In view of the growing threats and the ever-changing threat landscape, organizations continue to increase their spending on cybersecurity. Companies also look set to raise the share of the overall IT budget devoted to cyber security as they seek to comply with privacy laws such as the GDPR. A report by consultancy firm EY points out that as many as 70% of organizations say they require up to 25% more funding, and the rest require even more than that. However, only 12% expect to receive an increase of over 25%, says this year's Global Information Security Survey (GISS) for 2017–18.
And it is quite true. As the previous few years have shown, organizations continue to face a wave of attackers of differing levels of sophistication. The past few years have not been good for cyber security: major ransomware and DDoS attacks have taken place, and companies such as Equifax, Deloitte and Uber have suffered high-profile breaches. Organizations can and must fight back with a multilayered response.
In a measured response to the increased threat perception, a few elements need to be in place: employee awareness, building cybersecurity consciousness and password discipline throughout the organization. Respondents to the survey point out that careless employee behaviour represents a significant point of weakness for most organizations. “One of the main things that every CISO needs to focus on is raising awareness of their employees as well as their customers. Educating your employees and making them aware of the risks is important,” says Meetali Sharma, Head, Risk Compliance and Information Security, SDG Software India Ltd.
To defend against common threats, organizations need to make sure that the basic strategic components are in place, says the report. Companies need to stick to the basics, such as patch management, which are crucial to implement. WannaCry is the standard example: Microsoft had already released a patch for the SMB vulnerability the ransomware exploited, about two months before the attack struck in May 2017. The vendor knew these were the vulnerable areas and shipped the fix, but many organizations did not apply it. The attackers did not need a new vulnerability; they exploited one whose patch was already available and simply had not been installed.
“Through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year,” warns Greg Young, Research Vice President at Gartner.
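The two points above, that known and patchable holes go unfixed and that the exploited vulnerabilities are typically over a year old, come down to a question most organizations cannot answer quickly: which hosts are still missing which fixes, and for how long? The script below is an added example, not code from the report or from Gartner, of the kind of patch-exposure check a security team can run over its own inventory. All advisory names, KB numbers, dates and host names are constructed placeholders for the example, not real Microsoft identifiers. It also handles one edge case that trips up naive checks: a later cumulative rollup that supersedes an earlier standalone fix must count as covering it, or fully patched hosts get reported as exposed.

```python
"""Patch-exposure check over a host inventory.

Added example: every advisory, KB number, date and host below is a constructed
placeholder, not a real Microsoft identifier or a real fleet.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                 # hypothetical advisory name
    kb: str                          # the update that delivers the fix
    released: date                   # vendor release date of the fix
    severity: str                    # "critical" or "important"
    supersedes: frozenset = frozenset()   # earlier KBs this update replaces


# Constructed advisory feed: a standalone SMB fix, a later monthly rollup that
# supersedes it, and an unrelated lower-severity fix.
ADVISORIES = (
    Advisory("ADV-2017-010", "KB4000001", date(2017, 3, 14), "critical"),
    Advisory("ADV-2017-030", "KB4000002", date(2017, 6, 13), "critical",
             supersedes=frozenset({"KB4000001"})),
    Advisory("ADV-2017-045", "KB4000003", date(2017, 9, 12), "important"),
)

# Constructed inventory: host name -> set of installed KBs.
HOSTS = {
    "fileserver-01": {"KB4000001", "KB4000003"},   # old SMB fix, but no rollup
    "fileserver-02": {"KB4000002"},                # rollup only; covers KB4000001
    "kiosk-07": set(),                             # never patched
}

# Date the report is generated (fixed here so results are reproducible).
AS_OF = date(2018, 5, 12)


def _covers(installed, kb, advisories):
    """True if `kb` is installed, or any installed update (transitively)
    supersedes it, so a host on the latest rollup is not flagged."""
    if kb in installed:
        return True
    return any(_covers(installed, later.kb, advisories)
               for later in advisories if kb in later.supersedes)


def missing_advisories(installed, as_of=AS_OF, advisories=ADVISORIES):
    """Return [(advisory, days_outstanding)] for fixes absent on one host,
    in feed order. days_outstanding counts from the vendor release date."""
    return [(a, (as_of - a.released).days)
            for a in advisories if not _covers(installed, a.kb, advisories)]


def exposure_report(hosts=HOSTS, as_of=AS_OF, advisories=ADVISORIES):
    """Per-host list of missing fixes and their age in days."""
    return {h: missing_advisories(kbs, as_of, advisories) for h, kbs in hosts.items()}


def stale_critical_hosts(report, min_days=365):
    """Hosts still missing a critical fix released at least `min_days` ago:
    the population the Gartner 'known for at least one year' warning targets."""
    return sorted(h for h, gaps in report.items()
                  if any(a.severity == "critical" and d >= min_days for a, d in gaps))


if __name__ == "__main__":
    report = exposure_report()
    for host, gaps in report.items():
        for adv, days in gaps:
            print(f"{host:15} missing {adv.advisory_id} ({adv.kb}, {adv.severity}) "
                  f"for {days} days")
    print("critical exposure older than a year:", stale_critical_hosts(report))
```

Real inventories come from a configuration-management database or an endpoint agent rather than a dict, and a real supersedence graph comes from the vendor's update catalogue; the logic that matters is the same: compare what each host has against what it should have, weight by severity, and track age, because the hosts that show up in `stale_critical_hosts` are the ones an attacker can hit with a year-old, public exploit.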
“First, create and support a culture of accountability with well-established risk ownership and responsibilities. Next, build an enterprise-wide risk register that accounts for the top risks across all risk domains. Finally, map risk directly, clearly, and defensibly to business goals and objectives,” advises Katell Thielmann, research vice president at Gartner.
Many of the gaps attackers exploit persist because the sophistication of cyberattacks keeps evolving faster than defences do. Organizations will need to adopt new approaches and technologies to keep pace with them.