
How to Prepare Your Business For Growing Cyberthreats

by Andrey LeskinSeptember 23rd, 2024

The surge in cyberattacks in recent years has been staggering, and projections suggest that global cybercrime damages will continue to rise by 15% annually over the next two years to reach $10.5 trillion per annum.


Despite this ominous forecast, preventing cyber threats is entirely feasible for a company. The challenge often lies in the approach management adopts: instead of addressing the risks that matter most to their business, they focus on the most obvious ones. This narrow perspective leads to investment in well-known tools like access control systems, antivirus software, firewalls and VPNs. These are undoubtedly valuable, but relying solely on them can leave significant vulnerabilities unattended and ultimately expose the organization to reputational and financial losses.

Selecting the Right Tools

While preparing to combat cybercriminals and choosing the necessary products, it is crucial to focus on three primary criteria: risk priority levels, ease of implementation and integration, and cost-effectiveness.

Risk Priority Levels

Start by outlining a threat model. It can be simple, consisting of two elements: the likelihood and potential impact of various cyber threats on your organization. To build this model, consider historical data analysis (including past incidents within your company and industry) and feeds and reports from cybersecurity vendors. When evaluating impact, consider the sensitivity and criticality of affected data, operational disruption, financial costs, compliance breaches, and reputational damage.


Additionally, develop an adversary model to understand potential attackers, including their psychological state, technical skills, and overall preparedness. Begin by identifying and categorizing different types, such as cybercriminals, insiders, and competitors. Assess their goals, motivations, and typical behaviors through market reports and threat intelligence resources.


Once you have your models, select your response. There are five common strategies you can use: avoid, transfer, escalate, accept, and mitigate risks.

Avoid

This strategy eliminates a threat entirely by modifying the project scope, technology, personnel, or implementation plan. For example, if you discover that your website's content management system (CMS) is riddled with vulnerabilities, you can replace it with something fundamentally more secure instead of looking for tools to protect it.

Transfer

This approach shifts the responsibility for, and the impact of, a threat to a third party. For instance, if your company accepts card payments, instead of storing card data yourself you can hand that part to a payment processor such as Stripe, so that card numbers never reach your servers and most of the PCI DSS burden sits with the processor. The classic example of transfer is cyber insurance, which takes on the financial losses from an incident. Note what it does not take on: the breach itself, and your accountability to customers and regulators, stay with you.

Escalate

This strategy passes responsibility for managing a specific risk to a higher authority. It is the line manager's "I've notified you of the issue, boss; now it's your turn to find a solution." A company that is a branch or division of a larger group can act the same way and escalate an issue to group level rather than resolve it independently. Escalation only works if the receiving party actually accepts ownership; until it does, the risk is still yours.

Accept

This means acknowledging a risk and tolerating it without immediate action. For example, you might protect the website from DDoS attacks but not the office network, because the latter is an unlikely target when all critical services are hosted in the cloud. If the office network is ever hit, you will deal with it then; until that happens, it is not a priority. Record accepted risks explicitly, with who accepted them and why, so that they are revisited when the model is reviewed.

Mitigate

This strategy involves reducing the probability or impact of a threat. This can be accomplished through various tactics, such as enhancing processes or conducting additional testing. It's worth noting that mitigation does not eliminate the threat; rather, it reduces its severity to an acceptable level.


Thus, the first step always involves choosing a strategy from the five available options. If it is a mitigation strategy, then choose the tools that mitigate specific risks, whether those are DDoS attacks, malware, content scraping, phishing, or identity theft. While it might be tempting to opt for multi-purpose solutions, be wary of those claiming to be universal. In cybersecurity, no single provider can effectively cover all areas of protection. Prioritize selecting specialized products for each identified risk.
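The risk register below, added here as an example and not taken from the article, turns the threat model and the strategy selection described above into a small Python structure: each risk gets a likelihood and the five impact factors listed earlier, the register is ranked by score, and a consistency check enforces that "mitigate" names at least one control, "accept" is only used below a threshold, and "transfer" or "escalate" names the receiving party. The 1-to-5 scales, the acceptance threshold of 4 and the register entries are all assumptions constructed for illustration.

```python
"""Minimal risk register: likelihood x impact, ranked, with the chosen
response strategy recorded per risk.

Added example, not from the original article. The 1..5 scales, the
acceptance threshold and the register entries are constructed.
"""
from dataclasses import dataclass, field

IMPACT_FACTORS = ("data_sensitivity", "disruption", "financial",
                  "compliance", "reputation")
STRATEGIES = ("avoid", "transfer", "escalate", "accept", "mitigate")
ACCEPT_THRESHOLD = 4   # assumption: a risk scoring above this may not be accepted


@dataclass
class Risk:
    threat: str
    likelihood: int              # 1 = rare ... 5 = almost certain
    impact: dict                 # factor name -> 1..5
    strategy: str = "mitigate"
    controls: list = field(default_factory=list)   # tools or process changes
    owner: str = ""              # party the risk was transferred or escalated to

    def impact_score(self) -> int:
        # The worst factor dominates: a compliance breach alone can be
        # catastrophic even when disruption and direct cost are low.
        return max(self.impact[f] for f in IMPACT_FACTORS)

    def score(self) -> int:
        return self.likelihood * self.impact_score()


def problems(risk: Risk) -> list:
    """Return the consistency problems found in one register entry."""
    found = []
    if not 1 <= risk.likelihood <= 5:
        found.append("likelihood out of range")
    missing = [f for f in IMPACT_FACTORS if f not in risk.impact]
    if missing:
        found.append("impact factors missing: " + ", ".join(missing))
        return found
    if any(not 1 <= risk.impact[f] <= 5 for f in IMPACT_FACTORS):
        found.append("impact factor out of range")
    if risk.strategy not in STRATEGIES:
        found.append("unknown strategy " + risk.strategy)
    elif risk.strategy == "mitigate" and not risk.controls:
        found.append("mitigate chosen but no control listed")
    elif risk.strategy == "accept" and risk.score() > ACCEPT_THRESHOLD:
        found.append("score %d exceeds acceptance threshold %d"
                     % (risk.score(), ACCEPT_THRESHOLD))
    elif risk.strategy in ("transfer", "escalate") and not risk.owner:
        found.append(risk.strategy + " chosen but no receiving party named")
    return found


def ranked(register: list) -> list:
    """Highest-scoring risks first; ties broken by likelihood."""
    return sorted(register, key=lambda r: (r.score(), r.likelihood), reverse=True)


def factors(**values) -> dict:
    return dict(values)


# Constructed sample register mirroring the article's own examples.
REGISTER = [
    Risk("phishing via e-mail", 5,
         factors(data_sensitivity=4, disruption=2, financial=3, compliance=4, reputation=3),
         "mitigate", ["MFA", "mail filtering", "awareness training"]),
    Risk("vulnerable website CMS", 4,
         factors(data_sensitivity=3, disruption=4, financial=3, compliance=3, reputation=4),
         "avoid", ["replace the CMS"]),
    Risk("DDoS against the website", 3,
         factors(data_sensitivity=1, disruption=4, financial=3, compliance=1, reputation=3),
         "mitigate", ["DDoS protection service"]),
    Risk("card data theft from our storage", 2,
         factors(data_sensitivity=5, disruption=2, financial=4, compliance=5, reputation=4),
         "transfer", owner="payment processor"),
    Risk("DDoS against the office network", 1,
         factors(data_sensitivity=1, disruption=2, financial=1, compliance=1, reputation=1),
         "accept"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print("%2d  %-9s %-36s %s" % (r.score(), r.strategy, r.threat, problems(r) or ""))
```

Taking the worst impact factor rather than their average is a design choice: averaging lets a single catastrophic factor (a regulatory breach, say) be diluted by four mild ones, which is exactly the blind spot the impact criteria above are meant to expose.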

Ease of Integration

Next, evaluate how easy it will be to implement particular cybersecurity tools in your company. The adage "security at the expense of usability comes at the expense of security" holds true; overly cumbersome measures often lead users to bypass them, thereby increasing vulnerability.


A well-known example illustrates this point. In the 2000s, Windows domain policy let administrators force users to change their passwords every three months and forbid reuse of any of the last ten. The policy was well-intentioned, but employees forgot their passwords and resorted to writing them on Post-it notes in plain view, so anyone with physical access to the office could read them. The control expanded the attack surface instead of shrinking it; NIST's current guidance (SP 800-63B) accordingly recommends against forced periodic rotation unless there is evidence of compromise.

Thus, when selecting security measures, consider their impact on business processes and strive to minimize disruption.

Cost-Effectiveness

Finally, take cost into account. Avoid opting for the cheapest solutions, as they often fail to provide adequate protection.


An analogy can be made with the purchase of a bulletproof vest. A high-quality product from a reputable manufacturer will be much more reliable than a secondhand option ordered on a marketplace. The latter might only reveal its deficiencies in critical moments, but it’ll already be too late.


Rely on reviews from industry professionals, the advice of your information security consultant, and comprehensive test results when making purchasing decisions.


And last but not least, review your threat and adversary models at least once a year. As business processes evolve and new tools and attacks emerge, regular updates become necessary to ensure your cybersecurity measures remain effective.

Testing Defense Systems

There is no one-size-fits-all test, because protection methods are so diverse. VPN software might work perfectly for securing inter-office communication but fall short for remote work because of compatibility or configuration issues. Evaluation must therefore align with specific goals.


However, testing can still be broadly categorized into regular and continuous.

Traditional, or Regular Testing

Typically involves scheduled assessments, such as annual penetration tests performed by specialized firms or individual contractors. They are usually based on the company’s threat model already in place, but can also provide fresh perspectives on potential vulnerabilities.


These tests come in two main types:

  • Closed box (also called black box): The tester receives minimal information about the company's IT systems, often limited to what is publicly available or known to an average employee (when insider threats are a concern). This gives a high-level view of the company's exposure without disclosing critical business information to an outsider.
  • Open box (also called white box): The tester is given comprehensive access to documentation, configurations and source code. This allows a thorough analysis, including logic flaws, misconfigurations and security gaps that an outside view would never reach.


Most companies opt for closed box testing because it gives them some impression of control. Keep in mind, however, that in the absence of proper countermeasures (and those countermeasures are exactly what you are testing) a closed box engagement can turn into an open box one quite suddenly: once the tester gains a foothold, they can read the documentation and source code you withheld. So consider carefully whether constraining your testers' knowledge buys you anything. Companies that handle really sensitive data may also employ in-house testers who have full access and can test continuously from intimate knowledge of the systems.

Continuous Testing

Involves setting up automated tests that run at regular intervals (hourly, daily, or whatever frequency suits) to confirm that a defence is still working and still matches the threats. This approach is often more effective, but it is impractical in some cases, such as evaluating DDoS protection and mitigation solutions: generating and managing large volumes of test traffic requires significant investment in hardware, software and network capacity, and the cost is too high to repeat continuously.


Continuous testing is well suited, for example, to checking that the mail server's attachment scanning still works: the company maintains a repository of malware samples and regularly sends messages carrying them to verify that the antivirus detects and handles them. Handle such a repository with care; for a routine check, the EICAR test file is detected by virtually every antivirus product and is harmless, so it can exercise the pipeline without live malware.

Measuring Cyber Resilience

The exact metrics used to evaluate cybersecurity solutions can differ significantly depending on the product. Below are just several examples.


  • Detection Rate: assesses the effectiveness of a cybersecurity product in identifying risks. It measures the percentage of detected threats out of the total number encountered. The closer this rate to 100%, the better. Ideally, it should reach at least 95%.


  • False Positive Rate: the percentage of non-malicious activities incorrectly identified as threats. This metric provides insights into a solution's accuracy in attack detection. Security magazine reports that as many as one-fifth of all alerts turn out to be false positives. It is better to maintain this rate below 10%, though, to minimize unnecessary operational disruptions.


  • Mean Time to Detect (MTTD): evaluates the average time taken to identify a threat from the moment it occurs, indicating the product’s responsiveness. In general, threats should be detected within minutes, though this time may be extended for advanced persistent threats and zero-day vulnerabilities.


  • Mean Time to Respond (MTTR): measures the average time required to mitigate and resolve an incident after detection. A good MTTR varies with your industry and IT operational effectiveness. A rule of thumb is an MTTR of under 3-5 hours for major incidents; in some cases you should aim for less than an hour. From the attacker's perspective, several hours is more than enough to exfiltrate your database.


  • Impact on IT Performance: this is estimated to ensure minimal disruptions to operations and user experience. The impact can be especially high for continuous scanning that consumes CPU usage, memory, and disk space. In a perfect scenario, it should still not lead to more than a 10% increase in latency or resource usage.
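The script below, added here as an example and not taken from the article, computes the first four metrics above and checks them against the thresholds the text gives (detection rate at least 95%, false positives below 10%, MTTR under 5 hours). The sample verdicts stand in for the labelled test set that the continuous-testing section describes feeding to a scanner, and the incident records stand in for an incident tracker; both are constructed data. The 60-minute MTTD limit is an assumption, since the text only says "within minutes".

```python
"""Scorecard for a detection product against the thresholds listed above.

Added example, not from the original article. SAMPLES and INCIDENTS are
constructed data; in practice they come from the labelled test set fed to
the product and from the incident tracker. The MTTD limit is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Sample:
    name: str
    malicious: bool     # ground truth for the labelled test object
    flagged: bool       # the product's verdict


@dataclass
class Incident:
    occurred: datetime
    detected: Optional[datetime] = None   # None: never detected by the product
    resolved: Optional[datetime] = None


def detection_rate(samples) -> float:
    malicious = [s for s in samples if s.malicious]
    if not malicious:
        raise ValueError("no malicious samples in the test set")
    return sum(s.flagged for s in malicious) / len(malicious)


def false_positive_rate(samples) -> float:
    benign = [s for s in samples if not s.malicious]
    if not benign:
        raise ValueError("no benign samples in the test set")
    return sum(s.flagged for s in benign) / len(benign)


def _mean(deltas) -> Optional[timedelta]:
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def mean_time_to_detect(incidents) -> Optional[timedelta]:
    # Only detected incidents have a detection time. Undetected ones are
    # reported separately below: leaving them out silently flatters MTTD.
    return _mean([i.detected - i.occurred for i in incidents if i.detected])


def mean_time_to_respond(incidents) -> Optional[timedelta]:
    return _mean([i.resolved - i.detected for i in incidents
                  if i.detected and i.resolved])


def scorecard(samples, incidents,
              min_detection=0.95, max_fpr=0.10,
              max_mttd=timedelta(minutes=60),      # assumption, see lead-in
              max_mttr=timedelta(hours=5)) -> dict:
    def minutes(d):
        return None if d is None else d.total_seconds() / 60

    dr, fpr = detection_rate(samples), false_positive_rate(samples)
    mttd, mttr = mean_time_to_detect(incidents), mean_time_to_respond(incidents)
    return {
        "detection_rate": dr, "detection_ok": dr >= min_detection,
        "false_positive_rate": fpr, "fpr_ok": fpr < max_fpr,
        "mttd_minutes": minutes(mttd), "mttd_ok": mttd is not None and mttd <= max_mttd,
        "mttr_minutes": minutes(mttr), "mttr_ok": mttr is not None and mttr <= max_mttr,
        "undetected_incidents": sum(1 for i in incidents if i.detected is None),
    }


# Constructed data: 20 known-malicious objects of which one is missed,
# 20 benign objects of which one is wrongly flagged.
SAMPLES = ([Sample("mal-%d" % i, True, i != 7) for i in range(20)]
           + [Sample("benign-%d" % i, False, i == 3) for i in range(20)])

T0 = datetime(2024, 9, 1, 9, 0)
INCIDENTS = [
    Incident(T0, T0 + timedelta(minutes=5), T0 + timedelta(hours=2)),
    Incident(T0 + timedelta(days=1), T0 + timedelta(days=1, minutes=15),
             T0 + timedelta(days=1, hours=6)),
    Incident(T0 + timedelta(days=2)),   # found later by other means, never by the product
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLES, INCIDENTS).items():
        print("%-22s %s" % (key, value))
```

The undetected-incident count is the number to watch alongside MTTD: a product that never sees the hardest intrusions can still post a flattering average on the ones it does catch.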


A red flag that a security product needs replacing is that it fails to protect against the threats in your model and cannot be upgraded to address them. That is not always the provider's fault. External factors may also force a change: new compliance requirements, an evolving competitive landscape, or layoffs may introduce new risks such as insider threats.

5 Recommendations for Businesses Trying to Protect Themselves

Conduct Strategy Sessions with Department Heads

In larger organizations, it is also advantageous to involve team leaders. Collect insights from the various departments to create a comprehensive list of potential threats. The process may look bureaucratic, but it engages employees with the topic, exposes them to current cybersecurity trends, and encourages them to think like attackers. This in turn raises awareness and vigilance and builds a corporate culture in which security is a priority.

Develop a Robust Strategy

With a foundational threat model in place, the next step is to seek solutions. Ideally, aim to address all identified risks promptly. However, remember that achieving full protection is a gradual process. The saying "no one is 100% secure" should not be an excuse for inaction. Instead, strive to be more secure than competitors, making your organization a less attractive target for attackers.

Implement and Monitor Security Systems

Implementation is just the beginning. Regular monitoring is vital, along with reassessing threats and evaluating the relevance of the software used. Stay informed about the cybersecurity market to identify and adopt more effective solutions as they become available.

Increase Employee Awareness

Engage employees through interactive and practical training sessions. Move beyond passive learning methods and incorporate workshops, hands-on tasks, and expert lectures and webinars. The objective is to ensure your team genuinely understands how to protect company data and system access. Update training programs regularly (every six months to a year).

Recognize That Security Extends Beyond Compliance

Compliance is critical, but it should not be the sole focus. Regulations like the EU's GDPR (General Data Protection Regulation) are designed to protect personal data. They do not cover all of a company's specific security needs, such as protecting financial information. Businesses must independently assess and address the risks unique to their operations. Remember that no one will protect your company except you.