Today’s cyber threat landscape has transformed information security from an afterthought into perhaps one of the most complex and urgent concerns that organizations face. Traditional perimeter defenses are far less effective than they were 10 years ago. As a result, organizations are beginning to dramatically rethink their approach to cybersecurity, embracing the reality that breaches are inevitable and developing more robust defenses.
When evaluating and updating cybersecurity defenses for better protection in the contemporary threat landscape, organizations should:
1. Consider a holistic approach to security. A holistic point of view aims to understand the evolving threats within the information ecosystem by creating a security architecture that protects information, advances operational processes and manages security operations. Holistic security solutions are always engaged to detect potential threats and vulnerabilities, deploying the appropriate security controls to mitigate potential threats throughout the ecosystem. Design processes must incorporate security from the start and consider it at the device, platform, application and system level. Organizations must put internal governance in place to foster an effective security culture.
A great tool for developing a holistic approach is the NIST Cybersecurity Framework, which helps organizations define a set of cybersecurity goals and security outcomes to best deter and prevent network perimeter compromises.
2. Consider cybersecurity as a continuous and integrated process. The focus on security cannot begin or end when security tools are deployed and implemented. Cybersecurity is a continuous process that influences every sector of the information ecosystem, and it must evolve to support continuous detection and identification of new threats. Risk assessment and vulnerability analysis, secure code review and secure design, and, finally, architecture security review and code traceability are all good examples of this ongoing security process. Threat intelligence research is also imperative in developing innovative defense strategies, which will allow organizations to better prevent cyber attacks. In addition, stakeholders must become invested in security as a continuous process to ensure that security does not become a barrier but an expanding capability.
3. Consider using a defense-in-depth approach. This model is based on the military principle that it is more difficult for an enemy to defeat a complex and multilayered defense system than to penetrate a single barrier. This layered methodology leverages people, technology and operational processes and is proven to meet the most rigorous standards of data confidentiality, integrity and availability, while supporting the ongoing security of mission-critical data more effectively than a single, optimized solution. The defense-in-depth approach provides organizations with visibility at the early stages of an attack, reducing the chances of a major compromise.
4. Consider developing a data classification program. Data classification provides a framework for managing data assets based on their value and associated risks, applying the appropriate levels of protection while taking proprietary, ethical, operational and privacy considerations into account. All of an agency’s information, whether electronic or printed, should be classified. A clear understanding of information assets enables organizations to direct the appropriate security resources to protecting critical data in a more intelligent and cost-effective way.
5. Consider robust cybersecurity training. No matter how many layers of security organizations have in place, an attacker always looks for the weakest link in a system: those employees who leave laptops in parked cars, respond to phishing messages or use weak passwords even when they have administrator privileges. An effective training program should include instruction on detecting and reporting sophisticated email phishing attempts, as well as a review of data protection and password policies, so that employees understand their role in protecting organizational information. Employees should also be trained on workstation, badge, password, infrastructure acceptable use and physical security policies. The program should be integrated into an employee’s onboarding process and revisited annually as required training.