Sick of hearing you should “do more with less?” This is the time to “do fewer things better.”
As you plan your security budget, know that your recommendations to improve cybersecurity will be scrutinized more than ever before.
Expect your CFO to ask: “Don’t we already have a tool that does this?” or “How long will this take to show results?” We can’t forget every CISO’s favorite, “How much will this reduce our cybersecurity risk?”
No budget is unlimited. You’ll have to make tough choices among cybersecurity methods, tools, and techniques.
So, how do you improve your company's cybersecurity posture and focus on the fundamentals? Get those in place, and you’ll reduce risks, build momentum, and gain buy-in for your cyber program.
Below, I’ll share my most effective strategies for improving cybersecurity across your organization.
Not every asset in your IT environment is created equal. Some are vital to the ongoing operations of your business, and those are the ones that deserve your greatest attention.
Make sure you know which IT resources (servers, databases, applications, and dependent systems) are involved in critical processes. Know which ones hold confidential or sensitive information. Those systems must be protected with your most robust, rigorous cybersecurity tools and techniques.
Align your cybersecurity program to business goals and financial impact. When you speak the language of the business, you’ll gain a seat at the decision-making table and have greater chances of obtaining the budget you need to improve your cybersecurity posture. Now might be a good time to transform from a focus on cybersecurity to business security.
The cyber skills gap is widening. Finding talent is harder than ever and it’s essential to keep your best folks motivated. Look for opportunities to automate repetitive, time-consuming processes to avoid burnout.
Expose people on your IT and infosec teams to all types of cybersecurity methods so they can be prepared to step into new roles when needed. Investing in your people is one of the top methods to strengthen your business's capability to respond to cyberattacks and to improve your cybersecurity readiness.
In organizations, cybersecurity isn’t just the responsibility of the infosec team; it’s everyone’s responsibility. Awareness training is a core method to improve cybersecurity.
To be effective, cybersecurity awareness training must involve more than an annual video and online quiz. Assume that a month or so after an annual training, most people will forget 90% of what they’ve been taught. Keep up the training during the year. For example, check whether employees can recognize and avoid a phishing email. A great technique to get employees to learn is to use gamification and make it interactive.
A company that I assisted a few years ago used cartoon storyboards to illustrate how to handle different types of cybersecurity risks, from phishing threats to plugging suspicious USB drives into computers. This was an effective way to simplify the message, which can sometimes get lost deep in IT policies.
Cybersecurity for Dummies is an easy read that can be downloaded for free and shared with your entire team; this should be required reading for new hires across the organization.
The smaller you make your targets, the less likely the cybercriminal is to hit them. Attack surfaces increase because of the explosion of identities and systems in the organization. People download applications or access SaaS tools that IT doesn’t even know about, commonly known as shadow IT. They use different identities for logging into different applications, which creates identity forests that are impossible to reconcile and manage.
To reduce your attack surface, you need an inventory of all privileged accounts so you can eliminate the ones you don’t need. Integration of Identity and Access Management (IAM), Identity Governance and Administration (IGA), and Privileged Access Management (PAM) systems allows you to consolidate privileged identities, so they don’t sprawl out of control.
To help you with your inventorying process, I recommend running one of Delinea’s free discovery tools:
Privileged Account Discovery Tool for Windows
Privileged Account Discovery Tool for Unix
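As an added illustration of what a privileged-account inventory looks like on a Unix host (this is example code written for this article, not Delinea's discovery tool), the script below reads constructed copies of /etc/passwd, /etc/group and sudoers, flags every account that is effectively an administrator, and lists the ones with unrestricted root power that are candidates for removal. The admin group names and the sample accounts are assumptions.

```python
"""Privileged-account inventory for a Unix host, driven by constructed copies of
/etc/passwd, /etc/group and sudoers (added example, not Delinea's discovery tool)."""
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc-deploy:x:1003:1003::/var/lib/deploy:/usr/sbin/nologin
"""
GROUP = """wheel:x:10:alice
sudo:x:27:alice,bob
"""
SUDOERS = """# constructed sudoers
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
bob         ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
svc-deploy  ALL=(ALL) NOPASSWD: ALL
"""
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}   # assumed admin groups
FULL_ADMIN = {"uid 0", "sudo ALL", "sudo ALL without password"}

def inventory(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Map each privileged account to the sorted reasons it counts as privileged."""
    reasons = {}
    flag = lambda user, why: reasons.setdefault(user, set()).add(why)
    for line in passwd.splitlines():                 # uid 0 is root, whatever the name
        name, _, uid = line.split(":")[:3]
        if uid == "0":
            flag(name, "uid 0")
    members = {}
    for line in group.splitlines():                  # membership of admin groups
        gname, _, _, users = line.split(":")
        members[gname] = [u for u in users.split(",") if u]
        if gname in ADMIN_GROUPS:
            for u in members[gname]:
                flag(u, f"member of {gname}")
    for line in sudoers.splitlines():                # user and %group sudo rules
        line = line.split("#")[0].strip()
        if not line:
            continue
        who, spec = line.split(None, 1)
        cmd = spec.rsplit(")", 1)[-1]                # text after the runas clause
        nopass = "NOPASSWD:" in cmd
        why = "sudo " + cmd.replace("NOPASSWD:", "").strip() + (" without password" if nopass else "")
        for u in (members.get(who[1:], []) if who.startswith("%") else [who]):
            flag(u, why)
    return {u: sorted(r) for u, r in reasons.items()}

def full_admins(inv):
    """Accounts with unrestricted root power: the list to cut down to what the business needs."""
    return sorted(u for u, r in inv.items() if FULL_ADMIN & set(r))
```

Run against real files, the same logic also surfaces the second uid-0 account and the passwordless service account that an annual review tends to miss.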
Privileged access controls such as PAM have topped the list of analyst recommendations for improving cybersecurity for many years. PAM tools allow you to set granular permissions for users and machines, so they can access only the resources they need to do their jobs when they need to. Instead of broad, standing privileges, users are given limited access, and then rely on just-in-time, just-enough privilege elevation for limited use.
Automated PAM solutions manage privileges according to policies so that users aren’t tempted to rely on risky security practices like sharing credentials or re-using passwords. In fact, they don’t even need to see or remember passwords at all because everything is controlled behind the scenes.
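To make the difference between standing privileges and just-in-time, just-enough elevation concrete, here is a small added model of a PAM policy broker (example code for this article, not any vendor's API). The roles, scopes, and duration limits are constructed; a grant is tied to one scope, expires on its own, and every decision is written to an audit trail.

```python
"""Just-in-time, just-enough elevation modelled in Python (added example; the policy
table, role names and scope strings are constructed, not a vendor's product)."""
from dataclasses import dataclass, field

# Constructed policy: role -> {scope: maximum seconds a grant may last}.
POLICY = {
    "dba": {"prod-db:read": 3600, "prod-db:admin": 900},
    "sre": {"prod-web:restart": 600},
}

@dataclass
class Grant:
    user: str
    scope: str
    expires: float          # absolute time; no grant is open-ended

@dataclass
class JitBroker:
    roles: dict                                   # user -> role (constructed)
    grants: list = field(default_factory=list)    # only live, time-boxed grants
    audit: list = field(default_factory=list)     # (time, user, scope, outcome)

    def request(self, user, scope, seconds, now):
        """Issue a scoped, time-boxed grant if policy allows; nothing is standing."""
        allowed = POLICY.get(self.roles.get(user), {})
        if scope not in allowed or seconds > allowed[scope]:
            self.audit.append((now, user, scope, "denied"))
            return False
        self.grants.append(Grant(user, scope, now + seconds))
        self.audit.append((now, user, scope, f"granted {seconds}s"))
        return True

    def can(self, user, scope, now):
        """True only while an unexpired grant for exactly this scope exists."""
        self.grants = [g for g in self.grants if g.expires > now]   # drop expired
        return any(g.user == user and g.scope == scope for g in self.grants)
```

The check in `can` is what replaces a shared password: the user never holds the credential, only a grant that lapses by itself.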
Pen testing and vulnerability assessments discover and prove security gaps in your IT system. It’s always helpful to have a third party conduct pen tests or vulnerability assessments to provide an external perspective on your company’s security posture. They run an attack simulation through the eyes of a hacker, using a range of tools and techniques, and test whether an organization’s compensating controls can effectively block or mitigate the damage.
You can also run threat simulations to see how well your teams respond to incidents and give you confidence that your incident response plan has everything covered.
Even after you’ve put all the cybersecurity methods above in place, you have to assume a cyberattack will happen at some point. For that reason, cyber resilience is key.
Make sure you’re prepared to recover quickly to maintain business continuity. That means regular, ideally automated, backups for key systems, plus a process that makes data recovery fast and accurate.
As you move from basic to advanced cybersecurity, it’s time to layer your defenses to create a defense-in-depth strategy. Layers of cyber defense ensure that if one security mechanism fails, another steps up to thwart the attack. This is especially important as your organization scales and becomes more diverse and complex.
For example, you might have one set of security controls that govern initial access, another to check identities (such as MFA), another to block privilege escalation, and another to monitor everything just in case. By having this spectrum of preventive, detective, and mitigating security controls, you’ll have a better chance of stopping a threat somewhere along the attack chain before any real damage is done.
Now that you know how to improve your cybersecurity posture, here are some great free resources to get you started:
Get our free template: Privileged Access Management Policy Template
Download our eBook: Least Privilege Cybersecurity for Dummies
Check out our free tools: Top 15 PAM Tools
Listen to our podcast: Smart Security Awareness Training with Paula Januszkiewicz