How to arrive at a robust cyber resilience strategy?

Brian Pinnock, a cybersecurity expert at Mimecast explains how organizations can provide a holistic strategy that protects customers, employees and data from exploitation.

Spare a thought for the modern CISO. The global cybercrime industry has been in overdrive since the start of the year, as threat actors capitalise on the disruption brought by the coronavirus pandemic.

The Mimecast Threat Centre found a dramatic increase in cyberattacks during the first 100 days of the pandemic. In the Middle East and North Africa, spam attacks increased by 36% and malware by 22%.

Cybersecurity is a ‘complex puzzle’
To protect against these threats, organisations are having to build complex, multi-layered security strategies that safeguard customers, employees, and company data. The sheer volume of threats and the abundance of attack vectors makes effective cybersecurity a complicated puzzle.

In many cases, organisations have no clear idea of how to put those puzzle pieces together in an effective way. Encouragingly, 82% of organisations surveyed in the UAE and Saudi Arabia in Mimecast’s State of Email Security 2020 report, say they have a cyber resilience strategy or are actively rolling one out. Yet, 67% of respondents still believe it’s inevitable or likely they will suffer from an email-borne attack in the coming year. This begs the question; do they have all the right measures in place to fully protect their organisation and be totally resilient?

What are the pieces of the cybersecurity puzzle? In our experience, the following four elements can add up to a holistic cybersecurity strategy that protects customers, employees, and data from exploitation:

1. Visibility
Without visibility over employees, data, and your online brand, building an effective cybersecurity strategy is a bit like building a puzzle in the dark. Threat intelligence can play a vital role by providing insight into how organisations are targeted, what cyber threats have been blocked and why, which employees are the riskiest and what actions to take to optimise the broader cybersecurity strategy.

However, visibility should extend beyond the perimeter of the organisation. The speed at which cybercriminals can imitate brands online makes it easy to launch sophisticated attacks using lookalike domains that can easily trick customers, partners, and employees.

Tools such as DMARC, are effective and an essential piece of the puzzle, but only for protecting domains already owned by the organisation, against email brand exploitation. Supplementing DMARC with tools that protect against online brand exploitation can help identify attack patterns at the preparation stage and block compromised assets before they turn into live attacks. To fully protect a brand, an organisation should consider implementing DMARC along with brand exploitation tools, managed from one integrated system that provides both visibility and proactive remediation.

2. Resilience
All organisations regardless of size are at risk of cyberattack. While defences are important, being able to quickly recover from a successful attack is just as vital.

Unplanned outages – such as those typical in cloud services such as Microsoft365 – can also disrupt business and lead to losses in productivity, revenue, and reputation. The State of Email Security report found that 60% of organisations in UAE and KSA experienced a Microsoft365 outage in the last 12 months.

Email is still the most widely used business tool and email continuity solutions provide guaranteed access to email, from anywhere and on any device even when email servers fail. Cloud archiving can further help keep corporate knowledge available despite disruptions. And specialised sync-and-recover tools can fill data recovery gaps for those instances where data is corrupted or deleted – whether intentionally or by accident.

3. Culture
Cybersecurity is at its most effective when every employee understands their role in protecting the organisation – and themselves – from attacks. Organisations should seek to instil a culture of cybersecurity awareness that permeates from the top to the bottom of the organisation.

Micro-learning together with engagement is the key. Ongoing training that is short, relatable, memorable and that regularly reinforces key concepts works. We know this because during lockdown periods across the world, Mimecast researchers found that users in organizations that had Mimecast awareness training were 5 times less likely to fall prey to social engineering attacks than those that did not.

Management teams should be ready to take swift action in the wake of a data breach, to ensure the threat is contained, damage mitigated, and the organisation is not at risk of non-compliance to prevailing regulations.

4. Compliance
While the UAE does not have a comprehensive data protection law at its federal level, there are laws in place that govern privacy and data security. Sector-specific data protection provisions exist for certain laws, while three special economic or sector free zones have specific data protection laws. These data protection laws keep UAE organisations accountable, placing them under pressure to protect customer data.

Both data management and data protection are key elements in achieving compliance. It is difficult for an organisation to achieve data management compliance with unstructured data like email. What’s key is to have a third party, independent and immutable data repository that complies to regulatory standards and mitigates legal risks.

The importance of data security and protection is elevated with financial and criminal penalties. Organisations also need to consider the brand damage that is associated with data breaches. Email remains the number 1 attack vector for cyber-attacks. It is widely reported that 91% of all attacks start with an email, with some not even requiring malware.

Call for greater awareness, effort
There is no silver bullet when it comes to security, even when it comes to protecting against a specific attack – like phishing. The entire ecosystem needs to take security seriously or everyone remains at risk.

Protecting your brand and customers with solutions like DMARC and tools that prevent brand impersonation online is important. But if the organisation at the receiving end of a phishing email does not have protections in place, they could fall victim to an attack.

Ultimately, the entire business world needs to prioritise security and protect each other. The first step is to consider managing security solutions and resilience tools in an integrated system that helps reduce cost and complexity, and ultimately enhances the broader security ecosystem.