Mitigate Cyber Risk by Building a Security Program Focused on the Basics

Cyber threats are top of mind for individuals, businesses, and public entities alike. The World Economic Forum's Global Risks Report 2024 ranked “cyber insecurity” the 4th most severe risk over the two-year horizon and 8th over the ten-year horizon, one indication of how widespread the concern is. The consequences of insufficient cyber security can be critical for any individual or organization that must protect sensitive data, meet legal obligations, maintain operational uptime, and limit the financial or reputational damage caused by cyber incidents.

Until fairly recently, cyber security was an afterthought: how do we undo the damage from the attack we just suffered with the fewest repercussions? As many have discovered the hard way, it is not always possible to emerge from an incident unscathed. Fortunately, all parties, from individual users to international corporations, have in recent years become more proactive and engaged in safeguarding their digital assets before an attack occurs. Even so, there is still a general sense of insecurity about cyber maturity and the evolution of cyber risk.

To address this situation, Dan Ackerman, Cyber Risk Solutions Architect for Zurich North America, Zurich Resilience Solutions, was invited to share his insights on some of the most common questions we are asked about navigating the current and future threat landscape.

Question: Businesses and individual users are justifiably concerned about cyber threats and general cyber insecurity. What can both businesses and individual users do to strengthen their cybersecurity posture and lessen the risk of being victimized by threat actors?

Response: Speaking with insureds and prospects, a good portion of the conversation is around basic cyber hygiene. In looking at some of the latest cyber events, a lot of them come down to the same initial threat vectors that we have been dealing with for years: unpatched or unknown vulnerabilities, stolen credentials, and social engineering. I try to focus our conversations on making sure all organizations, regardless of size, are prioritizing the basics that I refer to as the “blocking and tackling” of cyber security. Following the basics will go a long way towards detecting malicious activity.

  • Are you utilizing Multi-Factor Authentication and, in general, what is the state of the credential management program?
  • What is the state of the vulnerability management program?
  • Are you performing regular vulnerability scanning? If yes, what tool(s) do you use?
  • How does this integrate with the patching program?
  • How are employees being trained and tested on cyber security?


Q: People often ask which is a “better” program to follow for an enhanced security posture, prevention or active detection & response: how do you respond to that question?

R: Much attention is given to preventing an event from ever taking place, when the reality is we need to focus on detecting and responding to malicious activity. Prevention would be great, but it is not always possible given the constant evolution of threat tactics and technology. To successfully detect and respond to cyber threats, we really need to focus on 2 main things:

  1. Enhancing Visibility: Does the organization have visibility into all of the device and user activity on their network?
  2. Preparation: Is the organization prepared with an appropriate and effective response plan when something inevitably is detected?

Q: With the plethora of software, tools, services, and providers on the market, it can be overwhelming to simply get started with this process. How would you respond to a business or individual who is new to developing their cybersecurity program?

R: This is a great question. I would start by asking a follow-up question: What is the state of your cyber security program? If they are new to cyber or new to the organization, they may not know the answer. In that case, this is the perfect question.

My advice would be to start with a controls assessment linked to a common framework or benchmarks, including the NIST CSF or CIS Benchmarks. The proper choice can depend on the industry and regulatory requirements of the organization and is best determined in consultation with an experienced cybersecurity team. Are they in finance and do they have PCI [payment card industry] requirements, as an example?


If the client is not following any specific guidance, I would start by guiding them down this path of discussing their regulatory requirements to help them determine the best way to assess and improve their current controls and security posture. They need to determine their current state, their desired state, and how to effectively measure their program.

Q: A common refrain in the cyber world is that the landscape is ‘constantly evolving’. How can businesses and individuals better ensure they are keeping up with this evolution when they are not cybersecurity experts themselves?

R: I think this all comes down to the same items I mentioned above. They need to establish an effective way to measure and communicate the maturity of their cybersecurity program. This comes down to building a program that suits your organization's needs based on controls and frameworks that have been proven effective. The most important things to remember are enhancing visibility and preparing for a potential cyber attack.

The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group. SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy.
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright © 2024 SpearTip, LLC
