Adopting an Inside Out Approach to Cybersecurity
September 30, 2020
Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity, data and financial assets that could be stolen or corrupted. Much like physical hygiene, cyber hygiene is regularly conducted to ward off natural deterioration and common threats.
One can think of cyber hygiene as the countermeasures implemented on a network to keep systems and data safe from hackers, fraudsters and negligent employees. It is most effective when implemented in layers: each layer adds to a defense in depth against network threats. The idea is to create robust detection and prevention measures that monitor, identify, alert on and stop threats to the network.
Many Small and Medium-sized Enterprises do not have IT reporting to the C-Suite. Leaders therefore tend to manage cybersecurity on the basis of assumptions about which controls are in place and how far they extend, such as:
- All firewall features are enabled
- Malware detection is fully functional
- Access management parameters are established
- Appropriate wireless security protocols are in use
- Endpoint security covers mobile devices, tablets and laptops
- All software registration certificates are up to date
- Vendor connections are working correctly and are secure
- Security patches are managed and applied
What’s missing is validation that the information surrounding an organization’s cyber defense is accurate. Businesses therefore need to validate controls continuously, rather than measuring security one snapshot at a time.
Understanding inside weaknesses and vulnerabilities is more important than ever. To truly prepare for cyber threats, organizations must operationalize a view of security from the inside out, with cyber hygiene at its core.
For this reason, Alera Group recommends that all companies adopt Continuous Threat Monitoring (CTM). CTM gives ongoing, near-real-time visibility into security systems. Unlike penetration tests or audits, which are point-in-time exercises, continuous monitoring gives more holistic visibility into systems over a longer period and surfaces when a control drifts out of its expected state between assessments. Businesses can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations and, ultimately, improve their cyber posture over time.
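The difference between assuming a control is in place and validating it can be made concrete. The following added example (not code from the original article or from Alera Group) turns several of the assumed controls listed above into checks run against collected evidence. Each check is a hypothetical, simplified rule chosen for illustration; the evidence records, thresholds (one-day evidence freshness, 30-day certificate expiry window, 14-day critical-patch window) and the fixed clock are all constructed assumptions. The point it demonstrates is that a control with no evidence, or with evidence older than the freshness window, is reported as unknown or stale rather than silently counted as passing, which is what separates continuous validation from a single snapshot.

```python
"""Control validation against evidence instead of assumptions (illustrative, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a real collector would use datetime.now(timezone.utc).
NOW = datetime(2020, 9, 30, 12, 0, tzinfo=timezone.utc)
MAX_EVIDENCE_AGE = timedelta(days=1)  # assumed: older evidence is a stale snapshot, not current state


@dataclass
class Evidence:
    control: str          # which assumed control this evidence speaks to
    collected_at: datetime
    data: dict            # collector output, format assumed for this example


def check_firewall(d):
    """Default-deny inbound and no rule allowing every port from the whole internet."""
    wide_open = [r for r in d["rules"]
                 if r["action"] == "allow" and r["src"] == "0.0.0.0/0" and r["port"] == "any"]
    return d["default_inbound"] == "deny" and not wide_open


def check_malware(d):
    """Agent running and signatures refreshed within the last three days (assumed threshold)."""
    return d["agent_running"] and (NOW - d["signatures_updated"]) <= timedelta(days=3)


def check_certificates(d):
    """No certificate already expired or expiring within 30 days (assumed threshold)."""
    return all(c["not_after"] - NOW > timedelta(days=30) for c in d["certificates"])


def check_patching(d):
    """No critical patch outstanding for more than 14 days (assumed threshold)."""
    return all((NOW - p["released"]) <= timedelta(days=14)
               for p in d["pending"] if p["severity"] == "critical")


# Assumed control -> validating check. None means the control is assumed but nothing collects evidence.
CHECKS = {
    "firewall": check_firewall,
    "malware_detection": check_malware,
    "certificates": check_certificates,
    "patch_management": check_patching,
    "wireless_security": None,
}


def validate(evidence):
    """Return a status per control: PASS, FAIL, STALE (evidence too old) or UNKNOWN (no evidence)."""
    by_control = {e.control: e for e in evidence}
    results = {}
    for control, check in CHECKS.items():
        ev = by_control.get(control)
        if ev is None or check is None:
            results[control] = "UNKNOWN"      # the assumption has never been tested
        elif NOW - ev.collected_at > MAX_EVIDENCE_AGE:
            results[control] = "STALE"        # last validated too long ago to count
        else:
            results[control] = "PASS" if check(ev.data) else "FAIL"
    return results


def summarize(results):
    """Metrics a security lead can track over time: how much is validated, how much passes."""
    total = len(results)
    validated = sum(1 for s in results.values() if s in ("PASS", "FAIL"))
    passing = sum(1 for s in results.values() if s == "PASS")
    return {"controls": total, "validated": validated, "passing": passing,
            "coverage_pct": round(100 * validated / total),
            "pass_rate_pct": round(100 * passing / total)}


# Constructed evidence records; none of this is real data.
SAMPLE_EVIDENCE = [
    Evidence("firewall", NOW - timedelta(hours=2), {
        "default_inbound": "deny",
        "rules": [{"action": "allow", "src": "0.0.0.0/0", "port": "443"},
                  {"action": "allow", "src": "10.0.0.0/8", "port": "any"}]}),
    Evidence("malware_detection", NOW - timedelta(hours=1), {
        "agent_running": True, "signatures_updated": NOW - timedelta(days=10)}),
    Evidence("certificates", NOW - timedelta(hours=3), {
        "certificates": [{"name": "www", "not_after": NOW + timedelta(days=200)},
                         {"name": "vpn", "not_after": NOW + timedelta(days=12)}]}),
    Evidence("patch_management", NOW - timedelta(days=5), {   # collected five days ago: stale
        "pending": [{"id": "patch-1", "severity": "critical", "released": NOW - timedelta(days=3)}]}),
]

if __name__ == "__main__":
    results = validate(SAMPLE_EVIDENCE)
    for control, status in results.items():
        print(f"{control:20s} {status}")
    print(summarize(results))
```

Run as a script it reports the firewall as PASS, malware detection and certificates as FAIL, patch management as STALE and wireless security as UNKNOWN, with 60% of controls actually validated and only 20% passing. A checklist that simply ticked the five assumed controls would have reported 100%.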
Companies can approach cybersecurity with an “inside out” view by doing the following:
- Identify the exact points of vulnerability within the attack life cycle. The first point of vulnerability is usually your organization’s own people. Security leaders should help their teams understand how an attacker behaves in the particular segment they are trying to defend, then validate defenses by exercising the incident response process. Practice scenarios show how teams actually respond to threats today, and that tells leaders where defenses need strengthening. From there, proceed systematically through the remaining points of entry and vulnerabilities.
- Measure ROI on cybersecurity investments. Businesses must maintain the trust of their partners and clients, and doing so now means incurring security expenses that were not previously contemplated. That makes it especially important to verify that the organization is getting the expected return on those investments, rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where to invest more heavily.
- Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance-driven: controls are managed across separate enterprise channels and important data goes underused. This encourages a “checklist” mentality that can leave the company vulnerable. Instead, cybersecurity must be aligned with the organization’s biggest risks and mission-critical business needs, supported by tools that deliver holistic, actionable insight. IT must also have a seat at the management table, both to share knowledge and to be held accountable.
- Determine which technologies can be improved and which can be removed from the stack. Cybersecurity personnel manage many products, and it is important to verify which of them are actually working in the environment and which are not. A solution that fits one organization may not fit yours. Identify the products that deliver the most value and fit your current architecture, so that you are not buying capabilities you already own. Mapping security controls in an automated fashion also makes it easier to tag and label identified threats.
- Develop close relationships with cybersecurity resources. Cyber threats keep evolving, and businesses face both the known and a large unknown. Many are under-prepared and/or under-insured for their growing cyber peril, so it is imperative to have a quantifiable way to understand their own network security posture. As cyber perils loom, the focus must shift from a reactive position to an intentional, proactive approach that engages risk management, incident prevention and response. Success comes from integrating technology and forging relationships with third-party providers such as Security Operations (SecOps) experts. Such providers deliver an end-to-end service that identifies a company’s network vulnerabilities, closes gaps, educates employees on how to avoid exposing the network to hackers, provides 24×7 monitoring and establishes a post-incident response plan. Together these attributes reduce the chance of cyber disruption and improve the risk profile.
When you approach security from the outside in, you’re simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.
About the Author
Steve Paulin, CIC is a Risk Management professional and Workers’ Compensation Practice Leader for Orion Risk Management, an Alera Group Company. Steve has over 35 years of experience helping mid-market businesses reach their profit goals by optimizing the insurance program’s financial efficiency and risk management outcomes. Steve has extensive experience with Cyber Risk, and Loss Sensitive plans, including Large Deductible and forming Captive programs.