Cybersecurity concerns are at the top of the list for business and IT leaders. In this blog, we’re sharing some of the common questions we receive from executives on these concerns and actions to take.
7 Cybersecurity Concerns of Business and IT Leaders
The cybersecurity concerns Fortra’s Alert Logic hears can be bucketed into seven categories:
1. Ransomware is in the news every day. How great is my risk?
The threat of ransomware is very real, and it impacts every company and industry, regardless of size. This year, I’ve spoken with a dentist’s office that was hit with a $1,000 ransom demand, a law firm for $50,000, a software company for $11,000,000, and a hospital system for a 9-figure sum – no one is immune.
Not only that, but the average dwell time (amount of time an attacker is in your environment before you discover their presence and remediate) has decreased from 200+ days to around 30 days, showing how threat actors continue to get more efficient. Remember, cybercrime is a business, and ransomware is the fastest path to profit.
2. My cyber insurance is going up, and my customers are sending more and more cyberattack- and data-integrity-related contract redlines.
I’ve spoken with dozens of company officials who tell me their cyber insurance premiums have significantly increased, despite the fact that they remain incident-free. What’s more, their own customers are sending them questionnaires asking them to elaborate on what they are doing to reduce the risk of a cybercrime related incident.
Vulnerability scanning, endpoint protection, intrusion detection systems, log review, e-mail security, recovery of data compromised in a cyberattack, and more are being requested by insurance companies and customers alike. You’d better be ready to make documentation of your cyber resilience part of your recovery plan.
3. Are we doing enough to protect our business and customers with our work from home (WFH) employees?
With the move to full-time work from home and hybrid environments came some new cybersecurity concerns. Many companies were forced to relax BYOD (bring your own device) policies due to resource constraints and supply chain issues, like the inability to quickly order enough laptops to support WFH.
This introduces a great deal of risk. Are you using endpoint protection and conducting vulnerability scans on your endpoints (employee laptops)? What about personal laptops they may use for company business? What about their smartphones? How are they securing their home Wi-Fi networks? Are you regularly training your employees on cybersecurity and how to remain safe? Have you reviewed your Identity and Access Management (IAM) policies?
4. Are we secure across all environments as we migrate to the cloud?
According to the 2024 Fortra State of Cybersecurity Survey, 64% of enterprises have a hybrid cloud environment. As you plan your cloud migration or hybrid cloud strategy, it’s crucial to keep security top of mind.
When architecting your new environment, make security part of the foundation, not something you “add on” when everything is done. And don’t neglect security in your existing environments, whether private cloud, on-prem, colocation, or another public cloud.
If you don’t have the team or the time to focus on security, consider an option like managed detection and response (MDR). This will enable you to maintain 24/7 coverage across all of your environments, all with a single login (no more switching tools and dashboards for different environments).
5. How do I find cybersecurity employees? How do I retain the ones I have?
According to the Bureau of Labor Statistics, cybersecurity has a 0% unemployment rate, and demand for security analysts is expected to grow 36% by 2029. To say that hiring is difficult is an understatement. I recommend focusing on candidates with the right experience and qualifications and not just a diploma.
You’ll also need an attractive compensation and incentive package that’s focused on more than just the money. Low or no-cost healthcare coverage, 401k matching, and generous PTO allowances are a great start, but don’t forget about training and career development. Covering the costs of licenses and certifications won’t hurt, and neither will offering flexible schedules and WFH policies.
As for retention, these employees want to be a part of a great company culture and to have a voice in decisions that affect them at work. Take care to avoid burning them out and overworking them. And when all else fails, consider outsourcing or augmenting your current security strategy. MDR is a great option to maintain 24/7 coverage with no more worries about talent shortages.
6. I am PCI/HIPAA/GDPR compliant. But am I secure?
Many of us may hate to hear this, but compliance does not equal security. Being compliant means your company is meeting the minimum security requirements of specific regulations at a particular moment in time. Being secure means keeping that compliant infrastructure free from security threats as you operate it, day after day.
If you built your security posture by checking the necessary boxes to become compliant, you should revisit it. I recommend determining what your security goals are and viewing your security posture through that lens, as opposed to the compliance lens, in order to find any gaps. The good news is that many of the tools you have in place for compliance will help you be secure if you are using them appropriately.
Here are some conversations I have all too regularly that help highlight the differences between compliance and security:
- Statement: We conduct vulnerability scans as a part of our compliance requirements.
- Response: That’s great! When was the last scan run? How frequently are you running them? If you aren’t doing them at least daily, why not?
- Statement: To be compliant, we collect and retain our logs for a specific period.
- Response: That’s a great start. Are you analyzing those logs every day for things like anomalous user behavior? Who in your organization is responsible for this, and what tools are they using to help? How are they parsing and tagging all the logs? How far behind are they? Who takes over if they leave the organization?
- Statement: We use an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) to satisfy a compliance requirement.
- Response: That’s a valuable tool that every organization could benefit from. How many alerts are you receiving each day, and who is tasked with validating, triaging, and responding to them? If you have a person or small team responding to hundreds or even thousands of alerts, are you confident that they are giving the appropriate attention to each alert, or do you suspect they may suffer from alert fatigue?
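The second and third exchanges above come down to the same gap: logs are collected and alerts are generated, but nobody turns them into decisions every day. The script below is an added example, not code from Alert Logic or from the original post, showing the smallest useful version of that daily review: it parses a handful of constructed sshd-style authentication lines (the log lines, the per-user "known source IP" baseline, the thresholds and all function names are assumptions for the illustration) and flags three kinds of anomalous user behavior: a burst of failed logins followed by a success, a successful login from a source the user has never used before, and a successful login outside working hours. Each finding carries the evidence a triager needs, which is what keeps a rule like this from becoming another source of alert fatigue.

```python
"""Minimal daily auth-log review: parse, then flag anomalous user behavior."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one day of sshd-style auth events.
SAMPLE_LOG = """\
2024-05-06T02:31:07 sshd: Accepted password for carol from 10.0.0.7
2024-05-06T08:02:11 sshd: Accepted password for alice from 10.0.0.5
2024-05-06T08:15:42 sshd: Accepted password for bob from 10.0.0.9
2024-05-06T13:40:01 sshd: Failed password for alice from 203.0.113.4
2024-05-06T13:40:09 sshd: Failed password for alice from 203.0.113.4
2024-05-06T13:40:18 sshd: Failed password for alice from 203.0.113.4
2024-05-06T13:40:27 sshd: Failed password for alice from 203.0.113.4
2024-05-06T13:40:36 sshd: Failed password for alice from 203.0.113.4
2024-05-06T13:41:02 sshd: Accepted password for alice from 203.0.113.4
2024-05-06T14:05:55 sshd: Failed password for bob from 10.0.0.9
2024-05-06T14:06:10 sshd: Accepted password for bob from 10.0.0.9
"""

# Constructed baseline (assumption): source IPs each user has logged in from before.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.9"},
    "carol": {"10.0.0.7"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Turn raw lines into structured events, sorted by time. Unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, known_sources, fail_threshold=5,
                     window=timedelta(minutes=10), work_hours=(6, 20)):
    """Apply three behavioral rules to successful logins and return findings with evidence."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for e in events:
        key = (e["user"], e["ip"])
        if e["outcome"] == "Failed":
            recent_failures[key].append(e["ts"])
            continue
        # A success: how many failures for this user/IP pair fell inside the window?
        fails = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            findings.append({"rule": "brute_force_then_success", "user": e["user"],
                             "ip": e["ip"], "ts": e["ts"], "failures": len(fails)})
        recent_failures[key] = []  # the success closes the attempt sequence
        if e["ip"] not in known_sources.get(e["user"], set()):
            findings.append({"rule": "new_source_ip", "user": e["user"],
                             "ip": e["ip"], "ts": e["ts"]})
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append({"rule": "off_hours_login", "user": e["user"],
                             "ip": e["ip"], "ts": e["ts"]})
    return findings


def run_daily_review(text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Convenience entry point: parse and detect in one call."""
    return detect_anomalies(parse_log(text), known_sources)


if __name__ == "__main__":
    for f in run_daily_review():
        print(f"{f['ts'].isoformat()} {f['rule']:25} user={f['user']} ip={f['ip']}"
              + (f" failures={f['failures']}" if "failures" in f else ""))
```

On the sample data the review produces exactly three findings: carol's 02:31 login is outside working hours, and alice's 13:41 success is flagged twice, once because five failures preceded it within ten minutes and once because 203.0.113.4 is not in her baseline. Bob's single typo-then-success from his usual address raises nothing, which is the point: the thresholds and the per-user baseline are what separate a reviewable daily report from a firehose. In practice the baseline would be built from the retained logs the compliance requirement already gives you, and the parser would be replaced by whatever your log platform already produces.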
Having the tools does nothing to help you be secure if you aren’t using them and their outputs/data effectively. You should also be constantly reviewing and updating your tool set and the skills of your team to keep up with the pace of change and innovation. But it’s also imperative to recognize that despite the best preventive measures, you need to be ready to respond when an attack is successful. That means having a well-rehearsed response plan inclusive of recovering data that has been encrypted, deleted, or altered by a ransomware attack. This typically means specialized plans and capabilities focused on the other DR – data recovery.
7. What is everybody else doing?
The rise in high-profile cybercrimes has everybody on edge. The threat landscape is constantly evolving, and even experienced security professionals are wondering if they’re doing enough to protect their companies and customers.
Many CTOs are completely frustrated. Imagine spending large amounts of capital on security tools, suffering through lengthy implementations, and hiring and/or training staff, only to feel like you still have unmitigated risk and vulnerabilities and are left open to new and emerging threats.
For some, the answer is moving from a capex model to an opex model, future-proofing, and ensuring they have top security analysts, threat hunters, and PhD-level researchers working to protect them. The move to MDR is more attractive than ever.
If you find yourself wondering what everybody else is doing, are looking for some validation of your current security posture, or just need guidance related to your cybersecurity concerns, reach out to Alert Logic.