FAQ: Measuring Your Security Posture: How Prepared Are You for Cyber Risks?
Published: Dec 13, 2018
Author: John Loveland
For too long, cybersecurity practitioners have reacted to the evolution of threats by throwing more technology and people at the problem. Too often the strategy leads to a false sense of security without corresponding risk reduction. To really strengthen your security posture, you need a clear focus on the risks facing your organization and an integrated plan to manage them. A recent Forbes article supported that notion by pointing out how important it is to be on top of cyber threat trends. Here are answers to the most commonly asked questions regarding risk assessments and how to build a solid security posture.
1. What are the biggest security threats my organization is facing?
While much of the answer here will ultimately depend on the nature of the data and infrastructure you are trying to protect, looking to common industry patterns is a useful place to start. For instance, in accommodation and hospitality, 90 percent of threats are POS intrusions, while in education social engineering scams are more prevalent. Data theft is a serious problem in the retail and information sectors, while cyber-espionage involving phishing, malware installation and backdoors is the public sector's biggest cyber headache.
2. Should I worry more about internal or external threats?
Both. While internal threats are more common in some industries than others (56 percent in healthcare vs. 10 percent in retail and 1 percent in accommodation), every organization needs robust defenses against both. In aggregate, more than one quarter of attacks (28 percent) involve organization insiders, and 73 percent are the work of outsiders. It takes only one employee clicking an infected attachment or gaining unauthorized access to sensitive data to cause a serious breach.
3. What is the likelihood my organization will suffer a breach?
No organization is immune from a cyber-attack. While it's hard to predict breach likelihood for any one organization, cybersecurity experts often say there are two types of companies: those that know they've been breached and those that don't. For a sense of how pervasive cyber risks are, consider this: Verizon's 2018 Data Breach Investigations Report (DBIR) documents 53,308 security incidents and 2,216 data breaches across 65 countries. The best way to stay out of these statistics is by assessing risk and taking strong, decisive steps to protect your organization's data and people.
4. How can my organization achieve 100% security?
Realistically, you can't. Threats grow and change all the time as threat actors identify new vulnerabilities and refine their methods to prey on unsuspecting victims through phishing and social engineering. Rather than aim for 100% security, organizations should focus on risk management: conduct a comprehensive risk assessment to estimate the probability of a breach, prioritize the organization's data assets, and develop a plan to prevent, mitigate and transfer the risks to them.
5. Why is ransomware such a serious threat?
Ransomware is now the most pervasive malware threat, appearing in 39% of malware cases. It is such a successful attack method because even cybercriminals with modest technical skills can perpetrate an attack by downloading exploit toolkits from the Dark Web. Some variants exploit software vulnerabilities, but more often ransomware gets into networks through phishing, goading users into clicking malicious URLs or attachments. Ransomware attacks can bring operations to a halt when file servers, databases and machines get infected.
6. How much time does my organization have to react to a breach before it causes major damage?
Not much. It takes only seconds or minutes for some ransomware infections to start shutting down systems, so you must be ready to react immediately and effectively to a security alert. At the other extreme, most breaches (68 percent) take months to discover, and by then attackers have probably already stolen plenty of corporate data. Even more troubling, a third party such as a law enforcement agency or partner often notices the breach first, which is embarrassing and hurts an organization's reputation.
7. What steps should my organization take to strengthen its security posture?
Keeping in mind that no plan is 100 percent foolproof, you can take multiple steps to build solid defenses. It starts with vigilance and awareness: monitor all activity in your environment and teach employees safe computing practices, so they know to avoid clicking suspicious attachments and URLs and not to share passwords. Sensitive data should be available only to those who need it for their jobs. Security patches must be applied as soon after release as reasonably possible, because they address the vulnerabilities that attackers most often exploit. Also consider encrypting sensitive data so that it is unreadable if stolen.
8. How do I measure my organization’s risk and security posture?
For best results, you have to look at risks from all angles: outside in, inside out, and through a 360-degree scan. For an outside-in perspective, you need data gathered from public sources, while an internal evaluation (a sort of MRI for the enterprise) looks for malware, unwanted programs and dual-use tools within your endpoints and infrastructure. A 360-degree scan adds to the internal and external views by looking at the security culture and processes within your organization, for a holistic view of your security posture.
9. What is a security posture score?
Your security posture score quantifies how prepared your organization is to deal with the cyber-risks it is facing. Risk scores are built on data-driven insights that help you measure your security ROI in much the same way you would quantify the return on any business investment. Having this information at hand helps you decide how to balance your security investments to get the best risk management results.
10. What solutions or tools are available to help measure my security posture?
We’re glad you asked. Verizon provides two extremely useful tools to help determine your security posture. One is the Data Breach Investigations Report, which has become a must-have for cybersecurity professionals looking for detailed information on current threats. It helps you gain a solid understanding of what your organization is up against.
The second tool is the Verizon Risk Reporting Service, which offers a self-service assessment of the security risks your organization faces, with clear recommendations on where to focus your cybersecurity investments to help reduce your exposure. Results are updated daily, enabling you to see how your security posture improves over time.
Learn more on how you can help protect your valuable data with the Verizon Risk Reporting Service.
John Loveland leads cybersecurity strategy and marketing for Verizon Enterprise Services. He is a seasoned technology industry executive and entrepreneur with 20+ years' experience in leadership positions with public, private and start-up companies. A pioneer in the information risk management disciplines, John has founded companies and built practices in the areas of cyber risk, electronic discovery, regulatory compliance, data privacy, and enterprise information governance.