How Cyber Resiliency is Weakened by Organizational Struggles
We all know cybercrime is a major threat to businesses, but how much are internal issues impeding your organization’s ability to defend itself?
Cyber resiliency is defined as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources, according to the U.S. National Institute of Standards and Technology (NIST).
In this blog post, we’ll discuss how cyber resiliency can be weakened by organizational issues. We’ll also recommend a few steps your organization can take to overcome these issues and improve its cybersecurity posture.
Resources – The major impediment to cyber resiliency
Most of the struggle to attain strong cyber resiliency can be traced back to one source–a lack of resources. While major corporations can afford to put time and money into protecting themselves from cybercrime, small and mid-sized businesses are less fortunate.
Indeed, the Wall Street Journal found recently that fewer than two-thirds of businesses with under $50 million in revenue had a cybersecurity program in place, compared to 81% of companies with more than $1 billion in revenue. Furthermore, three-quarters of organizations that experienced one or more ransomware incidents in a 12-month period lacked the resources to properly rectify the situation, according to International Data Corporation’s 2021 Future Enterprise Resiliency and Spending Survey.
Constrained cybersecurity resources can manifest themselves in a variety of ways, namely:
- Lack of personnel. Large corporations can afford to have an entire team dedicated to protecting their digital resources. But SMBs often leave it up to a single IT or cybersecurity lead to do all the heavy lifting. When forced to go it alone, cybersecurity leads are more likely to cut corners, leaving their organization exposed to cyber threats.
- Lack of tools. Businesses require a range of tools to help them identify and respond to cyber incidents. Cybersecurity tools such as firewalls (FWs), web application firewalls (WAFs), and identity and access management (IAMs), are all very accessible. Large corporations can afford advanced solutions such as endpoint protection platforms (EPPs) or endpoint threat detection and response (EDR). However, SMBs often lack the money for these tools, weakening cyber resiliency.
- Lack of a process. Under-allocation of resources for cybersecurity can have a myriad of downstream effects, including not focusing sufficiently on the key steps to incident response. For example, an organization might focus solely on eradication, remediation, and recovery, at the expense of preparation, identification, containment, and post-incident review.
The solution – a cost-optimized cybersecurity strategy
A lack of resources may be a legitimate reason to not spend millions on cybersecurity, but it doesn’t justify not having a cybersecurity strategy at all. These days, cyber resiliency can be achieved for a fraction of the price of what the major corporations typically spend on defending themselves.
In a recent study on organizational cyber maturity, McKinsey found that businesses of all sizes were good at communicating cybersecurity requirements to suppliers and third parties, managing the security of remote access, and communicating cybersecurity policies and standards. But it found that smaller organizers struggled to map organization and data flows, conduct regular cybersecurity response simulations, or review and reward code security.
Here are a few ways in which SMBs can improve their cyber resiliency:
- Make cybersecurity an organizational focus. Once you accept that all your most important data is online and that this puts the very existence of your company at risk from cybercriminals, then it is easy to see why cybersecurity should be at the center of your organizational planning–and not just an afterthought.
- Use a managed solution. If your organization lacks the resources to employ a full team of cybersecurity personnel, then consider outsourcing this function. One such way to do this is to leverage a managed solution such as a Security Operations Center (SOC) platform. Provided that the SOC has the critical capabilities to fully secure an organization, an SMB can achieve cyber resiliency without the need to hire an expensive in-house team.
- Security awareness training. Most cybersecurity breaches involve human error. Providing employees with comprehensive security training–and following it up periodically with supplemental or annual training sessions–can help employees recognize when they are being targeted by hackers, protecting company data.
- Strong administrative controls. Complex passwords, especially on administrator accounts are a zero-cost and effective way to prevent brute force attacks. Multi-factor authentication adds another layer of protection and extra peace of mind.
From a top-down perspective, cybersecurity is one of many challenges organizations must deal with. There are different ways in which small or mid-sized businesses can close the cyber resiliency gap with larger corporations. The best answer as usual is “efficient planning”, but that is easier said than done. Considering the pace at which new and more advanced systems and technologies continuously find their way into the market and are adopted, organizations need to look at productivity and security as compatible, as opposed to being contradictory. Of course, finding the most suitable methods for your specific organization is key to reducing cyber risk.