You can’t have good posture without good visibility. This is not a phrase I’ve picked up during those hours of internet yoga classes during lockdown; try saying that in a real-life yoga class and you’ll get some very funny looks indeed. But it does describe the core of an effective cybersecurity strategy.
Your ‘Security Posture’ is a combination of factors:
- Your awareness of current and changing cybersecurity threats.
- The security status of your hardware, software, networks and policies.
- Your understanding of the vulnerabilities in your technical and operational processes.
- The measures you put in place to mitigate risk.
- Your ability to react to and recover from any form of cyberattack or data breach.
‘Visibility’ can be broken down into three areas:
Threats to companies can be general or very specific. What your organization does, what it creates and how its clients interact with it can determine the relative risk of different types of cyber attack as well as the direction from which they come. A manufacturer might be at increased risk from industrial control system attacks or intellectual property theft – possibly from inside. An online shop will be vulnerable to Magecart attacks or business email compromise. And healthcare providers are more threatened by ransomware and data theft.
The popularity or notoriety of a brand, or the politics and tweets of senior management, are an excuse for someone to target a company these days, for their own gain or, perhaps, to sow chaos.
Also under this heading one has to consider the culture of the organization, and whether cybersecurity has buy-in at every level and is given the resources it needs to be delivered effectively.
From an IT viewpoint, any business process that involves a computer introduces a vulnerability. You need to know why and how someone is authorized to carry out a task, what training they’re given, the system they use and how access is revoked when they no longer carry out that set of tasks. If your organization adheres to some kind of compliance rules, then a lot of this will be mandated already. If not, then business process analysis is an important part of business continuity planning. All too often, however, that becomes someone else’s problem.
Much more than a simple audit of servers, networks and end-user devices, technical visibility is the real-time analysis of data flow, access and authorization: where both the threats and vulnerabilities are, what the security status is of every piece of kit, and how each is being used, exploited and protected. This extends out to third-party systems and cloud services that are processing your data.
Even when standing still, the internal environment changes at lightning speed compared to organizational and business process changes. You may complain that you never receive money for new kit, but the computers, servers, firewalls, and all of the software will be receiving a constant stream of updates to counter the ever-growing list of vulnerabilities. Users are constantly joining, leaving, changing roles and probably sharing passwords.
Visibility over the entire technical landscape of an organization is absolutely crucial, and extremely hard to get right. More data is good only if it’s informative and there’s not so much that it becomes overwhelming.
Are you confident in the visibility you have over your whole technical landscape? Is the data you have comprehensive enough for you to make well-informed, critical decisions? If not, then consider speaking to TBG about their Cyber Security Architecture Assessment. They can help you establish and improve your security posture, and will save you time and stress trying to gain that all-important technical visibility.