1. Build your strategy on a security-first, assume-breach mindset: assume you are already compromised, at all times. A company that designs its operations and defenses on this premise, expecting an attacker to already be inside rather than hoping to keep every attacker out, is far more likely to detect an intrusion early and stop it from becoming a breach than most organizations are today.
2. Formal vulnerability management is more than patching and correcting insecure configurations: it is a disciplined, continuous practice. Because new vulnerabilities are disclosed daily, IT must treat discovery, prioritization, and remediation as an ongoing cycle rather than a periodic project.
3. Data governance is necessary in order to provide and protect high-quality data throughout the lifecycle of that data: This includes data integrity, data security, availability, and consistency. Data governance program policies must include:
Delineating accountability for those responsible for data and data assets
Establishing integrity controls that ensure the quality and accuracy of data
Identifying safeguards to protect data
Determining who can take what actions, with what data, under what circumstances, using what methods.
Assigning responsibility to appropriate levels in the organization for managing and protecting the data
4. An organization's brand is a valuable asset, but it is also a broad attack surface. Threat actors exploit the public's trust in that brand when they phish under the organization's name or counterfeit its products. The problem grows harder as an organization engages with the world across more digital platforms: the web, social media, mobile apps. These engagements are clearly crucial to the business, so something else should be equally clear: guarding an organization's "digital trust," the public's confidence in the company's digital security, is make-or-break for the business, not just an item on a compliance checklist.
5. Building a security culture takes time and effort. Cybersecurity awareness training should be a regular occurrence, once a quarter at a minimum, and an ongoing conversation with employees rather than a one-and-done event. People have short memories, so repetition is appropriate for a topic this strategic to the organization. The effort also needs to be top-down, starting with senior management. Awareness training should reach every function in the organization, not only the teams that own governance, threat detection, and incident response plans. The campaign should do more than hand down rules detached from the broader business reality; it should instill a security-first mindset that protects the business and delivers better business outcomes. Security belongs to every employee, from the C-suite down to the seasonal intern: each of them owns a sliver of the exposed attack surface, and security programs work best when everyone understands that security makes the business stronger and their own jobs easier.