There seems to be something seriously wrong with the digital resilience of Dutch organisations. In the 2019 National Cyber Security Agenda, the National Coordinator for Security and Counterterrorism clearly states that “incidents could have been prevented and damage could have been limited if basic measures had been taken.” While the fear of ‘state actors’ and professional hackers is increasing, it is proving quite a challenge for many organisations to build effective resistance to ordinary threats.
The first step towards increasing resilience is to recognise your vulnerability. When we consider and discuss cybersecurity and how we can protect ourselves in that regard, the conversation quickly turns to technology. Using firewalls and other measures, a wall can be built around an organisation in no time, and that is deemed to be sufficient. This is a fairly reasonable assumption, as long as the threat is external.
Unfortunately, more and more research shows that an increasing number of incidents (up to 50% or more, depending on the study) can be traced back to errors made within the organisation itself. That includes not only malicious employees - which everyone wants to believe they do not have - but particularly negligent or careless behaviour, manipulation (social engineering), poorly configured hardware and software, and unclear, incomplete or even missing processes.
You can get very expensive locks put on your doors, but that won’t do much good if you leave the window open afterwards. Even the best cybersecurity can’t do much about employees that simply walk out the door with your company data. Cheap and easy tricks like phishing or smishing (phishing via text messaging) and simple bluffing often prove to be enough to obtain the data needed to drain entire company accounts. So don’t be fixated on technology. Instead, make sure your workforce and processes are in good order.
Three measures in the mix
The first thing that can help organisations increase their resilience is making the foundation of the organisation manageable. If you don’t know you have a window in the cellar, you can’t check to make sure it’s closed. So make sure you obtain complete and up-to-date insight into the resources, the users and the network traffic of your total infrastructure as soon as possible. That will help to assess the consequences of potential incidents and to better determine where you are vulnerable and in which areas you may have to take additional measures. Furthermore, such insight is essential in order to discover incidents in good time. Organisations often don’t find out about a security incident until months after the fact, and even then only after being notified by others.
The second thing is to ensure that you take at least those measures that everyone should take. If you know there are active intruders around and you leave your windows open, you are sure to be paid an unwanted visit sooner or later. Vulnerability management ensures that well-known vulnerabilities are handled quickly, such as by installing the latest patches and updates and by immediately resolving possible configuration conflicts. At Solvinity and for our clients, that is a process we work on constantly.
It sounds so obvious, but the list of well-known vulnerabilities is exceptionally long, and actively checking whether all those potential problems have been properly resolved is quite a job. At the same time, you can assume that cybercriminals are familiar with those vulnerabilities too. They simply go down the list to see who has their affairs in order and who does not. So make sure you have proper vulnerability management. The last thing you want is to have to explain to your customers after the fact that you could easily have prevented a security problem (you cannot imagine how often this still happens).
And finally, make security the responsibility of everyone in your organisation. In March of this year, Dutch daily newspaper de Volkskrant published an article stating that damage caused by phishing has quadrupled in one year’s time. This is not only because fraud has become more sophisticated but also because people do not sufficiently recognise and acknowledge the risks. They are the weakest link.
The key term here is awareness. Make your people aware of the risks. We regularly test our own employees with social engineering attempts of varying quality and sophistication. Turning this into a competition and sharing the results, along with scores and leaderboards, makes the whole team much more alert when it comes to phishing, suspicious links and other attempts to persuade people to share data or carry out actions that make the company vulnerable.
There are very good, very expensive solutions on the market to protect yourself against advanced external threats, but these are only worth considering if you have your own organisation under control. Insight into your own vulnerability, immediately resolving well-known vulnerabilities, and giving employees a sense of responsibility: that is the basic recipe for a resilient organisation.