The list of companies that experienced cyber breaches in 2022 reads like a Who’s Who of global brands: Apple, DoorDash, Facebook, Marriot, North Face, Toyota, Twitter, Uber, Verizon – the list goes on and on. These days, no business is immune to cyberattacks.
The leading indicators of cybercrime evolve over time, but right now the top three, according to Gartner, are:
Growing attack surface – With 60% of knowledge workers working remotely and about 20% unlikely to return to the office, your network perimeter has atomized and your attack surface is larger.
Rising credential theft – Misuse of credentials is now a primary means for attackers to infiltrate your systems and exfiltrate your data.
Increased digital supply chain risk – The Sunburst hack, in which attackers breached organizations through a software update, shone a light on supply chain risk. In the next two years, 45% of organizations will experience an attack on their software supply chain.
Each of these threats calls for a multi-pronged response. Taken together, they involve such complexity that they require renewed focus on a proven but often-overlooked strategy: defense-in-depth (DiD) cybersecurity. Here’s why you need DiD in 2023 – and how to make DiD work for your firm.
Defense in Depth (DiD) for Your Cyber Team
DiD is an approach to cybersecurity that applies a portfolio of policies, practices, and technologies to optimize the integrity of your networks, the availability of your systems, and the confidentiality of your data.
DiD acknowledges that there’s no single solution to cybersecurity – and that complete elimination of cyber incidents isn’t realistic. Instead, layers of protection work together to meaningfully reduce cyber risk. In the face of cyberattacks, what one layer fails to deflect, another blocks, ensuring that your data remains protected.
For your IT department and cyber team, that means deploying the most effective cybersecurity technology. But simply throwing technology at the problem can become an expensive and ultimately ineffective tactic. Instead, start with a cybersecurity framework that dictates the policies, procedures, and technologies your firm requires to meet your unique needs.
The Center for Internet Security (CIS) offers a set of critical security controls that can help you prioritize your cyber defenses. That includes proper configuration of existing systems and protections to help you get the most from current investments. Crucially, the CIS controls enable you to score protections for a quantitative approach to security.
From a technical perspective, virtually every firm requires these DiD layers:
Vulnerability management – To strengthen defenses, you need a clear picture of deficiencies. Vulnerability assessments and penetration testing identify current and potential security weaknesses in your systems, networks, applications, and endpoints. Look for malware, misconfigurations, hosts communicating with botnets, webservices linking to malicious content, and other issues that require remediation.
Security information and event management (SIEM) – As cyberattacks proliferate, cyber teams are inundated with data and alerts. You need a way to separate the signal from the noise, and that’s the role of SIEM. Firms are increasingly turning to a managed SIEM service for real-time analysis of security data to identify anomalies and patterns that indicate risk.
Endpoint detection and response (EDR) – EDR equips PCs, laptops, and mobile devices with antivirus protection, intrusion detection, and alerts to continuously secure your endpoints.
Credential management – Cyber breaches often start as account takeovers (ATOs), and ATOs often begin with stolen credentials. Dark-web monitoring continuously scans the internet to identify stolen credentials and reduce ATOs in your firm.
Cybersecurity training – An incredible 82% of data breaches involve human error, misuse, or social engineering, according to the Verizon 2022 Data Breach Investigations Report. That makes training an essential part of your DiD strategy. In particular, phishing training, testing, and reporting can significantly reduce the risk of social-engineering attacks.
DiD for Business Decision-makers
Business decision-makers should approach DiD somewhat differently than their IT counterparts. If you’re setting strategy for how cybersecurity will drive business continuity, enable regulatory compliance, safeguard customer information, and sustain your firm’s reputation, think about DiD in terms of overall risk management. With these factors in mind, your DiD layers should involve:
Cybersecurity governance – Your security standards should be based on industry best practices and your business goals. Key aspects of governance include acceptable use policy, access rights policy, and a detailed business impact analysis of a cyber breach.
Risk assessment and management – You need a clear understanding of external threats and internal weaknesses to understand how cyber risk affects your firm. Perform regular vulnerability scanning, cyber-control reviews, and other cyber risk assessments, and then prioritize remediations based on your risk profile.
Policy reviews and updates – You can’t protect sensitive data, comply with regulations, and ensure business continuity without first establishing clear policies. And because cyber threats and business goals change, you need to review and update those policies regularly.
Vendor risk management – Suppliers and business partners can be a source of cyber risk. Conduct regular assessments of vendor risk, categorize vendors accordingly, and work with partners to address weaknesses.
Incident response planning – No matter how strong your cyber defenses, attacks can get through. You need a plan for responding to incidents and minimizing the fallout. Conduct real-world tabletop exercises so that you’re prepared to respond to events such as malware attacks, network breaches, or data theft.
Ultimately, DiD helps you approach cybersecurity in a holistic way. Prioritize your DiD efforts by identifying your most crucial IT resources and your biggest security gaps. You can then strengthen protections incrementally, maintaining metrics to prove to regulators, customers, and yourself that you’re making progress.
Smaller firms can find DiD daunting, and even large, mature firms recognize the value of expert guidance. A growing number achieve DiD through managed security services – including outsourcing the chief information security officer (CISO) role. CISO as a service can enable your firm to consistently and cost-effectively achieve DiD cybersecurity – while focusing your resources on serving customers and achieving business growth.
