For organizations to have the best chance of minimizing the impact of any cyberattack, it is essential they take a proactive approach and gain visibility into where they are vulnerable. That means developing a resilient mindset throughout the business.
Resilience is becoming an increasingly important part of how organizations approach cybersecurity, as businesses realize the inevitability of attacks and the limitations in only focusing on attempting to stop these.
A study by Gartner finds organizations that leverage the principles of resilience outperform their less resilient peers, and build stronger, more adaptable cybersecurity programs.
Central to this is the concept of creating a truly “zero-trust” mentality, which provides the bedrock for any organization’s cyber strategy. “Zero-trust is not a product but a concept,” explained Tony Fergusson, CISO in Residence at cloud-based cybersecurity platform Zscaler, who helped develop the theory.
Building a resilient mindset is a core element of zero-trust, encouraging individuals to take responsibility for cybersecurity rather than leaving it to IT teams. This means, Fergusson said, actively involving employees in planning exercises to test the impact of a cyberattack, so they can see at first hand just how serious an incident can be. “I’ve been inside the war room and people react very differently,” he said. “Some completely freeze and just don’t know what to do. Others step up and take charge.”
Tabletop exercises, where teams of people meet up to tackle fictitious but plausible scenarios to test how they would respond and take away key lessons for future events, can be an excellent way of helping people understand their role and responsibilities. “We need to sit with the people who are going to be in the crisis room and make sure that we have a plan,” said Fergusson. “Often it can get very mixed up in terms of who is doing what, and the result is that not a lot happens.”
Such exercises can then be used to develop specific roles for individuals in a crisis. “One of the other things I’ve found is that we tend to overreact,” he added. “Sometimes the reaction is to shut everything down. But that can cause even more damage, because maybe some things were still working. Once you’ve turned everything off, it can be difficult to get systems back up and running. That’s not a nice place to be.”
As well as working with employees, organizations need to develop a wider culture of resilience. This means taking a more proactive approach to identifying potential risks rather than relying on more reactive techniques. “Endpoint detection and response and other tools are very much about trying to detect something and respond to it,” said Fergusson. “That time to respond is coming down so much that we need to think about what controls we can put in place. If we can look for where we have risk, then we can mitigate it before something happens.”
A central tenet of the zero-trust concept is removing the attack surface. “You can’t attack what you can’t see,” said Fergusson. “If I remove my attack surface as an organization, that is a proactive measure I can take to prevent an attacker compromising my infrastructure.”
Existing technology can also help organizations take more proactive steps, he added, including Sandbox, which will run applications in a controlled environment to test it, before delivering it to the user. “There’s also now technology like browser isolation,” he said. “This means we can isolate the browser in the cloud and only send the pixels to the user, so if there’s a malicious piece of code, it’s not able to run on the endpoint. It removes the attack surface for the user.”
Breach attack simulation tools and even artificial intelligence can also identify where the biggest risks lie, and how these can be mitigated. “We need to find out what is the most important part of the technology that needs to run and make sure we build resilience around it,” he said, adding that industry standards often only provide a basic minimum in terms of resilience. Once the biggest risks have been identified and mapped, organizations can deploy a risk register and use key performance indicators to drive teams to resolve those.
A resilient mindset also means reviewing how organizations use the technology they have at their disposal. “Sometimes the problem is the way the technology is used or configured,” Fergusson pointed out. “If I have a firewall, but I don’t configure policy in it, how resilient am I going to be against attack? That’s where we have a lot of work to do.”
Underpinning all of this is the need for visibility. “That is a superpower,” concluded Fergusson. “If we’re able to mitigate risk before that attacker comes after us, before that network fails or before that person makes a human error, that’s true resilience.”
To find out more about how Zscaler can help your business build a resilient mindset, visit zscaler.com
-
The writer is Nick Martindale, copywriter for Zscaler.
