Cybersecurity in 2022: What to Focus on

not your CISO
Dark Roast Security
3 min read · Mar 13, 2022


I have been facing writer’s block for quite a long time now. I was confused about what to write. There are so many things to write about and yet I could not focus on one. A lot of ideas were bouncing around in my head that I could not materialise. Then I read a quote by Bruce Lee:

“It is not a daily increase, but a daily decrease. Hack away at the inessentials.”

This is what I will be talking about today.

For a cybersecurity professional, removing the inessentials is crucial. To be honest, you cannot focus on everything that falls under the cybersecurity purview. With the ever-changing landscape, improved attack techniques, new technologies being developed, and a constant battle to get things done within budget, it is very important to know what the priorities are.

Being a cybersecurity professional, I feel like these should be our top three priorities:

  • Visibility
  • Incident Detection & Response
  • End-User Awareness

Let’s expand on each of these.

Visibility

You cannot protect what you do not know you have. You should have clear visibility of your organisation's assets, and I am not talking only about infrastructure and endpoints, but also about access, people, procedures, data, and so on. In short, you should know what is going on in the organisation.

Knowing everything that is going on is a daunting task, and reporting it all to the InfoSec department adds yet another step to the process. For starters, begin with an asset register, an access control register and an access entitlement register, and review them more frequently than the interval your policies require.

Automate the feeds into these registers so that they are updated in near real time rather than by hand. Starting with these registers gives you a clear view of the boundary you are protecting, and makes incidents easier to detect and to respond to.
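As an added example (not code from the original post), here is what the automated review of those registers can look like once the feeds exist: an asset register and an access entitlement register are reconciled against what a scanner actually observed on the network and against the HR list of active accounts, and every entry that has not been reviewed within the policy interval is flagged. All hostnames, users, dates and the 90-day review interval are constructed assumptions.

```python
"""Register reconciliation: compare what the asset and entitlement registers
say against what is actually observed, and flag stale reviews.

Added example, not from the original post. All data below is constructed."""
from datetime import date, timedelta

# Constructed asset register: hosts InfoSec believes exist, their owners and
# the date each entry was last reviewed.
ASSET_REGISTER = {
    "web-01": {"owner": "platform", "last_reviewed": date(2022, 1, 10)},
    "db-01": {"owner": "data", "last_reviewed": date(2021, 6, 1)},
    "vpn-gw": {"owner": "network", "last_reviewed": date(2022, 2, 15)},
}

# Constructed observation: hostnames seen on the network this week, as a
# scanner or cloud inventory export would report them.
OBSERVED_HOSTS = {"web-01", "db-01", "jump-02"}

# Constructed access entitlement register: who holds which role on which asset.
ENTITLEMENTS = [
    {"user": "alice", "asset": "db-01", "role": "admin", "last_reviewed": date(2021, 9, 1)},
    {"user": "bob", "asset": "web-01", "role": "deploy", "last_reviewed": date(2022, 3, 1)},
    {"user": "carol", "asset": "vpn-gw", "role": "admin", "last_reviewed": date(2022, 2, 15)},
]

# Constructed HR feed: accounts that should still exist.
ACTIVE_USERS = {"alice", "bob"}

# Constructed "today" (the post's publication date) and review interval
# (assumed 90 days, standing in for whatever the policy states).
TODAY = date(2022, 3, 13)
REVIEW_INTERVAL = timedelta(days=90)


def reconcile(assets, observed, entitlements, active_users, today=TODAY,
              review_interval=REVIEW_INTERVAL):
    """Return the gaps between the registers and reality, sorted for stable output."""
    overdue_before = today - review_interval
    registered = set(assets)
    return {
        # Seen on the network but absent from the register: unknown exposure.
        "unregistered_hosts": sorted(observed - registered),
        # In the register but not seen: either decommissioned or a blind spot
        # in the observation source (e.g. a network device the scanner skips).
        "registered_not_seen": sorted(registered - observed),
        # Register entries nobody has looked at within the review interval.
        "assets_overdue_review": sorted(
            name for name, a in assets.items() if a["last_reviewed"] < overdue_before),
        # Access held by accounts HR no longer lists as active.
        "orphaned_entitlements": sorted(
            f"{e['user']}@{e['asset']}" for e in entitlements if e["user"] not in active_users),
        # Entitlements that refer to assets the register does not know about.
        "entitlements_on_unknown_assets": sorted(
            f"{e['user']}@{e['asset']}" for e in entitlements if e["asset"] not in registered),
        # Entitlements not re-certified within the review interval.
        "entitlements_overdue_review": sorted(
            f"{e['user']}@{e['asset']}" for e in entitlements
            if e["last_reviewed"] < overdue_before),
    }


if __name__ == "__main__":
    for finding, items in reconcile(ASSET_REGISTER, OBSERVED_HOSTS, ENTITLEMENTS, ACTIVE_USERS).items():
        print(f"{finding}: {items or 'none'}")
```

Run on the constructed data, the report flags `jump-02` (on the network, not in the register), `vpn-gw` (in the register, not seen by the scanner), `db-01` and `alice@db-01` as overdue for review, and `carol@vpn-gw` as access held by an account HR no longer lists. Each of those is exactly the kind of gap that goes unnoticed when the registers are reviewed only on the policy's annual cycle.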

Incident Detection & Response

The average time to identify a breach is around 200 days, and the average time to contain one is around 70 days. Taking six months to identify a breach means the attackers have had six months of access to the network to siphon off data.

The quicker you identify a breach, the quicker you can act to stop the attack. The goal should be to detect and thwart the attacker's plan as early as possible in the attack lifecycle; the longer an incident goes undetected, the worse the damage will be.

It is practically impossible to prevent every cyber incident and attack, especially in the era of APTs and 0-days, but you can make sure your organisation is able to detect and respond when a threat does turn up on the network.

End-User Awareness

No matter how expensive and advanced your security tools are, people will still be the weakest link. They are the ones who click on phishing links, reveal sensitive information, reuse passwords, leave their systems unlocked when stepping away, and so on.

No tool prevents all of this, but we can do better at making users aware of the threats they face. Security awareness training needs to be more interactive, and phishing simulations should run more often.

In addition, instilling a culture of security and leading by example are among the things you can do to build user awareness. Rewarding a team member for reporting a phishing email or another security issue, and assigning specific training to those who fall for a simulation, are ways to reinforce a security culture among users.

But wait... what about prevention?

Shouldn’t we focus on prevention? Umm... I will say no.

Contrary to the usual advice, I suggest focusing on the weak areas, and preventive controls should not be one of them. Prevention is crucial to a security program, but it should not be a focus; it should be part of the foundation.

Take server hardening, a preventive control. You should not have to focus on hardening a server: it should be a step in building the server, and the server should not be put into use until it has been properly hardened.

Instead, you should focus on what is happening on the server once it is in use. This is the key. Make prevention the default behaviour, and focus on visibility, incident detection and response, and end-user awareness.
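One way to make "not utilised until hardened" a default rather than a focus is a gate in the build pipeline that refuses to mark a server ready until its configuration meets a baseline. The following is an added example, not code from the original post: it checks a handful of sshd_config directives against a constructed baseline, and resolves repeated directives the way sshd does (the first value wins), which is precisely the case where a hardening script that merely appends "PermitRootLogin no" leaves root login enabled. The baseline and the three configuration texts are constructed assumptions.

```python
"""Hardening gate: a server is not marked ready for service until its sshd
configuration meets a baseline.

Added example, not from the original post. The baseline and config texts are
constructed; only a handful of sshd_config directives are checked."""

# Constructed baseline: directive -> required value. Directive names are
# compared case-insensitively, as sshd treats them.
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
}


def parse_sshd_config(text):
    """Return {directive: value} the way sshd resolves it: comment lines are
    skipped and, for a repeated directive, the FIRST value wins. Parsing stops
    at a Match block, whose directives are conditional (a simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a directive with no argument is an sshd syntax error; ignored here
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def hardening_findings(config_text, baseline=SSHD_BASELINE):
    """List every baseline directive that is absent or set to the wrong value.
    An absent directive counts as a finding even when the compiled-in default
    would satisfy the baseline: the gate should not depend on build defaults."""
    settings = parse_sshd_config(config_text)
    findings = []
    for directive, required in baseline.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append(f"{directive}: not set, required {required}")
        elif actual.lower() != required.lower():
            findings.append(f"{directive}: is {actual}, required {required}")
    return findings


def ready_for_service(config_text, baseline=SSHD_BASELINE):
    """The gate: True only when the hardening step has actually taken effect."""
    return not hardening_findings(config_text, baseline)


# Constructed: sshd_config as a fresh install might ship it.
FRESH_INSTALL = """\
# defaults, not yet hardened
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed: the same file after the hardening step.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

# Constructed: a hardening script appended "PermitRootLogin no" to the end of
# the file, but an earlier line already set it. sshd keeps the first value,
# so root login stays enabled and the gate must say so.
TRAP = """\
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
PermitRootLogin no
"""


if __name__ == "__main__":
    for name, cfg in (("fresh install", FRESH_INSTALL), ("hardened", HARDENED), ("trap", TRAP)):
        print(f"{name}: ready={ready_for_service(cfg)} findings={hardening_findings(cfg)}")
```

Wired into the provisioning pipeline, `ready_for_service` is the step that decides whether the host is handed over at all; nobody has to "focus" on hardening because an unhardened server never reaches the point where it needs watching. The TRAP case is the reason the gate checks the effective configuration rather than trusting that the hardening script ran.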
