Year after year, we are observing large-scale cyber-attacks happening in our local environment, as opposed to recent history, when they were a critical matter only overseas or in distant Russian gangs. Consequently, cybersecurity management is developing as one of the essential strategic processes in organizations.
Preliminary data from the Si-Cert* National Response Centre shows that among the incidents handled in 2023, phishing was by far the most common means of attack, followed by various types of fraud. Trojan horses were the leader in attacks with malicious code, while the misuse of an unprivileged user account dominated breaches. The Verizon report** also shows that the human factor still plays the most crucial role in hacking: 74% of intrusions started with an attack on the end-user, and a quarter of attacks involved ransomware. It should be remembered that the number of attacks is increasing yearly; based on the data collected so far, Si-Cert has recorded 4% more incidents in 2023 than in 2022.
What does this brief statistic tell us? Cyber-attacks are increasing yearly, but the end-user remains the primary target. It is much easier to fool a human being than to bypass the protections of security devices, and since the human user cannot be taken out of the picture, cybercrime is thriving.
From the point of view of corporate cybersecurity managers, it is more difficult to sufficiently educate employees on how to act safely in the cyber world than to install an additional security device. Although many companies ensure that their employees are regularly educated about cyber threats, there may always be either a new employee who has not yet passed security training or an existing user who does not want to do the training, is not sufficiently aware of the risk of cyber intrusions, or even deliberately (e.g. out of spite or revenge) harms the employer.
When considering options for how to move forward with cybersecurity management, we should consider the new NIST Cybersecurity Framework***, which introduces the category of governance in addition to identification, protection, detection, response and recovery. Governance is essential for all the other five steps of cybersecurity management, as it places the importance of security at the highest level of an organisation’s management. The governance segment connects all the other building blocks of cybersecurity and contributes to a coherent information security picture of the entire organisation.
Based on our experience, at least among large companies in Slovenia, regular cybersecurity testing is on the rise. Still, it is mainly performed as testing of individual network segments or software. These one-time projects require much flexibility from both contractors and clients, as the timing often depends on other stakeholders, such as internal development teams or external contractors. This kind of testing provides a fragmented picture that it would be useful to integrate into a coherent whole.
How can we connect fragmented testing into a meaningful whole? The first step is to plan security tests at least annually. Determining which systems or applications to test in the current year can be difficult. Testing everything every year may also be unnecessary, especially if there have been no major changes. However, conducting an internal network test every year is sensible, supported by an extensive external test and quarterly network scans. Compare the results of the scans and gain insights into the changes occurring at the perimeter so you can act accordingly.
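A minimal way to carry out the quarterly scan comparison described above, as an added example that is not part of the original article: it diffs two constructed CSV exports of perimeter scans (the column layout, the TEST-NET-3 addresses and the list of priority services are all assumptions) and flags newly exposed management services for immediate review.

```python
"""Diff two quarterly perimeter scan exports (constructed data, added example)."""
import csv
from io import StringIO

# Management/database services that should not be reachable from the internet (assumed list).
PRIORITY_SERVICES = {"ssh", "rdp", "smb", "telnet", "vnc", "mysql", "postgresql", "redis"}

def parse_scan(text):
    """Parse a CSV export with columns host,port,proto,service,banner
    into {(host, port, proto): (service, banner)}."""
    scan = {}
    for row in csv.DictReader(StringIO(text.strip())):
        key = (row["host"], int(row["port"]), row["proto"])
        scan[key] = (row["service"], row["banner"])
    return scan

def diff_scans(previous, current):
    """Return (new, closed, changed): services that appeared, disappeared or changed banner."""
    new = {k: v for k, v in current.items() if k not in previous}
    closed = {k: v for k, v in previous.items() if k not in current}
    changed = {k: (previous[k], current[k])
               for k in previous.keys() & current.keys() if previous[k] != current[k]}
    return new, closed, changed

def priority_findings(new):
    """Newly exposed services from PRIORITY_SERVICES, sorted for the report."""
    return sorted(k for k, (service, _) in new.items() if service in PRIORITY_SERVICES)

# Constructed sample exports using the TEST-NET-3 documentation range.
Q1_SCAN = """host,port,proto,service,banner
203.0.113.10,80,tcp,http,nginx/1.24.0
203.0.113.10,443,tcp,https,nginx/1.24.0
203.0.113.20,25,tcp,smtp,Postfix
203.0.113.20,8080,tcp,http,Jetty
"""
Q2_SCAN = """host,port,proto,service,banner
203.0.113.10,80,tcp,http,nginx/1.25.3
203.0.113.10,443,tcp,https,nginx/1.25.3
203.0.113.20,25,tcp,smtp,Postfix
203.0.113.30,22,tcp,ssh,OpenSSH_9.6
203.0.113.30,3389,tcp,rdp,Microsoft Terminal Services
"""

if __name__ == "__main__":
    new, closed, changed = diff_scans(parse_scan(Q1_SCAN), parse_scan(Q2_SCAN))
    for label, items in (("NEW", new), ("CLOSED", closed), ("CHANGED", changed)):
        for key, value in sorted(items.items()):
            print(f"{label:8} {key[0]}:{key[1]}/{key[2]} {value}")
    print("Priority review:", priority_findings(new))
```

Run against real exports, the "NEW" and "Priority review" sections are the items to raise with the asset owner first; "CHANGED" banners usually indicate upgrades or replaced systems worth confirming.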
A large proportion of Slovenian organisations will become subject to the new Information Security Act in the next two years, which will also define best practices more precisely regarding security tests and the monitoring of the security posture of suppliers, in line with the requirements of the NIS2 Directive. The requirement for annual testing is an incentive for more focused planning, opening the opportunity for a broader and more structured review of security posture. It may happen that specific plans go beyond the annual timeframe and would be better spread over a more extended period. This is also an established practice, as collaborations between organisations and security test providers often run on a three-year cycle. In addition to well-thought-out planning of improvements, this approach also results in better responsiveness on both sides and, thus, faster implementation of changes. The relationship with the security service provider evolves from a project-based one to an ongoing consultative one, giving the company faster access to information, solutions, and improvements.
As mentioned before, another aspect of the continuous monitoring and improvement of cyber security is monitoring suppliers' security posture. This is to protect our organisation from attacks along the supply chain that could compromise our systems because of a supplier's low level of cybersecurity. We monitor the security posture of suppliers using solutions that scan companies' external networks in a non-invasive way and categorise the results according to different areas of cybersecurity. The results are regularly reviewed by the company, which can also work with a security testing partner to improve its cyber security.
To conclude, organisations can best protect themselves against cyber attacks with an integrated cyber security management strategy. While it is understandable that the strategy for small businesses will be significantly different from that of large enterprises, it is essential that each organisation identifies the risks based on its IT assets, user and supplier structure, assesses them and, based on this assessment, draws up a list of actions and improvements to be implemented over a given period.