Addressing cybersecurity vulnerabilities does not have to be a losing battle
Many companies share the opinion that they are fighting a "losing battle" against cyber threats and security vulnerabilities. The threats are endless, and they are only getting more aggressive and difficult to counter.
This sentiment is echoed by the most recent edition of one annual security report (Priority One Report 2022), which describes 2021 as a banner year for cyberattacks. There is a sense of collective pessimism in being able to sustain cyber defenses, which cost hundreds of thousands of dollars yearly.
Organizations are finding cybersecurity more challenging in view of growing attack surfaces, the shortage in cybersecurity skills, and the emergence of dynamic adversaries. However, things do not have to be as gloomy as they appear. It is not a losing battle when organizations know what they are doing and use the right tools and tech for the job.
Improved attack surface management
Supply chain attacks were among the most prominent cyber threats in 2021. Dozens of companies, including Microsoft and Apple, were affected by this kind of attack. And who could forget the infamous SolarWinds attack, which reportedly cost the affected companies $12 million on average?
The reliance of many businesses on third-party software or service providers has significantly expanded their attack surfaces. Since it is a relatively new setup for many organizations, the unfamiliarity has provided many opportunities for threat actors to exploit vulnerabilities and launch successful attacks.
To mitigate the risks, it is crucial to adopt an effective and efficient attack surface management system as part of an organization's security posture management. This does not apply only to supply chain risks. It covers everything that is considered a potential point of attack, from physical workstations and IoT gadgets to digital assets such as apps and cloud services.
Organizations do not have to start from scratch to come up with a good attack surface management strategy. Existing solutions automate cyber intelligence gathering and analysis as well as the assignment of risk ratings, which helps even those new to attack surface management get acquainted with it easily. These solutions involve continuous scanning, expanded security visibility, the scanning of internal and third-party assets to establish safe integrations or partnerships, and the generation of detailed reports to guide the reduction of risk exposure.
Shrinking and controlling attack surfaces are significant first steps towards addressing security vulnerabilities, and they effectively ease worries over what many fear is a "losing battle." The fight is already partly won when attack surfaces are properly managed.
Filling the cybersecurity skills gap
In its Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap in 2021 report, (ISC)², the world's biggest nonprofit association of certified cybersecurity professionals, revealed that the global cybersecurity workforce shortage was at 2.72 million in 2021. The world’s supply of cybersecurity professionals needs to grow by around 65 percent to keep up with the needs of the times.
A workforce shortage of more than two million is indeed massive, but the good news is that the figure has decreased from 3.12 million the previous year. Addressing the skills gap is a big challenge, but the problem is far from hopeless. "We must put people before technology, invest in their development, and embrace remote work as an opportunity. And perhaps most importantly, organizations must adopt meaningful diversity, equity, and inclusion practices to meet employee expectations and close the gap," says (ISC)² Chief Executive Officer Clar Rosso.
The (ISC)² report lays out some recommendations on how the cybersecurity skills gap can be overcome, based on the responses of the study's participants. More than a third (36 percent) of the participants said that more training would be very helpful in developing the skills existing and new staff need to address current and emerging cybersecurity concerns. The other suggestions are as follows:
- More flexible working conditions for cybersecurity teams (33 percent)
- Diversity, equity, and inclusion (DEI) initiatives (29 percent)
- The use of cloud security service providers (38 percent)
- Deployment of automated and AI-driven solutions to boost efficiency in tasks with manual inputs (37 percent)
- Having cybersecurity staff involved earlier when forging third-party relationships or using third-party solutions (32 percent)
Many organizations are in a position to train, or facilitate the training of, cybersecurity staff and experts. They can attract cybersecurity talent by providing flexible work arrangements, fostering diversity and inclusion, and investing in AI and automated tools. Additionally, they can empower their security workforce by giving them a say in the kind of platforms or solutions integrated into the organization's security posture.
Can organizations operate with a scarcity of cybersecurity talent? This is already the case for many. However, this predicament cannot be allowed to persist, given the adverse consequences uncovered by the (ISC)² study, which include system misconfigurations (32 percent), insufficient time for thorough risk assessment and management (30 percent), risky delays in the patching of critical systems (29 percent), and hasty deployments (27 percent).
Harnessing the power of collaboration
One of the best things to happen in the field of cybersecurity is the collaboration among security firms, experts, governments, nonprofits, and other important players. Everyone understands that the cyber threat landscape has become too big for individual firms to tackle on their own. This collaboration has led to the sharing of threat intelligence and to concerted efforts in identifying, analyzing, and addressing emerging cyberattacks.
The spirit of collaboration is also responsible for the creation of the MITRE ATT&CK framework and other cybersecurity frameworks like the US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) and the Center for Internet Security Critical Security Controls (CIS). These frameworks provide reliable guidance to organizations on how to identify and deal with various cyber threats, especially the most recent ones. The MITRE ATT&CK framework, in particular, offers a comprehensive reference for the latest adversarial tactics and techniques.
Some organizations may think they are fighting threats alone, with only their own resources and limited expertise to rely on. It does not have to be that way, though. The many sophisticated threats such as cross-site scripting, supply chain attacks, and ransomware that create the perception of a "losing battle" are effectively covered by the different cybersecurity frameworks, which are accessible to just about anyone nowadays. Organizations can tap into the fruits of global cybersecurity collaboration without even communicating with other security organizations, simply by integrating these frameworks into their cybersecurity strategies.
In summary
It is understandable why some paint the cyber threat landscape in shades of pessimism. Cyberattacks have been growing and evolving nonstop, even in the midst of a pandemic. However, there are many reasons to remain optimistic. Many organizations may be spending on cybersecurity at levels some would deem unsustainable, but these are likely the organizations that have not yet exhausted their options: efficient attack surface management, AI-powered and automated tools that help bridge the cybersecurity skills gap, and the many tools and resources produced by collaboration among security experts.
Peter Davidson works as a senior business associate helping brands and start-ups make efficient business decisions and plan proper business strategies. He is a big gadget enthusiast who loves to share his views on the latest technologies and applications.