The cybersecurity industry offers an abundance of high-quality, constructive guidance for organizations. Although this is something to be celebrated, it can also be overwhelming for business and technology leaders who are grappling with the following questions:
- How to determine if the organization’s current cybersecurity posture is good enough?
- How to establish the right priorities within a cybersecurity program?
- How to determine the best way to source the necessary talent, skill, and proficiency to sustain and mature a cybersecurity program?
- How to know which cybersecurity tooling is a must-have, a nice-to-have, and so forth?
- How much to spend on cybersecurity implementation and operations?
Fortunately, there are ways for businesses to navigate the morass of content and have some real light shed on these questions. Kalles Group’s approach is to start by identifying a target cybersecurity baseline and help clients develop the capabilities necessary to achieve and sustain it.
Getting clarity on cybersecurity basics from a trusted report
One of the most valuable resources produced in the industry each year is the Microsoft Digital Defense Report. This report contains a rich distillation of things that have been observed, experienced, analyzed, and actioned over a roughly 12-month period. Organizations turn to it for a simple outline (supported by detail and context) of the main things they should consider doing to protect against common threat campaigns.
Depending upon an organization’s business and technology profile, further areas of implementation could be warranted. But it’s helpful to ensure the basics are covered first.
Let’s look at what the report recommends.
Strategy #1: Enable multi-factor authentication.
This is a critical top priority for any organization. But it might be trickier than you think. Many organizations protect the primary business systems and applications that are being operated with multi-factor authentication. But as organizations continue to perform key business functions “in the cloud,” it’s important to think more broadly about this.
For example, do staff working in back-office functions use third-party software as a service (SaaS) solutions? If so, are they leveraging the native multi-factor capabilities of those solutions to protect critical processes and data? Some organizations don’t require this as a matter of policy and process, because dealing with additional multi-factor authentication solutions can be tricky for staff. After all, it’s a pain to use one solution to access company email and another to access an accounting system … and possibly, yet another to access additional systems.
Cost and operational efficiencies are top priorities for organizations, and these sometimes lead to suboptimal decisions in the area of cybersecurity. In our view, protecting things like back-office systems is just as important as protecting email and other core business technologies, even if it means creating some amount of process and tooling variance for users.
Regardless of user resistance, or even executive resistance, multi-factor authentication should be non-negotiable in almost every organizational context.
Strategy #2: Apply zero trust principles.
The term “zero trust” can appear to be inclusive of an extremely broad range of principles, processes, and tools — and this perception is correct. That said, we can still highlight several basic principles within this concept, and each of these offers a unique value.
Even if an organization starts with simply provisioning and managing user access based upon the principle of “least privilege,” it really helps. Too many organizations fail to make the necessary investment in this area. After all, it’s kind of a pain to do things like:
- Establish Identity and Access Management (IAM) processes that are detailed and nuanced enough to ensure users can only access the resources needed to perform their job
- Regularly review which users have access to which resources and make needed corrections
- Track all these data points across increasingly distributed systems and solutions (especially as cloud adoption continues)
Nonetheless, it’s vitally important to make a real effort in these areas. If a single user’s credentials are compromised and used to access an organization’s systems, the above measures will prevent the malicious actor from accessing anything beyond the resources that are accessible to that individual user. This significantly limits the potential scope of compromise.
Organizations with a more sophisticated and complex technology architecture may need to deploy high-level tooling and automation to cover other zero trust use cases. Regardless, everyone benefits from establishing these basic controls.
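The review described above can be scripted: compare each user’s actual grants against the maximum access their job function needs, flag anything extra or belonging to someone no longer on staff, and measure how far a single compromised credential would reach before and after the corrections. The following is an added example, not Kalles Group’s or Microsoft’s code; the entitlement rows, role baseline, user names and the idea of a separate HR system of record are constructed assumptions for the demonstration.

```python
"""Added example: a least-privilege access review over a constructed entitlement export.

Not the page's or any vendor's code. The row format, role names and users are assumptions.
"""

# Constructed sample: one row per (user, resource, permission), as an IdP or IAM export might list them.
ENTITLEMENTS = [
    ("alice", "crm", "read"),
    ("alice", "crm", "write"),
    ("alice", "payroll", "read"),      # not part of the sales role: excess grant
    ("bob", "accounting", "read"),
    ("bob", "accounting", "write"),
    ("bob", "payroll", "read"),
    ("carol", "crm", "read"),
    ("carol", "payroll", "admin"),     # carol is no longer on staff: orphaned account
    ("dave", "hr-docs", "read"),
]

# Constructed role baseline: the maximum access each job function needs.
ROLE_BASELINE = {
    "sales": {("crm", "read"), ("crm", "write")},
    "finance": {("accounting", "read"), ("accounting", "write"), ("payroll", "read")},
    "hr": {("hr-docs", "read"), ("payroll", "read")},
}

# Constructed HR system of record: who is active and what their job function is.
ACTIVE_STAFF = {"alice": "sales", "bob": "finance", "dave": "hr"}


def review_access(entitlements, active_staff, role_baseline):
    """Return two lists of findings: grants an active user holds beyond their role
    baseline, and every grant held by a user absent from the HR system of record."""
    excess, orphaned = [], []
    for user, resource, perm in entitlements:
        role = active_staff.get(user)
        if role is None:
            orphaned.append((user, resource, perm))
        elif (resource, perm) not in role_baseline.get(role, set()):
            excess.append((user, resource, perm))
    return {"excess": sorted(excess), "orphaned": sorted(orphaned)}


def blast_radius(entitlements, user):
    """Resources reachable if this one user's credential is compromised."""
    return sorted({res for u, res, _ in entitlements if u == user})


def remediated(entitlements, findings):
    """Entitlements that remain after revoking every finding from the review."""
    revoke = set(findings["excess"]) | set(findings["orphaned"])
    return [row for row in entitlements if row not in revoke]


if __name__ == "__main__":
    findings = review_access(ENTITLEMENTS, ACTIVE_STAFF, ROLE_BASELINE)
    for kind, rows in findings.items():
        for row in rows:
            print(f"{kind}: {row}")
    after = remediated(ENTITLEMENTS, findings)
    for user in sorted({u for u, _, _ in ENTITLEMENTS}):
        print(f"{user}: before={blast_radius(ENTITLEMENTS, user)} after={blast_radius(after, user)}")
```

Run on a real export, the interesting output is the two finding lists; the blast-radius comparison is what makes the case to leadership, since it shows in concrete terms how much less a stolen password buys an attacker once the corrections are applied.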
Strategy #3: Use extended detection and response (XDR) and antimalware.
It shouldn’t be challenging for organizations to find software solutions to perform these functions in a highly automated manner. However, it can be difficult to find the resources needed to ensure these solutions are deployed and operated in a way that covers the intended use cases and realizes sufficient value. Devices need just as much protection as credentials, data, and the like, and it’s not enough to rely on the traditional tools that have been used to protect the network from malware for a long time.
The use of a well-integrated XDR solution should be a realistic target for all organizations. And while other components of a reasonable cybersecurity baseline may have a direct impact on user experience (e.g., multi-factor authentication), this one should not. It does, however, require the availability of knowledgeable, experienced resources to properly deploy and operate the solution(s). Help is available for organizations that can’t justify full-time staff for these functions.
Strategy #4: Keep your assets up to date.
This is another “just do it” type of function on the list. If your internal or external (or hybrid) IT team struggles to keep infrastructure and devices updated, it’s worth taking the time to dig in and understand what’s going on. Oftentimes, challenges come from areas of “tech debt” or the persistence of legacy technologies. Assets that are poorly maintained and never replaced eventually reach a state where it can be quite difficult — or even impossible — to apply updates.
Assets usually reach this state due to tough choices around investment. We’ve all been there. It’s important to ask ourselves whether we should put money into developing a new software feature that our users have long been demanding or fund asset maintenance work that’s less visible to users but still really important. When budgets get cut, initiatives that prioritize updating legacy technologies are often the first up on the chopping block.
The tooling deployed by malicious actors is overwhelmingly aimed at older assets that aren’t being properly maintained. Sufficient investment in this area will help protect against those attack campaigns.
Strategy #5: Protect your data.
This one is getting more challenging all the time. An organization’s data can persist in many different places and in a variety of forms. The proliferation of SaaS solutions is a part of this issue, and so is the increasingly distributed nature of business and technology architecture.
It’s critical for an organization to do the following:
- Implement a documented data classification scheme.
- Teach users to recognize what data is sensitive and confidential.
- Train users to treat data appropriately based upon its classification.
- Sufficiently document where the most important and sensitive data is stored and managed.
- Deploy appropriate technology controls to help protect data.
This area often suffers from having its scope persistently reduced, usually due to cost. But it’s critical to get this right. Just as identity and access management (IAM) controls help reduce the potential impact of a compromise, data protection measures do the same.
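The first, fourth and fifth items in the list above fit together as one control: a documented classification scheme, an inventory of which stores are approved to hold which level, and a check that flags data sitting somewhere it shouldn’t. The following is an added example that is not the page’s or Microsoft’s code; the four levels, the store inventory, the content recognisers and the sample records are all constructed assumptions, and the recognisers are deliberately simple stand-ins for whatever a real programme teaches users to spot.

```python
"""Added example: a minimal data-classification scheme and a placement check built on it.

Not the page's or any vendor's code. Levels, stores, patterns and records are assumptions.
"""
import re

# Constructed scheme, ascending sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed store inventory: the highest level each location is documented as approved to hold.
# A store absent from this inventory is undocumented, which is itself a finding.
APPROVED_STORES = {
    "hr-system": "restricted",
    "erp": "confidential",
    "wiki": "internal",
    "marketing-site": "public",
}

# Constructed recognisers, the kind of cues a training programme teaches users to notice.
PATTERNS = {
    "restricted": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],                  # US SSN-shaped number
    "confidential": [re.compile(r"\bsalary\b", re.I),
                     re.compile(r"\bcontract value\b", re.I)],
    "internal": [re.compile(r"\binternal only\b", re.I)],
}

# Constructed sample records: where each piece of data lives and a snippet of its content.
SAMPLE_RECORDS = [
    {"id": 1, "store": "wiki", "text": "Q3 roadmap, internal only"},
    {"id": 2, "store": "wiki", "text": "Offer letter: salary 95,000"},
    {"id": 3, "store": "hr-system", "text": "Employee record, SSN 123-45-6789"},
    {"id": 4, "store": "personal-dropbox", "text": "Lunch menu for Friday"},
    {"id": 5, "store": "marketing-site", "text": "Press release, product launch"},
]


def classify(text):
    """Highest level whose recogniser matches the content; public if none does."""
    level = "public"
    for lvl, pats in PATTERNS.items():
        if RANK[lvl] > RANK[level] and any(p.search(text) for p in pats):
            level = lvl
    return level


def check_placement(records, approved=APPROVED_STORES):
    """Flag records held in a store that is undocumented or not approved for their level.
    Each finding is (record id, classification, store, reason)."""
    findings = []
    for rec in records:
        level = classify(rec["text"])
        cap = approved.get(rec["store"])
        if cap is None:
            findings.append((rec["id"], level, rec["store"], "undocumented store"))
        elif RANK[level] > RANK[cap]:
            findings.append((rec["id"], level, rec["store"], f"store approved only up to {cap}"))
    return findings


def may_share_externally(level):
    """Handling rule: only public data leaves the organization without further review."""
    return RANK[level] <= RANK["public"]


if __name__ == "__main__":
    for finding in check_placement(SAMPLE_RECORDS):
        print(finding)
```

Note that an undocumented store is reported even when the content found in it is harmless: the point of item four in the list is that you cannot apply controls to a location you do not know about, so the inventory gap is the finding, not the particular record that happened to surface it.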
Getting expert help with your cybersecurity baseline
As noted, for the organizations we work with, there may be a handful of other controls that merit being part of a reasonable cybersecurity baseline. However, the basics explored here should be serious considerations for any program.
If your organization struggles to make the needed investment in one or more of these areas, Kalles Group can help. For the fraction of the cost of a single, full-time cybersecurity engineer, we can help your program achieve the right baseline for your organization. We have deep expertise in partnering with internal and external IT teams to help you make progress in these critical areas.