What is Cybersecurity Posture and How to Improve It?
Author: Jacques Sauve
Before we begin discussing such things, we must begin by defining some words; words, after all, have meaning, and it is crucial that we all understand them the same way if we are to share ideas and concepts. When we say “The sky is blue”, we all understand what “the sky” is and what “blue” is, so we all end up with the same mental picture in our heads.
“Posture”, for example, typically refers to a position associated with the body; Merriam-Webster offers us these definitions:
A: The position or bearing of the body whether characteristic or assumed for a special purpose
B: The pose of a model or artistic figure
There is another definition, however, that goes like this:
State or condition at a given time especially with respect to capability in particular circumstances
Example: “maintain a competitive posture in the market”
This is more in line with what we need: “with respect to capability”. The “particular circumstance” that we are concerned with here is the ability of an organization to defend itself from a cyberattack. Your cybersecurity posture, then, is the sum of your abilities and capabilities to fend off, withstand, and recover from a cybersecurity incident.
Unfortunately, there’s no “magic pill” that will make any organization 100% secure; there isn’t any one thing you can do to completely protect yourself (despite what many vendors will have you believe). There is, however, a singular, critical thing organizations can do to mitigate the risk of a cyberattack; we’ll get to that in a bit.
When it comes to cybersecurity, it is imperative to take a layered approach; I call it “Shrek’s Onion” (“Layers! Onions have layers, ogres have layers!”).
Indeed, within the realm of cybersecurity we speak of Defense in Depth, which is essentially composed of three layers: Prevent, Detect, and Recover.
Let’s quickly go over each one.
The highest objective should be to “Prevent” a cyberattack in the first place. This will involve using tools such as a DNS firewall, securing your network perimeter, file and disk encryption, content filtering, properly configuring your cloud services, etc. Anything and everything you can do to prevent an attacker from getting to your data.
Despite your efforts to Prevent threats from coming into your environment, they will often get through your primary defenses, and it is therefore crucial to Detect them early and eliminate or contain them. This is where a strong, centrally managed antivirus/antimalware solution comes in, along with email filtering, traffic monitoring, and a host of other solutions often touted by vendors as the be-all and end-all of security (“Just take this little red pill and you’ll never have to worry about security; you’ll be able to sleep soundly at night!”).
And yet, despite all these efforts, threats do get in, and they do infect networks; at this point, you are in Recovery mode. This is the stage where most organizations resort to restoring their data from backups, re-imaging their workstations, or rolling back via snapshots. Oddly enough, many small businesses believe they are protected from cyber incidents because they have “good backups”. I can never help but smirk and tell them, “Yes, that’s fine, but you realize that if you’re resorting to backups, it’s because it’s too late? You’ve been the victim of a cyberattack and it may cost you highly, both financially and in terms of reputation to your company.”
If Recovery is your primary defense, then your cybersecurity posture is nowhere near good enough – you are leaving yourself absolutely vulnerable to a myriad of attack methods.
Now that you understand a little more about how much needs to be done to protect your network and your data from a cyberattack, what is that singular, critical thing that I mentioned above that organizations can do to mitigate the risk of becoming a victim?
Surprisingly, it has nothing to do with technology.
You can’t even buy it; there’s no cost, no financial investment required! It’s totally free!!
It is abundant and readily available to everyone.
Ready? Here we go:
You simply need to be concerned about protecting your network and your data.
It’s almost anti-climactic, but there it is: a simple truth. Not enough organizations take cybersecurity seriously, and so they leave themselves easily vulnerable.
Pick your favourite martial artist (think Bruce Lee, Jackie Chan, Jet Li, or any other one); what is the first thing they do when they are about to fight? Easy: they assume a more defensive stance! Feet about shoulder-width apart, most likely one foot forward, one back; knees bent a bit to lower the centre of gravity – all to provide them with a better…wait for it…posture to better meet their attacker!
And so it is with cybersecurity: if you are not even willing to assume that fighting stance (that posture), then your hopes of winning against the threat actors out there today are practically nil. There are cybercriminal gangs that are very well organized, run like businesses, that make millions and millions of dollars by hacking into networks and demanding ransoms; and all of it is automated, so if you’re thinking “Why would anyone target my business?”, they’re not: they use highly sophisticated, automated tools that knock at everyone’s door.
As an example, I run a system called a “honeypot” at home; this is a type of system that emulates vulnerabilities commonly found on computers and networks, and then logs the attempts to break into them. On a typical day, I can get as many as 100,000 attempts on that system! This is on a HOME network; imagine what’s knocking at the door of your business. Trust me: you’re not necessarily targeted.
The second aspect of the martial arts analogy is also important: fluidity. Implementing defenses at all levels (Prevent -> Detect -> Recover) is not a “one and done” affair; the threat landscape is constantly changing, and you need to adapt to it, much like the martial artist constantly shuffles his feet and alters his stance.
So, once again: You simply need to be concerned about protecting your network and your data.
You need to become borderline obsessed with protecting your assets.
Then do something about it.