If there is one positive we can take from the last sixteen months, it is businesses embracing a more flexible working culture for their employees. Fundamental changes to the traditional nine-to-five working day mean that many companies have, in part, already successfully transformed some of their operations to meet the demands of a new hybrid working world that is now very much the norm.
Yet, while many changes have started to establish themselves and bring positives to workforce morale, there is one part of the operational jigsaw that businesses haven't yet solved, and that's their cybersecurity. Hybrid working practices have introduced a whole new set of complex cybersecurity challenges that many businesses have, firstly, never had to face before and, secondly, haven't yet worked out how to manage. With employee devices moving to unmanaged and untrusted networks and locations, company security is more precarious, identity and access management is harder to oversee, and basic device hygiene and asset management tasks like deploying security patches and updates, which are famously hard to do under even the best circumstances, are proving even harder to enforce and maintain as a result of less frequent IT checks and controls.
The reality is that these challenges are urgent problems for businesses to address. The constant reports of successful ransomware attacks and the steep rise in cyber attacks over the past year reflect how unprepared businesses are when it comes to defending themselves against sophisticated cyber threats. In fact, the majority of business executives across the U.S., U.K., and Canada are willing to pay a cyber ransom just to resume operations.
This is leading to a perpetuating cycle of panic, fear and uncertainty amongst businesses, as in their desperation to solve the cybersecurity problem they are being lured into buying yet more tools and buzzwords, like the XDR (extended detection and response) products that are touted as the silver-bullet solution. For me, it's contributing to the problem and I'll explain why.
Fueled by vendor marketing, companies are being encouraged to buy products they just don't really need. This is leading to cybersecurity tool overload and fatigue amongst security analysts. It's also encouraging organizations to deploy point products to solve very small problems here, there, and everywhere, essentially papering over the cracks without solving the bigger issues. This is a particularly challenging issue amongst small and medium-sized businesses, whose teams are already overwhelmed by the sheer volume of security alerts their business receives: the continuing growth of the 'alert fatigue' phenomenon.
The best way organizations can address their cybersecurity challenge is by recognizing that they don't have a tools problem, but an operational one. By prioritizing and embracing security operations, where they can make the best of their existing investments instead of endlessly cycling through new vendors and new products, they will go a long way toward addressing the rapidly evolving threat landscape in a way that meets the unique needs of their business. There is no "one size fits all" in security, and if an enterprise doesn't put operational infrastructure in place, then all it has is more tools, more collectors, more agents, more locations, and more data to filter through, which contributes to even more alert fatigue and ultimately means a threat is more likely to slip through the net and go undetected.
Businesses need to ask themselves: "When was the last time we did a solid disaster recovery exercise? Do we have a playbook? Is it old and unsuitable?" Years ago, when data backups were written to tape and stored offsite, there was a phrase: "your backup is only as good as the restore." While testing the backup and restore process was time-consuming and expensive, it only took one hardware failure incident to prove how valuable a well-rehearsed plan can be. There are direct parallels with cybersecurity, too. And I don't just mean having backups for when you get hit by ransomware.
The R in XDR is only as good as the execution of that response. So, when was the last time your business tested a disaster scenario? What's your cybersecurity team's first step when ransomware takes hold? There's no easy button and no buzzword tool that is going to replace good old-fashioned planning and practice. This is operationalization: combining people, process and practice, and making the best use of the tools you have. That's the endgame here.
When working with customers, we find that every organization already has the tools in place to fundamentally improve their security posture, but they lack either the skills or the time in their workforce to implement a more efficient and sophisticated security department. The first thing organizations should do is put a pause on buying not just XDR but all security products, close the flashy product PowerPoints that vendors are sending them, put the purchase order approval stamps away, and really understand what tools they already have at their disposal. The businesses that prioritize investing in their security operations, those that spend the time to understand their current capabilities and gaps before adding more complexity, will be leaps and bounds ahead of the cybersecurity maturity curve and will drastically reduce the likelihood and impact of a successful attack in the long run.