How to start your cybersecurity journey

Published by Tristan Loret on


According to a study done in late 2020 by Cybersecurity Ventures, the cost of cyber-crime is expected to grow by 15 percent annually over the next five years, from USD$3 trillion in 2015 to a predicted USD$10.5 trillion in 2025. Cyber-crime ranges from network breaches to denial of service (DoS) attacks, from ransomware to theft of Personally Identifiable Information (PII) and financial data, and those are just the tip of the cyber-crime iceberg. Most organizations spend 10 percent of their IT budgets on cybersecurity programs. While the amount differs from one organization to another, it is very likely that there are many cybersecurity areas to improve upon, and the first steps you take towards improving your organization’s cybersecurity posture can seem daunting.

Start small but move fast

The very first step you can and should take is to conduct a cybersecurity audit or assessment. The audit aims to provide visibility on the maturity of cybersecurity in the organization. A study by Ponemon Institute on separating truths from myths in cybersecurity found that about 30% of cybersecurity purchases in an organization end up not being used, and these investments only cost organizations a lot of money and time. Purchasing the best cybersecurity system does not equate to a cyber-crime-proof environment; conducting the audit will allow you to conceptualize a roadmap to improve the cybersecurity posture based on the level of maturity you are at.

How should I do my audit/assessment?

There are several similar maturity grids that you could use to model your organization’s cybersecurity maturity level whilst you are conducting your audit. They have between 4 and 6 levels and are the best place to begin your cybersecurity journey. The ISO27001 framework aims to help implement best practices in Information Security Management. Even without the intention to get certified, using ISO27001 as a map to define your organization’s improvement areas allows you to orientate your organization’s cybersecurity posture in a structured manner.

The maturity grid below can be used to gauge the maturity level of your organization’s cybersecurity practices and processes, from Level 0 where cybersecurity processes are missing or incomplete to Level 5 where processes are reviewed and optimized within your organization.

Above: General process/practice maturity grid that can be used with regard to the ISO27K standards.

Another cybersecurity maturity grid that could be used is the Cybersecurity Maturity Model Certification (CMMC). In January 2020, the United States’ Department of Defense released the Cybersecurity Maturity Model Certification (CMMC) framework to measure the cybersecurity readiness and capabilities of their contractors. The five levels of CMMC range from Level 1, where an organization performs “basic cyber hygiene” practices such as ensuring employees’ passwords are regularly changed, to Level 5, where governance and standardized processes are in place across the organization.

Above: The five levels in Cybersecurity Maturity Model Certification (CMMC). Image from: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

These maturity grid levels will allow you to benchmark and orientate where your organization stands with regard to its cybersecurity posture. Depending on the industry you are in, some sectors (e.g., telecommunications, healthcare and finance) may require a specific level of cybersecurity awareness, capabilities and posture.

On top of knowing where your organization stands within the cybersecurity maturity range, you should also interview employees to gauge their cybersecurity awareness and their internet usage. The old saying “You are only as strong as your weakest link” rings particularly true when it comes to cybersecurity. A PurpleSec trend report in 2021 showed that 98% of all cyber-attacks rely on social engineering, a broad range of malicious activities accomplished through human interaction. Knowing how an employee would react to a phishing attack (in the form of emails, phone calls, text messages, etc.) gives you a more holistic picture of your organization’s cybersecurity posture.

Focus on tangible cybersecurity victories

Once you have a good feel for your organization’s cybersecurity maturity and the level of awareness and adeptness of the employees, you can begin to conceptualize and rationalize a cybersecurity transformation journey. A study on cybersecurity conducted by Boston Consulting Group (BCG) gave an average of 3-4 years for a cybersecurity transformation journey to complete, with total expenditure of up to 5-6 times the organization’s annual cybersecurity spending. Instead of splashing out your organization’s cybersecurity budget on the latest endpoint protection, focus on tangible cybersecurity victories, also called “low hanging fruits”. Examples of these include conducting cybersecurity awareness training for employees, introducing governance based on ISO 27001 standards, and ensuring your organization’s devices are all up to date in terms of anti-virus signatures and operating system patches. These tangible victories may require some “heavy lifting” in terms of effort, but they do not have much (if any) impact on your cybersecurity budget.

While the road ahead may be challenging when it comes to your organization’s cybersecurity journey, following the steps shared in this article should make it less intimidating:

  • Audit and assess your environment to understand and prioritize the gaps that need to be filled.
  • Start small and select a few key priority areas identified from your audit(s) (an ISO27k audit can be complemented by technical audits).
  • Find “low hanging fruits” for “quick wins” and market them internally to the organization to raise overall awareness and gain favorable ground for further actions to strengthen your cybersecurity stance.

Eventually, as your organization’s cybersecurity maturity increases, there will be a period on your cybersecurity journey where you will have to begin looking at the latest cybersecurity trends and protection; usually, much remains to be done before reaching this stage. The cybersecurity transformation journey may be long and at times arduous, with dangerous pitfalls like data breaches and ransomware attacks. Do not doubt that those will happen: how prepared your organization is and how it reacts to them is what is at stake here. Improving your organization’s cybersecurity posture through a strengthened baseline and proactive and protective actions can potentially save your organization tens of thousands to millions of dollars (as direct or indirect financial impacts).

Increasing your organization’s cybersecurity maturity is a company-wide transformation journey, so don’t forget to follow the best practices of a transformation!

EVA Group is able to perform cybersecurity audits against well-known frameworks (such as ISO27k requirements) as well as technical audits: network security audits, cloud security & FinOps audits, pentests, source code review and more, to improve your cybersecurity posture.

Don’t hesitate to reach out to us to get full visibility and a comprehensive overview of your cybersecurity and network landscape.

Hamka YUSOFF

Senior IT Consultant, EVA Group Singapore

About EVA Group

A renowned international cybersecurity and IT performance consultancy.
EVA Group has been assisting major accounts and SMEs in the luxury goods, retail, banking, insurance, manufacturing & supply chain, services and governmental sectors for 15 years.
Specialized in three areas – Cybersecurity, Cloud & Infrastructure, and Data – EVA Group combines methodological know-how, a high level of technical expertise, and R&D.
We help clients address their key challenges:

  • Support IT projects for transformation and innovation,
  • Identify and reduce exposure to cyber risks,
  • Design, build and operate efficient and secure information systems,
  • Align IT governance with the strategy.

Labeled HappyAtWork©, EVA Group is established on 4 continents through 10 offices. For more information: www.evagroup.asia
