Why it’s hard to stop Reactive Security
Many find themselves in a cycle of reactive security. They are responsible for security but are part of small to mid-sized enterprises (SMEs). This situation means there is usually no formal 24/7 security operations center (SOC). Instead, it’s a few IT staff and maybe one dedicated security person. Verizon’s Data Breach Investigations Report: Diving Back Into SMB Breaches found that small and medium-sized enterprises (SMEs) face nearly as many security threats as larger enterprises
Of course, it’s natural to now REACT!
For some organizations, reaction is continually rewarded, so a cycle of reaction is the default way of dealing with security. They become good at firefighting issues, show value by counts of closed vulnerabilities and events reacted to, and are continuously busy in this loop.
Yes, there are plenty of threats, alerts, and exploits that feed into this reactive cycle. In an SME survey, 59% say cybersecurity is the top IT challenge of the past year. Outside threats pose the greatest challenge, with the top three types being:
- Network Attacks (40%)
- Ransomware (31%)
- Software Vulnerability Exploits (31%)
Security tools are advancing with additional capabilities that try to help this situation, looking for possible attacks as they happen and alert. When this happens across multiple firewalls, endpoints, and servers, there are three reactive paths that we’ve seen happen:
- A high rate of false positives and alert fatigue occurs.
- To dampen the false positives, the verbosity or configuration is altered to be less sensitive but inadvertently increases the time to detect a security event.
- Legitimate security alerts sporadically occur, but it’s not feasible due to time demands, lack of expertise, and security spending to hunt and get to a definitive conclusion if the business is at risk or not.
Reacting when it comes to security is common and a complex cycle to break. Every day there are new unknowns with unexpected threats, vulnerabilities, and security news. Keeping an organization safe is exceptionally challenging in organizations with minimal executive support but high expectations. It reinforces this negative loop of reacting.
What to Do Beyond Reacting
Change is constant, and security outcomes cannot improve if those responsible for security are constantly reacting. 67% of SME IT admins report feeling overwhelmed, and we are experiencing a cybersecurity talent crisis that will forever change IT.
Reacting means dealing with an event during or after the event has occurred.
Instead of reacting, responding is the next best approach. Responding is a spin-off from the word responsibility and is focused and deliberate. Responding is harder than reacting. It takes more time and effort and requires context. Responding tends to be advantageous because there is a framework and methodology associated with each response that follows the same path of inquiry.
Respond step examples:
- What is the intent of the alert, and what is it meant to detect?
- What are examples of when this alert found malicious activity?
- Where in the attack lifecycle does this alert live, signaling the severity of the situation?
- Would logs from associated systems and firewalls give more insight?
- Have we seen a correlation with like indicators of an attack based on threat context?
- How often does this alert fire?
- Does it happen across connected networks, accounts, or hosts?
- Did this alert lead to evidence of unauthorized activity or lateral movement?
What seems to happen is that the more you enable the practice of responding, better decisions and security outcomes come next. Organizations, no matter what size, can experience a level of cyber resiliency and become less susceptible to risk. This is the growth and security maturity that is needed. Getting support from executives should be easier, but we’ll leave you with one piece of information that can make moving to this level of security a competitive differentiator.
Small and medium-sized enterprises (SMEs) are seen as a key threat to supply chains, partner networks, and ecosystems. 88% of respondents indicate that they are concerned about the cyber resilience of SMEs in their ecosystem, from the World Economic Forum 2022 Global Cybersecurity Outlook
There are industries that have already adopted or are updating their security compliance standards to help alleviate weak links in their supply chains. We’ve seen this as more healthcare providers and institutes are requiring HITRUST certification for their business associates. HITRUST recently added new options to make it easier to achieve certification for SMEs.
There are many reasons to evaluate if your business organizationally has fallen into a reactive security pattern. For individuals responsible for security the pros and cons of reactive security can give you the insight to elevate your role, and start to explore change.
Pros and Cons of Reactive Security
Pros:
People who are used to putting out fires all the time tend to be good at it. Reactive people learn to be flexible and deal with crises as a regular part of life. This might cause them to work well under pressure and go the extra mile to manage security events. This security type quickly deals with the problem, providing in-the-moment leadership. They show their value in the heat of security issues.
Cons:
While good in action, there is no time for strategic security planning. This leads to executive or management communication problems around achieving better security outcomes. For organizations where executive support for security is lackluster, this can become a career detriment and, ultimately, loss of confidence.
Steps to Take to Improve:
Reactive security types risk burnout, especially if they lack understanding and appreciation of the effort they put into their job. Take this commitment and focus and leverage the detailed IT knowledge they have about the business. Look to have a managed security provider tackle the day-to-day security alerts with platform orchestration and intelligence to elevate the actual security events. Still responsible for security but now proactive about the needed security changes and policy alterations will lead to cyber resilience.
SMEs are neither large enterprises nor small businesses. Here at TECH LOCK our security and compliance services are about giving cost-effective access to advanced enterprise-grade security, addressing the complexity of compliance needs, and providing personalized support. We help SMEs to achieve better security outcomes. You may also be interested in reading 5 Tips when Evaluating a Managed Security Provider if you find yourself exploring options for your organization.