Recent events have brought the risk of cyber threats to the forefront for both business and the U.S. government. A 2020 study from the Ponemon Institute reports that it takes 207 days on average to identify a breach and another 73 days to contain it. The attack on SolarWinds (known as the Orion security breach or SUNBURST) validated this statistic. The breach, discovered on December 11, 2020, began as early as September of 2019.
In the recent U.S. Senate testimony regarding the Orion breach, Microsoft President Brad Smith indicated a need for better cyber hygiene and security practices, advocating for a concept called “zero trust.” Smith said, if these were in place, “the attacker would have had only limited success in compromising valuable data even after gaining access to agency environments.”
It is true that basic hygiene, security practices, and zero trust are great habits to adopt. As organizations are putting their cybersecurity strategies together, they should consider three critical elements to maximize the impact of these leading practices. These elements include:
- Governance is how an organization directs and controls IT security. Designing a governance structure is the first step in creating a great cybersecurity program. With it, an organization has a specific and clear plan that states what actions to take and who is authorized to make decisions. Policies, procedures, and practices all fall under governance.
- Technology refers to the ability of the organization’s infrastructure to withstand cybersecurity threats over time as users interact with it. This includes the network, logical, and physical environments that protect an organization’s data and assets. Taking into account the technical element of cybersecurity means conducting regular network penetration tests, access control reviews, and physical security assessments.
- Operations is how an organization exercises security by putting the governance and technical elements into action. For example, an organization may have a well-written incident response (IR) plan with great detection technology. However, if the organization does not exercise the IR plan, it is still at a higher risk. Or take a company that conducts a periodic network penetration test but doesn’t have a way to address the vulnerabilities identified from that test. The threats remain or could even increase. Companies can address the operational element by implementing security programs such as security awareness, vulnerability management, and monitoring, and by ensuring they are current to address existing and new cyber threats. Many organizations are finding they may need to enlist the help of a managed services provider to provide operational support.
When planning a cybersecurity strategy, it is critical to have conversations with key business and IT stakeholders about the governance, technical, and operational elements. Considering all three of these will improve your organization’s ability to address and mitigate risks as well as increase its cyber-resilience. This is what it takes to withstand, respond to, and recover from a cyber-attack.