What to Do Now to Strengthen Your Cybersecurity in 2021
Cybersecurity is a complex and rapidly changing landscape. Organizations face the challenge of meeting today’s latest security demands and planning their defenses against the possibilities of more uncertainty and disruption in the months and years ahead.
When organizations, both large and small, sent office workers home last year due to COVID-19, security risks increased as a result. Forced to move quickly, organizations often compromised security to keep operations running, and bad actors took advantage. With internal networks, external networks, home networks and cloud infrastructure to defend, IT teams have had their hands full. Still, we can learn from 2020’s challenges and build better defenses against future uncertainties.
Lessons from 2020
Even before the global pandemic took hold, ransomware attacks, one of the most insidious and nerve-wracking types of cybercrime, were rising. Then, between February and March, they jumped 148%.[i] With access to corporate networks via less secure home networks, hackers have had plenty of opportunities to infiltrate organizations, release ransomware, snoop for confidential data worth stealing, or move from one organization’s network to their customer’s environment.
Here’s what we should take away from 2020:
- Cybercriminals will find a way to take advantage of sudden changes in environments.
- Employees remain the first line of defense, but also the weakest link.
- Organizations that make security compromises are the ones who suffer the most from cybercrimes.
- Supply-chain risk is a growing threat vector from state actors, and vetting technology vendors’ supply-chain security becomes mandatory.
- Companies with immature security programs are less prepared for the unexpected, less able to deal with it when it occurs, and more likely to make security compromises to maintain business operations.
The future of cybersecurity has changed as bad actor activity has increased, and new supply chain threats have shone a spotlight on existing vulnerabilities. Given these changes, what expectations should we have moving forward?
- Organizations must up their game: improve their maturity and preparedness, get smarter about optimizing investments and budget, and make sure risk is understood and managed.
- Remote work is not going away, and bad actors know this, so planning needs to include shoring up remote workforce security, such as remote access methods, endpoint security and email protection.
- Cybersecurity Maturity Model Certification (CMMC) must become a priority for Department of Defense suppliers and supply chain organizations.
- Companies should expect a U.S. data privacy law in 2021 as data privacy regulatory pressure increases.
What to Do Now, and How
IT organizations understand the need to reduce cybersecurity risk; the question is what to do first to generate the most significant impact for the effort. In a new white paper, Flexential Professional Services has laid out an actionable cybersecurity maturity model that helps organizations plan for their optimal security posture. The benefit of the model is that it enables quick discovery of where an organization may be “immature” and lays out routes for improvement. The model clarifies the best next steps and investments of limited resources regarding people, processes and technologies. The five levels of cybersecurity maturity in the Flexential model are:
Level 1 - Beginning
Markers of an immature cybersecurity posture include no one dedicated to IT security, the organization not being aware of its security gaps, and no risk or IT security assessments, vulnerability scanning or penetration testing. The organization is not compliant with regulatory requirements, has outdated or missing policies and procedures, and has an ad hoc approach to incident response.
Level 2 - Developing
As an organization’s posture begins to develop, system or network administrators become responsible for cybersecurity. The organization completes an IT security gap analysis or annual risk assessment, and initial vulnerability scans provide a better understanding of vulnerabilities. These organizations perform monthly vendor patching and start to understand their compliance needs but have only minimally documented policies and procedures.
Level 3 - Advancing
Organizations at a more advanced maturity level have a dedicated security administrator, perform annual risk assessments, have executed a formal security assessment and have developed a remediation roadmap. At this stage, vulnerability management includes quarterly scanning, monthly patching and remediation of critical vulnerabilities, and annual (or more frequent) penetration testing. The organization has at least partially documented policies and procedures for security, privacy and governance, including an incident response plan. Efforts are underway to become fully compliant with regulatory requirements and chosen standards and certifications.
Level 4 - Effective
Organizations with effective cybersecurity maturity have a team that includes specialist knowledge. That team updates the risk register at least quarterly, has achieved compliance with all requirements and has fully documented policies, procedures and incident response plans. It is working to implement an IT security framework based on NIST or ISO and is developing a full vulnerability management program.
Level 5 - Proactive
For the most demanding industries or larger organizations, the security team has multiple certifications for cybersecurity, risk and compliance. The organization has a fully implemented IT security framework and vulnerability management program. Penetration testing and social engineering testing occur quarterly. Incident response plans are updated annually. Risk registers, privacy, and security policies and procedures are updated on an ongoing basis. The organization is fully compliant and on track to meet future compliance requirements.
Naturally, an organization may be at the Advancing level in one cybersecurity aspect (such as penetration testing) but only at the Developing level in another (such as incident response planning).
It can feel overwhelming to address current security needs and simultaneously prepare for the next ones. The model’s value is that it defines and clarifies which aspects of cybersecurity to address first and the next stage of maturity to work toward. Every organization must continue to advance its cybersecurity maturity, so straightforward ways to assess current cybersecurity posture and choose the most effective next steps are critical. The only truly poor choice is to do nothing.
Read Simplified Steps to Improve Cybersecurity and assess your organization’s cybersecurity posture with Flexential’s cybersecurity maturity model.