“We noticed some unusual activity.” That’s how one recent phishing campaign—posing as LinkedIn—began slipping past Google’s email security controls. A link then sent recipients to a sign-in page that mimicked LinkedIn’s branding in an attempt to steal more than 500 users’ credentials.
Social engineering attacks like this have become increasingly sophisticated. Now, with ChatGPT, criminals are equipped with a tool that can help them write convincing emails (in multiple languages), build mock websites, refine malware, and tweak their algorithms to better snatch access credentials in a matter of seconds. It’s no surprise that 51% of IT decision-makers believe there will be a successful cyberattack credited to ChatGPT within the year.
The rise of ChatGPT exemplifies the double-edged sword of adopting advanced technologies—be it IoT devices, AI/ML, cloud computing, or others. As the threat surface expands, so do the risks—even as technologies such as AI offer new capabilities to defenders.
But new tools aren’t everything. While most organizations know they need to invest in such products to protect themselves—global cybersecurity spend is set to jump nearly 15%—simply purchasing them won’t be enough. Companies instead should take a holistic approach that considers how cybersecurity strategy relates to their overall business and align their tactics and spend accordingly. Here’s how they can make it happen.
The cybersecurity terrain is vast and changing—fast. Organizations are aware of the growing vulnerabilities from new IoT devices, AI, and geopolitical tensions.
What they may not be aware of is the sheer scope of these risks—not to mention looming regulatory burdens:
When it comes to cybersecurity, many companies follow a strict framework (e.g., the National Institute of Standards and Technology’s Cybersecurity Framework) or simply build their strategy around meeting compliance requirements. Yet in doing so, they can easily forget to focus on what matters: the actual cyberthreats facing the organization—and what would happen if they were realized.
In other words, executives should build their strategy around how their business actually operates today, focusing on reducing pertinent company-specific threats. For instance, a manufacturer should be more worried about protecting against ransomware that can disrupt revenue-generating systems than about data loss. Frameworks can be a useful guide but should not be the full extent of an organization’s cybersecurity program.
Some important considerations to keep top-of-mind:
What they’re getting wrong: Many companies today are narrowly focused on meeting regulatory requirements or building a cookie-cutter solution. While this approach may seem adequate, companies need to stop and think about the actual risks that affect their company.
How they can get it right: It’s critical to implement key controls, including endpoint detection and response, security monitoring, managed detection and response, off-network backups, an incident response plan, cyber insurance, effective training and asset management, patching protocols, and privileged access management, among others. These controls are part of a full lifecycle vulnerability program, which includes cybersecurity risk assessment, prioritization, assignment, remediation, tracking, and reporting. Fundamentally, organizations must also understand their assets, who’s responsible for them, and anything else that can foundationally impact their company.
What they’re getting wrong: Many companies fall into the trap of overspending on tools—but are not investing in the right tools or don’t know how to properly use them.
How they can get it right: After developing a full lifecycle vulnerability program, organizations should align their cyber budget and spend to the threats that matter most to their company—then learn how to use the tools and track their success against key performance metrics.
What they’re getting wrong: As software companies increasingly migrate their infrastructure to the cloud, they tend to simply “lift and shift” their cybersecurity defenses in kind. But security standards are different in the cloud and organizations can’t simply use the same set of tools.
How they can get it right: Executives should therefore think more strategically about their cloud security. Cloud-native vendors might offer effective solutions, for instance, but don’t necessarily teach their clients how to effectively implement them. Meanwhile, security protocols will shift depending on how organizations consume cloud services (e.g., infrastructure-as-a-service vs. platform-as-a-service)—and companies should prepare for changes to operating models that arise from using the cloud, particularly in a hybrid working environment.
What they’re getting wrong: Many organizations are so concerned with preventing cyberattacks that they aren’t prepared for the hard reality—that, eventually, every organization is going to be attacked.
How they can get it right: Whether you can quickly detect, react to, and recover from breaches is crucial. Remember: Though concentrating on prevention is smart, don’t forget to invest in detection, recovery, and incident response planning as well.
To put the above principles into practice, organizations need a holistic approach that draws on expertise from various practice areas and backgrounds, as well as the current capabilities and objectives of the business. This requires taking a broad look at the overall organization and goes beyond simply implementing safeguards to account for product strategy, customer success, employee management, organizational structure, and more.
It’s about people, process, and technology. The technology is there and pretty much the same across the board. Now is the time to ensure that you have implemented the right processes and have the right people in charge so that you can get the most out of your cybersecurity investments in today’s heightened threat landscape.
Whether your organization is developing a cybersecurity strategy and roadmap, optimizing security tools, or creating cloud security strategies and controls, it’s critical to begin now.