What difference does accountability make in cybersecurity? From my point of view as chief technology officer at BlackBerry, I see accountability in cybersecurity as a critical factor — especially at a point in time where we are all looking for ways to save money and reduce cyber risk at the same time.
I discussed this recently on the cybersecurity podcast “KBKAST, The Voice of Cyber.” Click below to listen:
Some recent research on cyber insurance, conducted by BlackBerry and Corvis Insurance, found that 34% of respondents were denied cyber coverage because they lacked basic security technology, like endpoint detection and response (EDR) capabilities. It’s an accountability problem. In this age of frequent and often crippling ransomware attacks, insurers are looking for organizations that will hold themselves accountable by implementing certain cybersecurity basics, like EDR, proactive and preventative AI-based endpoint protection platform (EPP) solutions, etc.
As you might expect, our research also found that a sizable number of organizations had implemented basic security technology such as EDR solutions specifically to obtain cyber insurance. This need to obtain insurance against cyber-based losses is a big driver of EDR adoption, and one that can facilitate a double dose of risk reduction.
Taking basic accountability steps — like implementing EPP and EDR — reduces cyber risk. But that’s just the start. Once your organization has reduced its risk enough to become insurable, it can obtain a cyber insurance policy and pass additional risk to the insurer. This is a situation which effectively allows an organization to reduce its risk twice.
In this article, I’ll cover additional concrete examples of what organizations — especially small and mid-sized businesses (SMBs) — can do to take a proactive approach to accountability and reap the rewards of making a commitment to due diligence in cybersecurity.
Even as the cybersecurity environment becomes more complex — due to factors like increased sophistication of attack techniques, hybrid onsite/remote work locations, and the proliferation of vulnerable Internet of Things (IoT) devices — accountability remains constant. In the context of cybersecurity, accountability comes down to three things: prevention, mitigation, and communication.
In other words, an organization must first work to prevent, that is, to do everything reasonably possible to lower the risk of allowing a cybersecurity incident to occur. However, if an incident occurs, an organization must then do everything reasonably possible to mitigate the impact on customers, partners, and employees. Lastly, an organization is responsible for ensuring that a prompt, continuous, and transparent means of dialogue is in place. I want to stress this last point — communication — because it is a vital component of an effective business resilience strategy that is too often overlooked.
SMBs are just as accountable to customers and other stakeholders as larger companies. However, they often don't have adequate resources – budget, personnel, etc. – to respond to cybersecurity incidents the same way a large enterprise might. Still, there are steps SMBs can take to demonstrate accountability and show their commitment to due diligence.
SMBs that adopt a zero trust network access (ZTNA) approach are able to reduce the risks associated with supporting a remote workforce, as it allows them to establish secure network connectivity from any device — managed or unmanaged — to any app in the cloud or on-premises, across any network. Some ZTNA solutions, CylanceGATEWAY™ from BlackBerry for example, come with an added layer of security via interoperability with multi-factor authentication (MFA) solutions, such as Google Authentication, Microsoft Authentication, Okta, and so on.
For years now, organizations far and wide have felt the pressure of a growing skills shortage in cybersecurity. I believe this is particularly true for SMBs. Many small and medium-sized businesses may not have in-house resources, such as an incident response (IR) team, nor the capabilities necessary to continuously monitor their entire cyber environment, counter sophisticated cyberattacks, or gather and operationalize cyber threat intelligence (CTI).
This is where SMBs can leverage an IR retainer and managed cybersecurity services to fill the gaps and still meet their objectives to prevent and mitigate cybersecurity incidents. Subscribing to managed services offerings also frees the in-house team to manage, coordinate and communicate their cybersecurity activities more effectively with stakeholders.
Often referred to in the industry as managed detection and response (MDR) services, the most advanced offerings add extended detection and response (XDR) capabilities to monitor more of an organization’s potential attack surface. A managed XDR service, such as CylanceGUARD™ from BlackBerry, provides 24x7x365, 360-degree monitoring of your total operating environment, and regular assessments of your security posture. This bolsters prevention, mitigation and communication, while freeing up limited in-house resources and reducing the risk of sustaining a damaging cyberattack.
This approach can also be significantly cost-effective. Our analysis indicates that some SMBs could save nearly $1.8 million by subscribing to a managed XDR service instead of building out a fully functional in-house security operation center (SOC) of the same caliber.
CTI services have traditionally been reserved for companies with large internal security teams and budgets, but that too is changing. CTI offers valuable insights into which attacks — and which attackers — are most likely to target your organization, your industry, and your region. This type of service provides organizations of all sizes with the context they need to make informed decisions at the strategic, tactical, and operational level, and ultimately bolsters their cyber resilience. Moving forward, I believe that using and consuming actionable CTI data will become another key factor in assessing the accountability and maturity of an organization’s cybersecurity posture.
SMBs operating with a lean cybersecurity team can also demonstrate their accountability by implementing an AI-based endpoint protection solution. Effective EPP solutions are generally cloud-managed and, among other things, provide automated malware prevention as well as continuous monitoring and gathering of activity data. An effective AI-based EPP will block most attacks before they execute, while a signature-based solution will detect and alert an ongoing attack it was unable to prevent. However, it is important to note that all artificial intelligence and machine-learning models used in cyberattack prevention products are not created equal, as the best-informed CISOs will attest.
The sheer complexity of today’s software supply chain can also make it hard to answer the question, “Who is accountable?” Due to resource constraints, many SMBs that are suppliers of embedded system software struggle to identify the provenance – or the potential vulnerability — of all the code contained in their software supply chains. To some extent, it’s understandable. A typical application can contain well over 100 software dependencies. If you bundle that together with a cybersecurity skill shortage, then getting full visibility into a software stack becomes a herculean task.
There is a way for SMBs in this situation to demonstrate commitment to accountability. It requires implementing a software composition analysis and security testing solution.
Such solutions let organizations detect and list open-source software, as well as commercial software licenses, that exist within their embedded software and systems. By generating a software bill of materials (SBOM), this type of solution enables SMBs to have a clearer view of their software stack. It also helps detect and list vulnerabilities and exposures in the stack.
As businesses continue to rely more on the cloud for various operational activities, SMBs should consider a cloud security posture management (CSPM) solution. CSPM tools enable SMBs to identify and remediate risks through security assessments and automated compliance monitoring.
Without getting into the weeds, this means that if a change in the settings of an organization’s cloud infrastructure results in a vulnerability, a CSPM solution can recognize the potential danger and automatically revert the settings back to a “known good” state, freeing up human resources and reducing risk.
A proactive approach that demonstrates accountability in your cybersecurity efforts can save money and reduce cyber risk, which helps your organization protect its bottom line.
If you want to hear more about accountability in cybersecurity, please tune in to my discussion with Karissa Breen on the KBKAST Podcast.
Related Reading
