If you think the last few years were bad for cybersecurity breaches, take a deep breath before you consider what’s coming in 2023. Our existing defenses may not be ready for what’s in store.
Bad actors are honing their existing attack vectors and opening new ones that many companies have barely started to think about. For example, artificial intelligence technology is found in everything from autonomous vehicles to voice assistants, home security, and medical devices; attacks on these technologies are likely to increase. Security practices once seen as iron-clad, such as biometrics and password managers, are becoming more vulnerable as hackers get smarter—just remember the recent breach of LastPass, a commonly used password management system.
In the face of widening assaults, companies across all industries need to review their people, process, and technology. In my work, I see too many businesses displaying a false sense of security. They think they’re prepared but that illusion often falls apart when their defenses are seriously tested.
Time to play offense
No company can prevent every attack, but you can position your organization to minimize the risks and respond swiftly and effectively to breaches. Here are a few ways you can play offense instead of defense:
As your company starts its 2023 budget process, ensure that IT and security teams have enough budget to do their jobs well. Your C-suite, including the CEO, CFO and CISO/CIO, should have cybersecurity performance metrics that hold them accountable. Appoint at least one board member with cybersecurity expertise who knows the right questions to ask.
Going into 2023 gives you a fresh impetus to assure your plans are not only comprehensive and constantly updated, but also battle-tested. The following are four controls every company should have in place, as well as how to strengthen them.
1. Vulnerability scanning and penetration testing. You’ll be in a much better position to fend off attacks if you know your weak spots. Going into 2023, make sure you perform regular vulnerability scanning and penetration testing that covers all your mission-critical systems. Don’t exclude AI or biometric systems from these checks. Testing can be done in-house but you can also hire a third party to come at your defenses with fresh eyes; they might combine social and technical tactics to probe for weak spots in your systems that you’d otherwise miss.
2. Actively monitoring systems and networks. Right now, a company of any size in any industry is at risk from malware that has silently penetrated its systems and is waiting to unleash chaos. Without software that monitors and scans for these threats, malicious intruders could be sitting in your systems for months – a particularly big risk for healthcare and financial companies that store sensitive personal data, as well as biometric software companies. Security Information and Event Management (SIEM) tools are must-have software solutions that collect and correlate logs and raise alerts on suspicious activity. But the software alone isn’t enough. Companies should appoint trained professionals to make sure the SIEM is examining the right information, the right alerting is set up, and the right people have been trained on how to interpret the alerts and put plans into action.
3. Incident response planning. You’ve just been hacked – now what? Without an incident response plan, the answer won’t be clear. With attacks on the rise, it’s critical to have a well-developed plan. In an emergency, you need to mobilize quickly, and people should already know their roles. Yet these measures still aren’t enough; plans should be tested. If simulating a real-life incident isn’t feasible, at minimum walk through the plan in a tabletop exercise: you need to know which parts work – and which don’t – before a real-life incident. Digital forensics firms can also help with attack investigation and eradication if needed.
4. Security awareness training. A financial controller receives an email that looks like it’s from the CFO, requesting a wire transfer to a client with new banking details. The controller sends it – and another phishing scam has succeeded. Despite education and planning, employees are still falling for these scams. Your security team should regularly test staff preparedness by sending out simulated phishing emails and measuring how many employees fall for them. Use the lessons learned to shore up your security awareness training. Offer incentives for passing phishing tests – gift cards to a local restaurant, coffee with a C-suite executive, or an extra vacation day. Companies should also replace old-fashioned PowerPoint-style security awareness training with interactive programs that incorporate multiple-choice question/answer sessions or interactive case studies with true/false scenarios.
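Training is one layer; the same CFO wire-transfer scenario can also be caught by a mail-filter check. The example below is added here and is not code from the original article: it flags a message whose display name matches a protected executive but whose sender domain is external, and escalates when the body also carries payment-change language. The executive names, internal domain and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: display names to protect and the company's own domain.
PROTECTED_EXEC_NAMES = {"jane doe"}          # hypothetical CFO
INTERNAL_DOMAINS = {"example.com"}           # hypothetical company domain
# Phrases typical of payment-redirection requests (see the scenario in the article).
PAYMENT_TERMS = re.compile(
    r"\b(wire transfer|new bank(?:ing)? details|updated account|change of bank)\b", re.I)


def assess_message(raw: str) -> dict:
    """Return findings and a verdict: 'hold' (both signals), 'flag' (one) or 'allow'."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []
    # Executive display name arriving from a domain we do not own: classic impersonation.
    if display_name.strip().lower() in PROTECTED_EXEC_NAMES and sender_domain not in INTERNAL_DOMAINS:
        findings.append("executive display name from external domain " + sender_domain)
    if PAYMENT_TERMS.search(text):
        findings.append("payment-change language in body")

    verdict = "hold" if len(findings) == 2 else ("flag" if findings else "allow")
    return {"verdict": verdict, "findings": findings}


# Constructed sample: lookalike domain, executive name, wire-transfer request.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: controller@example.com
Subject: Urgent payment
Content-Type: text/plain; charset="us-ascii"

Please send the wire transfer to the client today; they have new banking details.
"""

# Constructed sample: genuine internal message with no payment language.
SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 budget deck
Content-Type: text/plain; charset="us-ascii"

Please review the Q3 budget deck before Thursday's meeting.
"""
```

A "hold" verdict is a candidate for out-of-band verification by the controller (a phone call to the real CFO) before any payment is made.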
Does all this cost time and money? Unfortunately, yes. But the investment is well worth it considering the potentially devastating costs of a breach—the risks of which are growing by the day.