In the digital age, protecting an organization’s assets has never been more critical. Cyber threats are evolving, becoming more sophisticated, and appearing with alarming frequency. Yet, organizations often find themselves under-resourced, struggling to keep pace with the threat landscape.
ITSecurityWire Bureau had an insightful interaction with Chris Reffkin, Chief Security & Risk Officer, Fortra, to understand the importance of fortifying defenses by prioritizing remediation efforts, tackling the skills gap, and adopting a culture of continuous improvement in cyber security.
ITSecurityWire Bureau: What advice do you have for organizations that are facing a lack of resources to perform remediation?
Chris Reffkin: Organizations with limited remediation resources should prioritize efforts based on the significance and risks of security assessment findings.
Leaders must evaluate these findings to identify those posing the greatest risk to business objectives and mission. It’s essential to translate technical security issues into business impact terms, explaining how each risk can affect operations, reputation, and the bottom line.
Clear communication, addressing questions like “So what if this vulnerability exists?” and “What’s the risk to our business if this issue is not remediated?” helps demonstrate the real-world consequences of security vulnerabilities.
As the cybersecurity skills gap is seemingly only growing wider, organizations may also have to get creative when it comes to finding additional resources to help in their remediation efforts. For example, upskilling and reskilling efforts within the existing workforce can be especially effective in this area. Personnel learning new skills may find remediation to be a great learning runway, as these initiatives are typically more structured and have clear objectives.
Most importantly, as frustrating as it can be to deal with these shortages, organizations all need to adopt a mindset of continuous improvement. Due to the dynamic nature and increasing complexity of technology, maintaining cybersecurity is a never-ending task.
Even if all of the resources were made available to us, it will always be a challenge to stay ahead. By tackling remediation incrementally and consistently, organizations can systematically strengthen their security posture in a way that is also resource efficient.
Also read: IoT Defense Strategy – Addressing the Remediation Deficit
ITSecurityWire Bureau: Why does lack of patching continue to exist and how can pen testing help mitigate this risk?
Chris Reffkin: Patching is a classic example of a security practice that sounds simple but can be quite a complicated process. The lack of patching persists due to the complexity of maintaining a robust patch management program.
Organizations must manage thousands of virtual and physical assets and numerous applications, coordinating patching efforts with business processes and external dependencies at least monthly. This orchestration is challenging and resource-intensive, leading to gaps in patch management.
Pen testing can help mitigate this risk by focusing limited resources on critical areas and demonstrating the impact of these gaps. Organizations can identify vulnerabilities through pen testing and tie the results to business objectives and specific control elements like patch management.
This targeted approach enables iterative improvements and helps prioritize remediation efforts, ultimately driving significant improvements in the organization’s overall security posture.
ITSecurityWire Bureau: How can pen testing, red teaming and security awareness training help prevent phishing threats?
Chris Reffkin: Pen testing, red teaming, and security awareness training are essential tools in preparing for and mitigating phishing threats.
Security awareness training educates employees on recognizing and avoiding phishing attempts. Some phish are still painfully obvious with strange email addresses, vague requests, and bad spelling. However, the game has changed significantly and it’s harder than ever to differentiate between a well-crafted spear phish and a genuine email.
Security training is ideal for teaching employees to look out for the more subtle signs, like a different reply-to address, unusual timing, or contextual discrepancies that don’t align with your recent activity or the sender’s communication style. These trainings are also great for refreshing employees on best practices and extra measures of precaution, like independently going to a web address instead of clicking a link.
Lastly, these trainings are especially vital for showing personnel their organization’s specific process for reporting suspected phish. Flagging an email is not only helpful for making sure you don’t get repeated attempts, it can also ensure that it never arrives in another employee’s inbox. The less opportunities there are to click, the better.
Pen testing is a great next step, as it can help verify the efficacy of training efforts. How many employees are still prone to click even after a recent training? Is there regression after a certain amount of time has passed? These assessments can help pinpoint where additional training is needed and the optimal cadence. Pen testing not only tells you who is prone to phishing attempts; it also assesses what may happen if someone is successfully phished.
Phishing campaigns can identify potential vulnerabilities and weak points in an organization’s environment, providing a broad analysis of where phishing attacks could exploit gaps in security controls.
Red teaming goes a step further by simulating sophisticated, targeted attacks, showing the real-world impact and consequences of an attack that begins with a successful phishing attempt. For example, many ransomware attacks begin with a phishing attack and end with operations grinding to a halt unless exorbitant sums are paid to threat actors.
These engagements can test an organization’s ability to detect and respond to attackers as they try to gain a foothold, move laterally, access sensitive data, or compromise systems. This comprehensive approach helps organizations understand and improve their defenses, better preparing them to handle phishing threats.
Also read: Why Spear Phishing Is the Next Big Challenge for CISOs
ITSecurityWire Bureau: Could you elaborate some cost-effective ways to approach pen testing?
Chris Reffkin: Cost-effective approaches to pen testing focus on managing the scope and setting clear expectations for the use of results. One effective way to control costs is to schedule testing based on your organization’s risk assessment.
By cycling through different environments or specific systems according to their risk level, you can ensure that higher-risk areas receive more frequent attention.
Instead of attempting to cover everything with one comprehensive assessment annually, it’s more efficient to conduct focused, smaller-scale tests throughout the year. This approach allows for more manageable results and targeted remediation efforts, ensuring that resources are used effectively, and high-risk vulnerabilities are addressed promptly.
Focusing on critical components of your infrastructure can serve two functions. It not only helps to protect an organization’s most essential and sensitive assets; it also simultaneously constructs a business case that showcases the necessity for penetration testing and other offensive security efforts.
A well-documented pen test can provide a detailed picture of the potential damage that could have been incurred had a vulnerability not been discovered, which can serve as an effective demonstration of ROI.
Ultimately, it’s worth remembering that the act of penetration testing is cost-effective. By uncovering security weaknesses and getting guidance on remediation, you’re avoiding the much more expensive, long-term costs of a breach, which can include downtime, recovery, legal penalties, and reputational damage. Preventive action should be the foundation, with defensive interventions as the safeguard.
Conclusion
The multifaceted approach toward bolstering organizational defenses against evolving cyber threats is crucial for maintaining operational integrity and security. Prioritization of remediation efforts based on potential business impact, continuous improvement practices, and strategic resource allocation form the backbone of an effective cybersecurity strategy.
Additionally, pen testing, red teaming, and rigorous security awareness training can significantly enhance an organization’s resilience to phishing and other sophisticated cyber-attacks. By fostering a culture of awareness and proactivity, organizations can navigate the complexities of cybersecurity management and mitigate risks associated with unpatched vulnerabilities and sophisticated phishing schemes.
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
