Creds

Cybersecurity not fully in the picture yet?

The importance of cybersecurity in business continues to increase. It is no longer a question of whether a company will be attacked, but when. Laws and regulations, together with a steady stream of security incidents, are pushing cybersecurity higher up the agenda. It is therefore about time that businesses take action.

But where should you start to make your business as resilient as possible? Companies are deploying new technologies more often and at a faster pace, while attackers are becoming smarter and more sophisticated. On top of this, companies are increasingly at risk of losing their grip on cloud security. Thanks to the cloud, information is available anytime and anywhere, but that same reachability enlarges the attack surface and makes misconfigured systems especially vulnerable.

Developments in laws and regulations

The fact that the Dutch government also recognises the importance of digital resilience is demonstrated by the transposition of the EU NIS2 directive into Dutch law. Although NIS2 will not apply to every company, it makes sense to follow it, because it provides good guidance for a cyber security policy. Besides, it is expected that more and more companies will have to comply with such requirements in the future.

Technology and human behaviour

The resilience of a company depends on two aspects: technology and human behaviour. Even if you harden your organisation's IT infrastructure, an employee who accidentally shares their password or other sensitive company data with a malicious party can still cause a cyber incident. Even with all possible measures in place, the risk of an incident remains. That is why it is useful to develop procedures for when things do go wrong, such as a data breach, so that any damage can be kept to a minimum.

Where do you start?

In short, as early as possible, ideally before an application is built or a system is deployed. By including security in every sprint from the start of a development project, you can test the measures in every phase of the project. In addition, take a close look at the security of your cloud environment. There are major differences between the security measures offered by cloud service providers, and when you build custom solutions on top of a public cloud, you need to take extra risks into consideration.

Finally, it is a necessity to continuously train employees in cybersecurity awareness.

Risk classification

Whenever you intend to improve the security of existing systems, a risk inventory is the starting point. This involves proactively reviewing your IT systems and infrastructure. Regular pen tests and assessments reveal vulnerabilities inside systems and networks.

Based on your core business risk profiles and crown jewels, you define attack profiles. With these, you subsequently expose the attack paths that lead towards your crown jewels. Maintain a recurring overview of all risks that represent potential entry points for malicious actors, and assess each of them in terms of availability, integrity and confidentiality. You can do this, for example, with the Automated Red Teaming platform CREDS ART.

Prioritising actions

A red team engagement provides a concrete picture of the security risks posed by the various threat actors relevant to your organisation. Based on its recommendations, the desired set of preventive and reactive measures can be implemented to reach the intended security level. Once the right measures are in place, the next step is to carefully manage all mitigations and systems.

This includes applying updates promptly and responding to security alerts, for example in the case of suspicious login attempts.

Cybersecurity must remain a priority

As threats and stricter legislation from the government increase, cybersecurity should be a top priority for business. Unfortunately, this is not always the case, which is worrying. When clients, partners and stakeholders get the impression that a company is not seriously investing in cybersecurity, it damages trust and leads to lost business opportunities. The recommendations listed above can help you take the first steps.

In addition, it is good to realise that cybersecurity is never 'completed'. It is an everlasting cat-and-mouse game, in which companies test and update their security measures and attackers refine their tactics in response. It is high time that organisations make cybersecurity a daily priority.