Establishing a Proactive Cybersecurity Plan
To help organizations shift security left, Greg Young, Vice President of Cybersecurity and CorpDev at Trend Micro, and Andy Anderson, DataStream CEO and Co-Founder, discuss how IT decision makers can educate the board with a proactive cybersecurity plan.
A recent survey with Sapio Research has revealed that 73% of respondents were concerned about the size of their digital attack surface. This overwhelming reaction to the current state of cyber threats affecting organizations is based upon a single fact: remote work. Due to expansions in WFA (work-from-anywhere) labor forces and organizational cloud services, the reality of being exposed to a cyberattack has migrated from “if” to “when.”
This has ushered in a need for organizations to think more proactively about cybersecurity. According to Trend Micro researchers, 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals. Additionally, 82% have felt pressured to downplay the severity of cyber risks to their board.
As a guest on The Cyber Crime Lab Podcast, Greg Young breaks down preemptive steps organizations can take when implementing a cybersecurity risk management plan.
Q: What kind of incidents are you seeing, and what kind of lessons could organizations take from that?
Going all the way back to his time with Gartner, Young stresses that, when organizations are hit with a cyberattack, it doesn’t come as a surprise to members of their security team. This coincides with Trend Micro research revealing that 22% of exploits sold on the cybercriminal underground are more than three years old. In fact, Young shared that “99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”
Q: Being proactive includes actions like addressing known vulnerabilities found in remote desktop protocol and Microsoft Exchange vulnerabilities. Why do you think that they don't get addressed?
While the common perception outside cybersecurity circles is that performing a backup or executing a patch is straightforward, Young explains that it is not as simple as it seems. Because the chief information officer (CIO) no longer owns all of the IT, it is difficult to locate everything within an organization’s environment in order to patch it. According to a recent Gartner study, “More applications than ever are purchased and controlled by line-of-business organizations—not by IT.”
When it comes to industries that deal with the industrial internet of things (IIoT), vulnerabilities may be even tougher to discover. This is because organizations that possess a large amount of industrial compute often keep it separated from the IT side. A Trend Micro study revealed that only approximately 40% of IIoT companies involve their security-related decision-makers. “There's a big wall and they don't want stuff going between that, even the cultures are different on both sides of that. So, it's people, it's cultures, it’s the ability to patch findings and this is the hardest stuff to find,” adds Young.
Q: Many times, you see an organization’s board of directors trying to minimize cost and risk at the same time. How do you see this as a threat to security?
According to Trend Micro™ Research, 69% of business and technology leaders believe that cybersecurity is entirely or mostly a technology area with little or no linkage to the business. This means that an organization’s board is more likely to oppose the interruption of business than an IT team lagging on applying a patch to a vulnerability. As Young explains, “if you sit there and do nothing for many organizations that's indirectly rewarded.”
Q: While using open-source components helps an organization move faster with more flexibility, cybersecurity teams are often plagued with vulnerabilities. How can IT security stay one step ahead?
Using a recent example of a cyber breach on an organization, Young points out that many IT security solutions have open source components buried in their code. IT teams are often unaware of these components, which allows cybercriminals to capitalize on their vulnerabilities.
Trend Micro offers four best practices to mitigate open source code vulnerabilities: maintaining an open-source inventory; tracking open source vulnerabilities and licenses; fixing, patching, and upgrading; and continuously monitoring.
Q: What’s your advice for small and medium-sized businesses when it comes to thinking proactively about cybersecurity?
As an Opinium survey commissioned by Trend Micro revealed, nearly 50% of 1,125 CISO respondents cited the cybersecurity skills gap as a concern for their organization. This led Young to urge organizations that don’t possess proper in-house expertise to outsource their cybersecurity expertise or integrate managed cybersecurity tools.
In addition, Young encourages security leaders to look at their security environment to ensure that, if multiple tools are being used, these products aren’t siloed.