of people, processes, and technology.
5. Recover: have the ability to restore normal operations quickly after a successful attack.
But how do organisations start building a cybersecurity program?
"By taking these six steps, businesses can achieve a cybersecurity program to protect the business," Blower comments.
Prioritise, scope and orient
It's important to identify business mission objectives and high-level organisational priorities, then determine the scope of systems and assets that support those prioritised business lines or processes. The business should also identify related systems and assets, applicable regulatory requirements, and the overall risk management approach it will follow.
Create a current state profile
Next, businesses should choose a framework that defines the cyber controls to measure against (the five functions above are those of the NIST Cybersecurity Framework, which is the usual choice), then build a current profile against that framework by recording which controls already exist in the organisation and how mature each one is.
Conduct a risk assessment
Understanding the risk is key. A cybersecurity risk assessment should be guided by the organisation's overall risk management process. Using the information gathered in the first step, the team should identify potential threat vectors and analyse the operational environment to judge the likelihood of a cybersecurity event and its potential impact. It should then evaluate the threat scenarios that are both most likely and most damaging, since those drive the priorities that follow.
Create a target state profile
The business needs to understand its intended state. This profile takes the controls identified in the current profile and describes the desired cybersecurity outcome for each at the maturity level the organisation is aiming for. It's important to be pragmatic and aim only for what suits the organisation's actual needs, not the perfect state according to best practice, as that is likely to be prohibitively expensive and resource-intensive.
During this step, the business should consider the influences and requirements of external stakeholders such as sector entities, customers, and business partners.
Determine and prioritise gaps
By comparing the current profile with the target profile, businesses can identify the gaps, then create a prioritised action plan that draws on mission drivers, cost-benefit analysis, and their understanding of the risks. The team can then determine what resources are required to implement the chosen treatments or mitigations.
Implement the action plan
The final step is to carry out the planned actions, then monitor cybersecurity practices against the target profile, measuring progress and always mapping it back to the risk, which changes constantly.
“Simply focusing on compliance and ensuring tools and technology are updated will not help businesses overcome the persistent, advanced threats posed by committed cybercriminals. It’s essential to clearly understand the risks and how to mitigate them," Blower comments.
"Businesses should invest in a variety of technologies and tools to develop a mature cybersecurity posture that minimises the chances of a successful attack."