Cyber attacks will cost the world $10.5 trillion USD annually by 2025. To put that into perspective, that’s the GDP of a number of countries in Western Europe put together. 

One of the main factors behind these costs is that relentless pressure from emerging threats puts most organizations in constant triage mode, disrupting their ability to build the resilience and capabilities needed to reduce the impact of events. 

To make matters worse, organizations will also face greater exposure to threats as attack surfaces expand with greater cloud utilization, ongoing hybrid/remote work arrangements, and employees using their own devices for company business.

While the latest tools and technologies will remain essential parts of any security program, technology alone cannot address what has essentially become a “people” problem. According to Verizon, the “human element” played a major role in 82% of successful breaches last year. The changing nature of how businesses run means that cybersecurity is increasingly becoming a responsibility of the entire workforce, not just security teams. To build greater resiliency against the latest threats, we need to re-think how our workforces prepare.

Preparation builds resilience

Workforces are more resilient to a cyber attack if they’re prepared, and effective preparation means building a culture of continuous upskilling. This requires a shift from one-off traditional training sessions toward a more continuous, modern approach focused on building the right cyber skills at the right time – and proving it. Organizations cannot prepare for the next threat or vulnerability if they’re in constant reaction mode. The following five tips can help organizations better prepare for their next crisis.

Tip #1: Context

Context is the first essential part of effective preparation. In the early moments of an incident, when leadership is trying to determine if they actually need to worry about, you need information. And that information needs to be readily available.

Tip #2: Data collection

Context is important, but how you get that context is equally important. You need the right information so that in those first minutes of an incident, you can make well-informed decisions without information overload. Large organizations (e.g., Microsoft, Google, Palo Alto, Cisco) share a wealth of information via regular bulletins, including indicators of compromise. That information, however, is only useful if your organization is positioned to create and generate logs that analysts can navigate. 

In terms of business continuity, you also need data that helps you understand what parts of the organization are mission critical. As a cybersecurity professional, it can be easy to say, “Shut it down” when I see an attacker about to jump to another network. But if that part of the network is critical infrastructure powering hospitals, that becomes a very different conversation.

These decisions should not be made in isolation and must include all stakeholders to understand the business consequences of shutting something down, the impact that it’s going to have, and how it’s going to domino through the organization. The secondary, unintended consequences could be potentially more damaging to the organization than the underlying threat from a cybersecurity perspective in terms of dollar/loss impact.

Tip #3: People

Tools and technologies by themselves are never enough. You can’t have resilience against new and emerging threats without a well-trained team. Trust is essential for all your different people to function as a team. The last place you want to test relationships is when you’re in the middle of a crisis. If your team has had the opportunity to build trusting relationships in a calm training environment, that enables them to have a shared mental model of a situation. If you’re working as a team and you’re prepared, then you’re probably well-positioned to respond to a live threat situation.

This trust-first approach also fosters adaptability by learning from each other’s experiences. No matter what happens, your organization can communicate across the business and adjust as needed. The ability to communicate and understand will ultimately enable the swift reaction you need during an actual crisis.

Tip #4: Playbooks

I’ve been in the industry for a while, and I’m used to old-school playbooks – a set of steps to follow for any given situation. But the evolution of the Internet and methodologies used by ransomware groups and supply chain compromise attacks have really changed things. All of a sudden, my well-defined, well-written, sequential playbooks became outdated in many situations. There’s no point having a playbook that says, “Now go to check that your exchange servers are patched” if you’re cloud-native and you don’t have exchange servers on-site.

That said, playbooks can still be a powerful tool. They allow people to think about the approach they need to take for their specific context. The kinds of playbooks that can be really powerful today might focus on things like threat hunting – how do I identify suspicious activity versus standard activity? 

Some industries have very specific playbooks that outline precise steps that must be followed under certain parameters. But given what we’re hearing about the different motivations of cyber attackers, it’s important to remember that you’re being attacked by a person. And you’re not necessarily going to have a playbook that addresses every specific threat. You need agility in your playbooks to understand how best to deploy your resources, where to focus, and then when and how to engage the business.

Tip #5: Practice

Use those playbooks to exercise, exercise, exercise. But be smart when you’re exercising. That doesn’t mean you need everyone in your organization’s incident response team to sit down for four hours. You might do that kind of traditional tabletop exercise once a year, but that alone is not going to instill confidence in your procedures. You need regular practice to build that kind of confidence by being as prepared as possible for an eventual attack.

For any organization, the teams that need to be involved in any cyber response go from very technical subject matter experts up to board members. These aren’t individuals that will interact with each other on a regular basis. As a CISO, you may not normally speak to the head of legal. A moment of crisis shouldn’t be the first time you trade business cards. You need to start building that relationship well before you’re being overwhelmed with information and pulled in a thousand different directions. 

When it comes to practice, think of a sports team. Different players have different skills and responsibilities in their various positions, but they practice working together as a single unit so that they’re ready to perform when gameday arrives. Real-life simulations can give workforces the preparation they need to respond to threats, while allowing leaders to measure their cyber preparedness against industry benchmarks.

Build Knowledge, Skills, and Judgment

Cyber resilience is about being prepared for the eventuality that you will suffer an incident at some point.

When the inevitable does occur, you will need data and tools to empower your people, but those people also need the knowledge, skills, and judgment to react. They need training that helps them understand when to escalate an issue, when to make an immediate decision, and how to use those playbooks. For security leaders, this also means creating a space in your program to build trust between different teams, not just those you work with on a regular basis.While facing an unknown threat in a live attack will always be stressful, preparation will help your teammates stay calm and confident under duress.

To learn more about how to prepare your people to combat emerging threats, click here.

Check Out Immersive Labs in the News.


April 12, 2023


Kevin Breen

Director Cyber Threat Research