Fall brings with it the opportunity to slow down and refresh – but not for IT and security teams. In fact, in the past few years, fall holidays have been synonymous with bad actors targeting organizations while employees are away.
As businesses gear up for another risky fall holiday season, visibility, control and security hygiene remain paramount for success and stability. Risks come from every direction as employees work while traveling this fall, and the endpoint landscape continues to widen and evolve (hello, AI-enabled devices).
But shoring up one’s security posture is always easier said than done. For organizations struggling with where to focus their security efforts this fall, here are a few ways to avoid cyber traps while preparing for new waves of bad actors.
It’s important to start by defining the worst-case scenarios for your organization. Is it ransomware, data theft, or your CEO getting compromised and ending up on the news? So many things can go wrong in IT and security today that already under-resourced IT and security teams can quickly become overwhelmed and lose sight of what matters most. But by pinpointing nightmare scenarios and understanding the business implications, you can build a cybersecurity strategy tailored to your biggest risks.
For example, if your organization’s biggest concern is ransomware (as is the case for 62% of executives), you need to ask: Where is the data that you care about being ransomed stored? Is it on employees’ workstations, in the cloud, or in SaaS applications? From there, understand how that data is accessed, by which users or services, and from which locations or infrastructure. Finally, answer: How could an attacker obtain the permissions and access required to deploy ransomware on the systems or data you care about?
Once you’ve outlined your worst-case scenarios and defined the risks for each, you can get a better sense of what attack vectors are most likely to be exploited and the impact if successful.
Next, define your organization’s minimum acceptable threshold for operations, so you know where security protocols and policies should apply and how strict they can be without infringing on the business.
For example, one of the easiest ways to protect your organization is to have everyone turn their computers off. Right? No computers = no risks! But then no one would be able to do their job.
While your company may not exist for security (most do not), it’s the job of IT and security teams to ensure that the organization is both operational and secure – which includes understanding the applications and infrastructure requirements of the business and implementing access and controls that follow the principle of least privilege.
Lastly, while organizations and CISOs are investing more in proactive security controls (implementing configuration best practices, limiting who has administration access, and proactively patching devices), striking the right balance between proactive and reactive security practices remains a challenge.
It’s the nature of the beast. A new critical vulnerability comes out, a user has a sign-on they aren’t aware of, or a remote employee’s laptop gets compromised. These are all very real and pertinent threats. And while it’s important to be able to react and respond quickly to these threats in real time, it’s also important to maintain proactive momentum.
Using the critical attack vectors and operational business requirements, IT and security teams can build and execute a roadmap of controls that reduces the likelihood of a successful attack while ensuring the business is not impacted. These controls should prevent, detect, or limit the impact of a compromised user, device or application.
While there’s sure to be a lot of risk floating around this fall, understanding your organization’s unique security risks and operational requirements, and implementing proactive security controls to minimize the likelihood and impact of a breach are surefire ways to ensure that when bad actors come calling, your organization – and your IT team – don’t get burned.