5 Ways To Improve Your Company's Security Posture
by Serena Raymond on Jun 6, 2023 5:00:18 PM
A strong security posture is crucial in an age of growing cybersecurity risks. Fortunately, businesses need not be helpless in the face of danger. There are many positive and proactive ways to identify and manage risks. Indeed, by taking a methodical and holistic approach to cybersecurity, businesses can ensure they strike a robust security posture.
Organizations are facing increased risks
The first step towards a strong security posture is appreciating the profound dangers that businesses face.
Many modern business practices are opening up new fronts of vulnerability for cybercriminals to exploit and attack:
- The increasing use of the Cloud.
- Growing prevalence of DevOps supply chains (often involving third-party applications).
- The growth of remote working (and the mobile security issues this raises).
- The speed of business innovation means that the IT estate of a business can evolve haphazardly.
In addition, the cyber attackers themselves are more varied and adept:
- They develop new approaches and methods - attempting to beat cybersecurity measures and exploit new weaknesses.
- An increasingly challenging global economic outlook may push more people into cybercrime as a potentially profitable enterprise.
- Geopolitical instability is leading to increasing state-backed attacks on businesses and infrastructure.
- The rise of Ransomware as a Service (RaaS) makes cybercrime possible for even non-expert would-be attackers.
- Insider attacks continue to pose a threat.
Finally, the consequences of attacks are becoming increasingly severe:
- The amount extracted from businesses by attacks is increasing (e.g. larger ransoms and more data stolen).
- Growing sanctions for inadequate cybersecurity can compound the cost of attacks (GDPR, for example).
- Attacks are high profile, so the reputational cost for brands can be immense (for example, the SolarWinds attack of 2020).
You cannot afford to fall for myths of cybersecurity complacency. As Stephane Nappo of Société Générale International Banking puts it, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it”. Avoiding such damaging situations requires a forensic and holistic approach to a company’s security posture.
Elements of security posture
Your cybersecurity posture reflects the overall level of safety of your entire IT estate. By necessity, it must encompass everything in your IT estate and ecosystem.
For most businesses, that ecosystem is now vast. It includes everything from your hardware and services, to any third-party resources your organization may be subscribed to (e.g. any hybrid technology solutions). If any aspects of your IT estate are left out, these could become potential weaknesses and undermine your posture.
It is crucial to appreciate the different aspects of an effective security posture:
- Have you identified every asset and element of your IT estate?
- Have you identified all the evolving risks your IT estate faces?
- What security measures are in place, and could these be improved?
- How prepared is your business to respond to incidents?
- How effectively is the security posture embedded throughout your organization?
Having identified these five core areas, we can briefly consider a tip for addressing each one.
5 ways to improve your security posture
Each of the five areas above is significant in its own right. Here are a few ways to get started addressing them.
1. Ongoing inventory of your IT estate
You cannot robustly defend aspects of your IT ecosystem that are not on your radar. Therefore, an accurate and up-to-date inventory of all your IT assets should be at the heart of your security posture. It is crucial—anything missing could become a weak point in your organization, i.e. a potential entry point for an attacker.
This inventory should list everything in your IT estate. Include all your on-site and off-site IT hardware assets. Capture every network and data storage system. It does not matter whether or not they are internet-facing; they could all be vulnerable (even if only to an insider attack), so include them. Detail all applications and services, whether in-house or externally facing. And include all security tools already in use.
Don’t forget any third-party components of your broader IT ecosystem. While not part of your estate, they interact with it and bring additional complexity. This could open up points of weakness for attackers to exploit. Ensure you understand their use, any security issues they raise, and how they interact with the rest of your IT.
Next, identify the relative importance of each asset. Which are more or less critical? What would be the financial or productivity impact if each was compromised? That will help determine which to prioritize.
2. Ongoing risk assessment
Once you have identified all the IT assets in your estate, you should evaluate the cybersecurity risk each one poses.
Consider possible attack vectors for each asset. An attack vector is how a cybercriminal might attack an asset. For instance, phishing emails are an attack vector, as are ransomware, credential theft, encryption, and configuration issues. The likely attack vectors will vary between assets. For instance, your ERP inventory management software will face different risks from those of your CI/CD pipeline.
Take the time to assess the risk across your entire IT estate:
- How might an attack target each element?
- What could go wrong to make such an attack more likely?
- What mistakes might employees (or customers) make that facilitate that attack?
- And how is all this changing over time?
The last point is worth emphasizing. These risk assessments are not static; you should review and update them frequently. You are likely to face an ongoing barrage of attacks of multiple types, ranging from application fraud (using fake details on application forms or over-inflating insurance claims) to phishing attacks.
With robust risk assessments in place, you can be confident you are addressing all the pertinent issues, such as having a secure password management system.
3. Evaluation and improvement of security controls
By this point, you have fulfilled two crucial requirements of a strong security posture:
- You have an accurate and complete inventory of all your assets and your broader IT ecosystem.
- You have also assessed all the possible dangers your IT faces, including attack vectors.
You can now form a detailed picture of all your vulnerabilities. You may hear this referred to as your attack surface: the various ways that a determined assailant could try to breach your organization.
You can then assess to what extent your current security controls protect you. You probably already use a range of measures, including DNS filtering, firewalls to protect your networks, virtual private networks (VPN) for remote access to your networks, and various security tools in your DevOps supply chain. But are these enough to counter the risk?
Be sure to consider any third-party tools that your business uses. For example, what security features does your third-party enterprise-grade VoIP have?
Make a detailed assessment of what each security measure offers to address the risks. But also consider what they do not. There will almost certainly be deficiencies if this is the first thorough review.
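The first three steps (inventory, attack vectors per asset, what each control does and does not cover) can be combined into a simple gap report. The sketch below is an added example, not from the original article; the asset names, control names, criticality values and the scoring rule (criticality multiplied by the number of uncovered vectors) are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int           # step 1: 1 (low) to 5 (business-critical)
    vectors: set               # step 2: attack vectors identified for this asset
    third_party: bool = False

# Constructed sample inventory (hypothetical assets).
INVENTORY = [
    Asset("erp-inventory", 5, {"phishing", "credential theft", "ransomware"}),
    Asset("ci-cd-pipeline", 4, {"credential theft", "configuration issues"}),
    Asset("voip-service", 2, {"credential theft", "configuration issues"}, True),
    Asset("guest-wifi", 1, {"configuration issues"}),
]

# Step 3: each control maps to (vectors it addresses, assets it is deployed on).
# Constructed values; "legacy-ftp" is deliberately absent from the inventory.
CONTROLS = {
    "dns-filtering": ({"phishing", "ransomware"}, {"erp-inventory", "guest-wifi"}),
    "vpn-mfa": ({"credential theft"}, {"erp-inventory", "legacy-ftp"}),
    "pipeline-config-scan": ({"configuration issues"}, {"ci-cd-pipeline"}),
}

def coverage_gaps(inventory, controls):
    """Return (asset, uncovered vectors, score) tuples, highest score first."""
    gaps = []
    for asset in inventory:
        covered = set()
        for vectors, deployed_on in controls.values():
            if asset.name in deployed_on:
                covered |= vectors
        uncovered = asset.vectors - covered
        if uncovered:
            # Assumed scoring rule: criticality x number of uncovered vectors.
            score = asset.criticality * len(uncovered)
            gaps.append((asset.name, sorted(uncovered), score))
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

def unknown_assets(inventory, controls):
    """Assets a control is deployed on that the inventory does not list."""
    known = {a.name for a in inventory}
    seen = {n for _, deployed_on in controls.values() for n in deployed_on}
    return sorted(seen - known)

if __name__ == "__main__":
    for name, vectors, score in coverage_gaps(INVENTORY, CONTROLS):
        print(f"{score:>2}  {name}: no control for {', '.join(vectors)}")
    print("not in inventory:", unknown_assets(INVENTORY, CONTROLS))
```

Assets with no uncovered vectors drop out of the report, and any asset that a control references but the inventory lacks is flagged as an inventory gap to resolve first.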
Worst-case testing and modeling can probe how well your defenses stand up to various potential encroachments, revealing gaps or weaknesses in your security cover. You may discover, for example, vulnerabilities introduced as a result of a recent shift from monolithic application architecture to a microservices approach. You can then take steps to address any identified weaknesses.
Automation and artificial intelligence (AI) are becoming increasingly crucial tools for cybersecurity. By embedding automation in your security practices, you can improve the speed and accuracy of your defenses without increasing headcount. For example, automation can help identify suspicious behavior. AI can analyze and define the 'normal' behavior of users. Then that learning can power automated, real-time monitoring of all future users.
Another option would be to adopt a system of privileged access management. This is a process whereby employees’ access levels and permissions are restricted to the minimum levels required for them to do their job, thereby lowering the risk of a security breach.
4. Live incident response plan
However good your security controls are, you are unlikely to eliminate all the dangers. Even with excellent defenses, attacks may breach them. Therefore, it is essential to have an Incident Response Plan.
It should set out how your business will deal with attacks. It is a set of actions, ready-to-go, as soon as an attack starts. Time is of the essence: Attackers are getting much swifter at carrying out their activities once they have gained access. A strong plan means everyone involved in the response knows what they should do and with whom to liaise. Of course, for all this to work, the Incident Response Plan also needs collective buy-in and support from all key participants.
There should be a focus on lesson learning in the plan. During and after an incident, identify any mistakes made. Investigating what goes wrong will help to refine future responses. However, positivity is crucial. It is about improving future responses, not blame. And it should identify successes, not just missteps.
5. Ongoing collaboration and training
Consider assembling a dedicated IT team to oversee security posture. They should be aware of any changes within or beyond the business that might have an impact. They should be fully involved in the live Incident Response Plan - ready to leap into action should an incident occur.
However, a strong posture requires everyone across the business to play a part. Many cyber attacks succeed due to human error: Employees are tricked into sharing security credentials (e.g. by a social engineering attack) or unwittingly opening an unsafe attachment (via a phishing attack). Well-trained, sensitive employees are some of your best defenses against such dangers.
Constant learning and refinement
Put cybersecurity at the heart of your business. By striking a strong security posture, you protect not only your infrastructure, operations, and finances but also your customers and their data. Robust security should be a fundamental component of offering good customer service. Indeed, the reputation of your brand may depend on it.
And do not be content with a plan from yesterday. Adapt your security measures to address changes both within and beyond your organization. Keep on top of the changing dangers. How will you ensure that your posture will evolve to meet any new challenges? What have you learned from any recent mistakes? With a proactive and determined approach—and with a close eye over your entire IT ecosystem—you need to grasp tomorrow's dangers today.