If you thought the past few years were bad for cybersecurity breaches, take a deep breath before contemplating what’s happening in 2023. Our current defenses may not be ready.
Bad actors are honing their existing attack vectors and opening new ones that many companies have barely begun to think about. For example, artificial intelligence technology is found in everything from autonomous vehicles to voice assistants, home security and medical devices; attacks on these technologies are likely to increase. Security practices once seen as iron-clad, such as biometrics and password managers, are becoming more vulnerable as hackers get smarter—just remember the recent breach of LastPass, a widely used password manager.
In the face of widespread attacks, companies across industries need to review their people, processes and technology. In my work, I see many businesses displaying a false sense of security. They feel they are ready, but this illusion is often shattered when their defenses are seriously tested.
Time to play offense
No company can prevent every attack, but you can prepare your organization to mitigate risks and respond rapidly and effectively to breaches. Here are some ways you can go on the offense instead of simply defending:
As your company begins its 2023 budget process, ensure that IT and security teams have a sufficient budget to do their jobs well. Your C-suite, including the CEO, CFO and CISO/CIO, should have cyber security performance metrics that hold them accountable. Hire at least one board member with cyber security expertise who knows the right questions to ask.
Moving into 2023 gives you a new impetus to ensure that your plans are not only comprehensive and constantly updated, but battle-tested. The following are four controls every company should have, along with how to strengthen them.
1. Vulnerability Scanning and Penetration Testing. If you know your weaknesses, you will be in a better position to fend off attacks. Going into 2023, make sure you regularly conduct vulnerability scanning and penetration testing that covers all your mission-critical systems. Do not exclude AI or biometric systems from these checks. Testing can be done in-house, but you can also hire a third party to bring a fresh set of eyes; they can combine social and technical tactics to find weak spots in your systems that you would otherwise miss.
2. Active System and Network Monitoring. Right now, a company of any size in any industry may be threatened by malware that has quietly penetrated its systems and is waiting to spread and wreak havoc. Without software that monitors for and detects these threats, malicious intruders can sit in your systems for months—a particularly big risk for healthcare and financial companies that store sensitive personal data, as well as for biometric software companies. Security information and event management (SIEM) tools should include software that monitors and logs threats. But software alone is not enough. Companies should hire trained professionals to ensure that the SIEM is ingesting the correct information and raising the correct alerts, and that the right people are trained to interpret those alerts and execute response plans.
3. Incident Response Planning. You just got hacked – now what? Without an incident response plan, the answer will not be clear. With attacks increasing, it is important to have a well-developed plan. In an emergency, you need to mobilize quickly and make people aware of their roles. Yet these measures alone are still not sufficient; plans must be tested. If simulating a real-life event isn’t possible, it’s important to at least walk through the plan in a table-top exercise: you need to know which parts work—and which don’t—before a real incident occurs. Digital forensics firms can also assist in investigating and remediating attacks, if needed.
4. Security Awareness Training. A financial controller receives an email that looks like it’s from the CFO, requesting a wire transfer to a customer with new banking details. The controller sends it over – and another phishing scam has succeeded. Despite education and planning, employees are still falling victim to these scams. Your security team should regularly test the readiness of employees by sending simulated phishing emails and seeing how many employees fall for them. Use the lessons learned to improve your security awareness training. Offer incentives for passing a phishing test—a gift card to a local restaurant, coffee with a C-suite executive, or an extra vacation day. Companies should also replace old-fashioned PowerPoint-style security awareness training with interactive programs, which include things like multiple-choice question/answer sessions or interactive case studies with true/false scenarios.
Does all this cost time and money? Unfortunately yes. But the investment is well worth it considering the potentially catastrophic costs of a breach – the risks of which are increasing by the day.