In 2024, consumers saw an array of cybersecurity incidents that impacted them directly, and in dramatic ways. From the Change Healthcare attack that impacted healthcare systems and prevented some from getting medication, to the more recent issues involving Ahold Delhaize that left grocery stores shelves practically empty right before the Thanksgiving holiday, consumers are feeling the impacts of poor cybersecurity in tangible ways.
While cybersecurity incidents don’t always end up being so direct to the end consumer, the consequences of poor cybersecurity posture can result in eroded trust from the public as well as poor brand reputation. With cybersecurity incidents increasing consistently year over year, and with the impacts being more far-reaching than they have in the past, organizations must ensure they have plans to prepare for, mitigate, and recover from a cyberattack.
Start with Employee Education
The best way to mitigate threats is to ensure that the company’s greatest asset – its employees – are on the lookout for suspicious activity and can easily identify things like phishing emails. However, time and again, it’s been proven that people are susceptible to having their natural inclinations and biases exploited – which is why investing in employee training is absolutely essential to mitigate cyberattacks.
Employees at every level of an organization – from the CEO to the interns – should receive regular cybersecurity training and education. This training should touch on usual best practices around things like avoiding suspicious links and understanding the importance of strong passwords, as well as an overview of new and emerging threats to boost awareness. Employees should also be trained on the best way to report suspicious activity and how to do so in a timely manner to ensure others are aware of whatever scam might be circulating within the organization.
While videos and email reminders are great, simulations give employees a chance to react to real-world scenarios and employers an opportunity to evaluate (and improve) readiness. These tests allow employees to put their skills into practice and can boost awareness of certain threats and attacks (like phishing emails) when navigating online spaces – building a foundation of security into everything that they do.
Understand Where You’re Vulnerable
Not just employees need testing and evaluation—organizations also need to understand where vulnerabilities exist in their systems to better protect them. Penetration tests are a great place to start.
A penetration test simulates attacks on a company’s network and technology stack to identify weaknesses in real-time. Its benefit is that it provides an unbiased, comprehensive assessment of where vulnerabilities lie within systems, meaning that organizations can proactively take steps to patch up these vulnerabilities before they are exploited by bad actors.
Alongside penetration tests, companies should also be undergoing regular risk assessments to better understand their security posture. Risk assessments go even further than penetration tests in that they don’t just consider the technology but the people and processes working with and alongside that technology. By having a view of how everything works together, organizations can better identify holes in everything from the order of operations in the event of a cyber attack to understanding what alerts from systems are being paid attention to (or not). From there, companies can start to take steps to close those gaps, better augment human capabilities with other technologies, and shore up processes to allow for more proactive risk management.
Have a Business Continuity Plan
Even businesses that have prepared extensively can still be hit by a cyberattack, which is why having a business continuity plan is critical to ensure that the organization can quickly respond and continue to operate. These plans test and validate the impact of different systems, technologies, and/or vendors going down so that organizations have a way to save critical data and, most importantly, keep operations running. Having a plan in place can help mitigate financial losses and go a long way in maintaining customer trust.
Business continuity plans should address several of the following areas:
- Redundant Systems: Redundancy and backup solutions – including regular data backups – are key to ensuring continuity should a vendor’s services go down or a technology suddenly become unavailable.
- Communications Protocols: In the event of a security incident, timely communication is critical to addressing questions and getting teams on the same page. There should be open communication lines and protocols with discovered vendors in the event of a security incident.
- Specific Incident Response Procedures: Implement a plan for vendor-based incidents and regularly test them.
Plans should be reviewed and updated at least twice per year, though more is often better. As part of these reviews, companies should perform tabletop exercises and simulations that test current processes and systems. Based on the learnings of these exercises – and emerging threats – companies should go back and update plans to ensure that they are as prepared as possible.
As we’ve seen last year, the impact of overlooking cybersecurity can be dire. Taking proactive steps to educate around, prepare for, and mitigate the impact of cyberattacks can improve readiness and response, ensuring that companies are not just protecting their systems but their reputation and customers as well.
Michael Gray has been a strong technology leader at Thrive over the past decade, contributing to consulting, network engineering, and managed services and product development groups while continually being promoted up the ladder. Michael has a degree in Business Administration from Northeastern University, and he also maintains multiple technical certifications, including Fortinet, Sonicwall, Microsoft, ITIL, and Kaseya, and maintains his Certified Information Systems Security Professional (CISSP).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.