Build a culture of cyber resilience
- September 21, 2023
At the end of August, the second edition of CyberSQUAD, the largest cybersecurity event in the Netherlands, took place in The Hague. Young cybersecurity specialists and CISOs came together to exchange experiences and network. They learned about all the threats, learned how to deal with them and react quickly, and were also able to take part in a capture-the-flag competition.
Cybersecurity guru Melissa Bischoping, Endpoint Security Research Director at Tanium, told them that “cyber resilience” requires, first and foremost, a cultural shift. But what is it really? The American standards organization NIST defines cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or enable cyber means.” A boring description – such are definitions – that says exactly what it is about: As soon as something is digital, it can be attacked, and we have to be careful about that. As an individual, but even more so as an organization. Cyber resilience is the set of measures you take to protect yourself from cyber attacks.
Unfortunately, it is not always easy to protect a company from these attacks. Organizations often lag behind in the fight against cybercrime. You can compare it with doping in sports: As soon as the doping hunters can discover all performance-enhancing substances during a control, a new drug comes onto the market.
In her talk at CyberSQUAD, Melissa Bischoping preferred to compare cybercriminals with tech entrepreneurs. Just like a technology startup, cybercriminals are extremely agile and adapt perfectly to trends and changes in the market. They are increasingly specializing in cybercrime niches and applying new business models. It is not for nothing that a phenomenon such as “ransomware-as-a-service” has developed, in which hackers are hired by third parties or provide them with tools.
As if that wasn’t enough of a headache for the CISO, there are more and more digital devices that are vulnerable. For example, consider the 127 new IoT devices that are connected to the Internet every second. To give an idea of the extent of the vulnerabilities, CVE.org tracks all new cyber vulnerabilities. Last year, no fewer than 25,000 new “cybersecurity vulnerabilities” (CVEs for friends) were documented, a quarter more than in 2021. And this year we already had 14,000 new CVEs after two quarters, so 2023 will also be a record year.
The numbers are mind-boggling, but organizations are anything but defenseless. According to Bischoping, organizations can take a range of measures to increase resilience. First, an organization must carefully examine what needs to be protected and to what extent. There are not only crown jewels that need to be guarded, such as trade secrets in the form of intellectual property, but also infrastructure, which is crucial for the continuity of the organization. Some industries also have regulations that require additional protection for some systems, for example in financial service providers or pharmaceutical companies.
Protecting all of these assets requires a well-thought-out plan but also the right tools. Many organizations use a patchwork of tools and workflows that are completely disconnected from one another, making it impossible for IT and operations to keep a good overview of which assets are fully up to date and which are not. Cybercriminals enjoy such silos. A solution from the Converged Endpoint Management category helps here, because it enables tools, workflows and teams to operate as a whole.
Software tools aren’t the only thing companies need to invest in, said Melissa Bischoping. A culture of cyber resilience is at least as important. The entire organization must be aware of the lurking dangers so that threats can be easily identified. According to Bischoping, it’s important to reward people for their attention. This is more important than making them feel guilty about being deceived by a phishing attempt. An incentive to report problems increases everyone’s attention.
Of course, training and awareness are not enough; the right measures must also be taken and enforced. Just think of passwordless authentication, multi-factor authentication, a clean desk policy… “A policy that is not enforced is nothing more than a suggestion,” says Melissa Bischoping, who also points out that senior management must lead by example for the rest of the organization.
According to Bischoping, it’s all about trust: not “trust” as in the hyped “zero trust”, but real trust that is placed in employees. “If you give people trust, they will tell you what is happening. If they tell you this, you will discover pain points. This is very important because when employees are willing to point out vulnerabilities, they become your best ‘early warning system.’ And that is ultimately your best defense: a perfect combination of people, processes and technology.”
This is a post from Wytze Rijkmans, Regional Vice President of Tanium.
Source: IT Daily