Cyber Risk Management in 2023: The People Element
Explore the latest findings from Trend Micro’s Cyber Risk Index (2H’2022) and discover how to enhance cybersecurity risk management across the digital attack surface.
2022 was full of challenges, including cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero-day attacks. With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.
Top infrastructure risk: people
It’s common knowledge that it’s not if but when your organisation will be the target of a cyberattack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (2H’2022), 80% of 3,700 respondents across four global regions believed they will be successfully attacked in the next 12 months.
The CRI (2H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with their business objectives, which could cause challenges when trying to implement a sound cybersecurity strategy.
It’s important to note that while ideal, avoiding a cyberattack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.
While it's commonly assumed that cyber risk management efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.
In a TrendTalksBizSec discussion, Trend Micro’s Jon Clay, VP of threat intelligence, and Ed Cabrera, chief cybersecurity officer, dig into how the global recession could impact hiring and maintaining cybersecurity professionals within organisations.
Managing people to manage cyber risk
Security leaders have good reason to be concerned about this risk: in the 2H’2022 CRI results, negligent insiders and mobile/remote employees were a top infrastructure concern for organisations globally.
“The people part of the equation is overlooked so much,” Ed Cabrera, chief cybersecurity officer at Trend Micro, said recently. “You can look at any breach out there…and you see people and the breakdown possibly of someone either being exposed to a social engineering attack, be it phishing or smishing.”
With remote/hybrid employees accessing applications, networks, and servers via the cloud, oftentimes from multiple devices sharing an unsecured home network, enterprises are rightfully concerned with risk exposure. Factoring in the 35% increase in business email compromise (BEC) detections and 29% increase in phishing attacks in 2022, it’s paramount to secure the human attack vector to prevent malicious actors from accessing critical infrastructure.
Cyber risk management isn’t always a top priority within an organisation: a top risk from the survey was “my organisation’s senior leadership doesn’t view security as a competitive advantage.” This mindset may hinder efforts to improve the ability to detect and respond to a cyberattack.
Evidently, managing people should go beyond user awareness training regarding business email compromise (BEC) scams, phishing, smishing, etc. CISOs and security leaders must also ensure they have the right teams within their cybersecurity programme with the right skill sets and that those skills are properly maintained as threats evolve.
However, hiring the right staff can be challenging due to a growing cybersecurity workforce gap and the fact that some enterprises may not have the resources to recruit a large team. Choosing a vendor that offers managed services is an effective way to augment teams while managing cyber risk.
Beyond general cyber hygiene, skills training, or leveraging managed services, it is worth drilling down into processes, since it’s people who actually create and manage these processes.
Enhancing cybersecurity processes
After establishing a strong security team, the focus should shift to cementing processes that keep people in check. This is especially crucial with remote/hybrid workforces; with users more widespread and left to their own devices (pun intended), it can be challenging to know who you need to secure. As the adage goes: “you can’t stop what you can’t see.”
By identifying the users within your network, you’re essentially identifying the attack surface, which according to the survey is challenging. “My organisation’s IT security function has the ability to know the physical location of business-critical data assets and applications” was a top concern for respondents.
After security teams have achieved comprehensive visibility across the attack surface, they can establish processes to protect initial attack vectors. They should also manage and monitor users’ identities by deploying a zero trust model.
Leveraging a zero trust approach ensures that access is validated and continuously monitored for suspicious activity to prevent cybercriminals from using legitimate credentials to move undetected across the network.
Taking a risk-based approach to security is proving more effective than a compliance-based approach.
“Compliance is the starting line,” Cabrera said. “In other words, you’re not just thinking about ‘hey, what are we doing about compliance?’ We need to identify that risk…what are the basic elements of that risk. So, we can mitigate it before it gets out of control or to make it more manageable.”
Now that we’ve covered how to effectively manage people and processes, CISOs and security leaders need to consider that even the best, most well-intentioned teams can come up short if the right security technology isn’t in place. And from the survey, many organisations know this is true: “my organisation’s enabling security technologies aren’t sufficient to protect data assets and IT infrastructure” was a top risk globally.
Look for a cybersecurity platform like Trend Micro One that is designed to help security teams better understand, communicate, and mitigate cyber risk across the enterprise. Its capabilities and features, like automation, third-party integrations, customisable APIs, detailed reports and risk insights, were purposefully created to simplify security for users while maximising protection.
To learn more about managing and minimising cyber risk as well as the benefits of leveraging a unified cybersecurity platform, check out these resources: