Why You Can't Be Reactive About Cybersecurity and Compliance

Author: Petar Besalev, Executive Vice President of Cybersecurity and Compliance Services
Published: July 14, 2022

Editor's note: The following is a blog post sponsored by A-LIGN.

There has been a very clear change in awareness and overall attitude toward cybersecurity and compliance in recent years. Before the pandemic, this work was often seen as too costly and treated as an afterthought. With the volume of cyberattacks rising rapidly, more companies today are realizing that security and compliance are an integral part of the business and a major competitive advantage.

Let's take a look at the current reality of the cyber threat landscape and what organizations can do, both internally and externally, to strengthen their cybersecurity posture and manage risk.

The current reality of cyber threats
The cyber threat landscape is larger and more complex than ever, and the financial losses a cyber incident can cause are at an all-time high. According to the latest research from IBM and the Ponemon Institute, the average cost of a data breach is about $4.24 million; for businesses in the U.S., that figure is more than double, at $9.05 million. The complexity of modern IT security systems, extensive cloud migration and a pervasive skills shortage are among the top factors contributing to the growing average cost of a data breach.

Global conflict only adds fuel to the fire, increasing the likelihood of cyber incidents such as ransomware or Internet of Things (IoT) attacks. The White House has specifically warned U.S. organizations to be on the lookout for threat indicators originating from Russian actors, especially those involved in the supply chain of critical infrastructure industries. This heightened focus on supply chain risk management in both the public and private sectors means more companies are requiring their vendors to demonstrate a suitable level of cybersecurity and compliance maturity.

All of this raises the question: "Where are most organizations on their cybersecurity maturity journey?" The short answer is: not where they should be.

Research by Bain & Company shows that many struggle to follow even simple best practices. While 43% of executives believe their firm follows best practices for cybersecurity, analysis reveals that only 24% of firms actually had appropriate security measures in place.

It is common for businesses to acknowledge the severity of the situation but remain unprepared for, or unaware of, the underlying risks they carry, including:

  • Adoption of new technology and tools that have not gone through the right process to ensure they are secure
  • Lack of data visibility and/or the ability to verify adherence to policies and procedures
  • Unidentified or unmonitored risk from third-party vendors
  • Large compliance gaps and a lack of personnel who understand the standards

Fundamentals for responding to increased cyber risk
Many organizations have lost sight of the core concepts of information security, instead opting to throw money at tools that promise to mitigate their risk rather than adhering to basic security best practices and time-tested industry frameworks. Introducing too many "cutting-edge" technologies in an attempt to secure your environment will actually make things harder to secure.

Instead, organizations should focus on building clean, manageable security architectures that stakeholders can fully understand. Here are a few specific measures your organization can take internally to respond to increased cyber risk:

  • Focus on your most valuable assets: This is a frequently overlooked foundational step. You must start by recognizing what your most valuable assets are and where they reside. After all, not all systems and data are created equal, and those that are critical to your business should be at the heart of your security strategy.
  • Keep information security simple (KISS): Don't equate "complex" with "comprehensive." There is no need to reinvent the wheel; focus on adopting basic cybersecurity best practices. For example, simply enabling multi-factor authentication can block more than 99.9% of account compromise attacks.
  • Prepare, don't react: Organizations should prepare for an inevitable cyber event by critically assessing their capabilities (incident response, disaster recovery) and rehearsing their response through tabletop and simulation exercises.
  • Layer your security: Also known as the Swiss cheese security model, each layer of security serves a distinct purpose and can mitigate certain types of risk but not others (not to mention the possibility of human error). Taken together, these layers are far more effective at preventing a serious incident.

How to demonstrate a mature cybersecurity posture externally
Once you have begun strengthening your internal cyber defenses, it's time to consider how to validate the work you have done. The value of having your cybersecurity posture validated by an accredited third-party assessor is twofold:

  1. It confirms to internal stakeholders that the organization has, in fact, taken appropriate steps to manage cyber risk.
  2. It signals to partners, prospects and customers that the business follows cybersecurity best practices and has a strong program in place.

Security-first organizations actively seek to benchmark themselves against industry peers and to close the gaps in their cybersecurity programs. Here are a few tips for understanding where your business is on its cybersecurity maturity journey, as well as how you can showcase your achievements to earn trust and win new business:

  • Perform vulnerability scanning to map out your attack surface and known weaknesses so you can address issues before malicious actors capitalize on them.
  • Use penetration testing and social engineering to see how your technology, systems and people react to a realistic attack using the most sophisticated tools and tactics seen across today's threat landscape.
  • Request a third-party assessment to obtain a report or certification that can help fulfill contractual security obligations and serve as a valuable proof point for marketing and sales.

Many people equate cybersecurity compliance with abiding by the laws and regulations that require organizations in a given geography or industry to meet certain security requirements. While staying compliant matters from a legal standpoint, there are many voluntary standards, such as SOC 2, that are becoming increasingly popular because they demonstrate that an organization is managing sensitive data responsibly. It's also worth mentioning that as cyber insurance becomes increasingly competitive and difficult to obtain, holding a compliance certification against a well-known standard may make a business more likely to receive coverage.

Kick-start your cybersecurity and compliance program
It's always better to be proactive rather than reactive when it comes to cybersecurity and compliance. Spending the time and resources up front to enhance your defenses and develop a response plan will save you a great deal of the lost time, revenue and customers you would otherwise suffer if a data breach occurs and you are not prepared.

The work of a trusted cybersecurity and compliance partner such as A-LIGN doesn't stop after the security assessment has finished. Our team of experienced auditors also presents key findings and opportunities for improvement, including remediation recommendations, so your business knows exactly what it needs to do to turn weaknesses into strengths. Check out our full list of cybersecurity assessments to learn more about how you can minimize the impact of a cyber event on your business.
