June 2024

Why cyber resilience matters for SMBs and how to achieve it

Organizations live in a world of elevated threat levels, determined malicious actors, and expansive attack surfaces. In this context, it can be difficult, especially for smaller businesses, to make the most of digital technologies without exposing themselves to excessive cyber risk. So what’s the answer?

While no silver bullet, cyber resilience is an increasingly popular strategy. When done right it can help organizations continue business as usual even during attacks and then rapidly adapt and recover without imperilling business operations.

But getting to this point isn’t easy. As a new Osterman Research study reveals, 86% of organizations have a cyber-resilience plan, but few have confidence in it and over half don’t even have a way to assess its effectiveness. For SMBs in particular, consolidating capabilities could have a big impact on the success of initiatives.

Why resilience?

According to the U.S. National Institute of Standards and Technology (NIST), cyber resilience is: “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Why is the focus increasingly turning to resilience? Because no organization is 100% breach proof. A critical pillar of resilience is threat prevention — blocking as many incoming threats as possible. But IT leaders must also be realistic. If one does get through — and it will — it is better to also have the right processes and technologies in place to detect, respond, and recover.

This is set against an increasingly forbidding backdrop of agile cybercriminals and emboldened nation-states. Service-based offerings freely available on the dark web have lowered the bar considerably for ransomware, phishing, and much more. That’s particularly bad news for SMBs, as it increases the potential pool of threat actors and makes it financially viable to compromise larger numbers of less lucrative targets.

According to the Osterman Research report, ransomware (63%), supply chain attacks (51%), malware (49%), and coding bugs (48%) are the biggest concerns for organizations. They’re exacerbated by the fact that the corporate attack surface continues to grow, as these same firms invest in cloud and other digital technologies.

SMBs have arguably been ahead of the game on cloud. That was a boon in the pandemic years and continues to benefit these firms today as hybrid work becomes the norm. But it also exposes them to a greater risk of data theft and operational disruption. Remote workers are a particularly acute threat. It’s been claimed that they’re more likely to engage in risky behavior than office-based peers, such as clicking on phishing links or using unpatched personal devices for work.

It’s also true that, while breaches at big firms make the headlines, smaller ones often take the hit. The average employee of a small business with under 100 employees could receive 350% more social engineering attacks than an employee of a larger enterprise, according to Barracuda.

What’s missing from current programs?

Hence the push for greater cyber resilience. But according to Osterman Research, things are not going well. It highlights several challenges in current programs including:

  • Ineffective classroom-based security training for employees: Nearly half of respondents say their staff wouldn’t know what to do if they received a phishing email, despite years of training.
  • A general lack of confidence in the preparedness of the general workforce.
  • Poor board engagement: Just 56% say security is a priority for leadership.
  • A need for improved tooling: Zero Trust, data protection, and other capabilities are a top-two requirement for respondents.

A whole-of-business effort

IDC defines five critical stages to a cyber-resilience program:

  • Identify critical assets, map processes, and assess readiness
  • Protect assets with effective security controls
  • Detect threats using analytics
  • Respond quickly to breaches
  • Recover from attacks quickly

Achieving this clearly involves a multilayered, whole-of-business effort. That means improved board engagement, better training for general employees, detection and response tools, and cyber hygiene basics like regular patching, backups, encryption and firewalls — all wrapped in a coherent risk management strategy.

Under-resourced SMBs looking for robust security controls should look to trusted partners for help with the protection stage of their resilience program. This is where Secure Access Service Edge (SASE) platforms can play an important role, by consolidating some critical features including:

Cyber resilience is the direction of travel for many organizations. But it needn’t be out of reach for the SMB community. With the right approach and consolidated, platform-based tooling, smaller businesses can drive digital-powered growth without compromising on security.

By Phil Muncaster

This article originally appeared on Journey Notes, the Barracuda blog.
