This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason discusses strategies to make businesses stronger, more resilient, and more secure.
Every January, many gurus, advisers and marketers make big predictions and prognostications for the upcoming year. Cybersecurity experts often chuckle about it because we know that many predictions are either obvious or repeats of advice that businesses have made no progress on.
For 2023, I want to begin the year with strategies that make our businesses stronger, more resilient and more secure. As business leaders who need to manage cybersecurity risk, we want less pontification and more reasonable and actionable approaches to keep us safe. On Business Security Weekly, a podcast I cohost, we recently discussed the core functions or “have to haves” for reasonable cybersecurity practices. These are programs that organizations need to have in place to ensure fundamental safeguards that will have the greatest impact on mitigating risk. They are easy to talk about but not easy to execute. They are the critical initiatives that will help shape businesses’ resilient future; what I have coined, “Cybersecurity Say Easy, Do Hard!”
Know what you have. Asset management is a core function of a cybersecurity program, and I consider it to be the center of the security universe. How can organizations protect assets they don’t even know they have? They can’t. Asset management, or inventory, is considered a critical measure in most of the best-practice frameworks. Unfortunately, carrying out a reliable, effective and efficient asset management program has been one of the key struggles of businesses. But the ramifications of inadequate asset management exponentially increase the risks of cyberattacks. There is no better time than now to build or update the inventory and document hardware, software, data repositories, cloud platforms, vendors, partners and people. Assets are not just hardware but are all of the resources in an organization that can introduce risk.
Manage risk. Now that you know what you have, cyber-risk management is an essential program for today’s businesses, especially with how quickly we are adapting and transforming. Large and small businesses must have proactive visibility into what makes them a target and where they could be attacked. Having an active risk management approach, one that focuses on classifying assets and mitigating risks specific to a business, is a powerful tool that can help executives make better decisions about the risks associated with day-to-day operations.
"Recent surveys state that almost 60% of cyberattack victims have reported that their companies’ breaches could have been avoided by installing available updates."
- Envision's COO Jason Albuquerque
Protect and detect. Endpoint detection and response – or EDR – is a modern security technology that monitors all endpoints in a network, such as computers, laptops and servers. It is on these network endpoints where many outside attacks begin. EDR is a set of unified security solutions that combines real-time protection, behavior analytics and forensics while, at the same time, hunting for dormant threats. All with the end game of identifying, blocking any potential security threats and sounding an alert.
Control access. Managing access to an organization’s resources is the ultimate protection against unauthorized admission to systems and data. This starts with having an identity and access management framework that consists of business processes, policies and technologies that give the organization controls to manage its digital identities and access to data, applications, systems and more. Building and effectively managing these policies protects an organization’s data by controlling user access, based on role and need.
Update, update, update. Studies have shown that system and application vulnerabilities are some of the most common external attack methods. Recent surveys state that almost 60% of cyberattack victims have reported that their companies’ breaches could have been avoided by installing available updates. Just as alarming is that more than 30% of those business leaders knew that they were vulnerable but did not address the risks. Patching these exposures with a patch management program is a preemptive strike against many attack methods on your software, systems and applications. Ultimately, it aids an organization in minimizing its exposure and significantly reducing its cybersecurity risk.
Knowledge is power. Be cyber aware. Cybersecurity awareness is not “check in the box” training to show auditors it’s something you completed. It should be built into the DNA of a company’s workforce. Cyber awareness educates and empowers employees to know about and do things to protect a company’s data and assets. When staff members are cyber aware, it means that they can recognize cyber threats and the potential effect an attack could have on the business, and they can take the necessary steps to reduce risk and even prevent cybercrime from taking place.
As I mentioned, these best practices are “say easy, do hard,” but the time to act is now. Many organizations large and small are at a crossroads. Risks from cyberthreats are increasing, regulatory and compliance mandates are constantly growing, and technology is forever evolving. Begin the journey of enacting these core best practices, whether with internal teams and or by leveraging a business partner to assist. No action is still an action that will place a business, its employees and its clients at significant risk.