You may all remember in GCSE science – or, O-level science, as it was called in my day – a lesson looking into the formula of how a plant grows. It needs a balanced mix of light intensity, water and temperature. If one of these factors is lacking, the lesson goes, then the plant will only grow to a certain point.

Whilst I claim no expertise in botany, this formula is comparable to the challenges organisations now face when reducing cyber risk. The equation to work out your firm’s vulnerability to threat actors can roughly be defined as how likely a cyberattack is to happen multiplied by the severity of the consequences of an attack. Be warned: both factors are equally important in divining the final result. If one aspect doesn’t get enough consideration, there is a limit to how much cyber risk can be reduced. 

Why cybersecurity has reached the ‘limit’

Since at least 1987, with the invention of the first antivirus solutions, businesses have tended to associate successful cyber risk strategies with actions that reduce the probability of a successful cyberattack. Thanks to technologies such as firewalls and intrusion detection and prevention systems, organisations have reached a point where they can prevent around 99% of all attacks.

At first glance, that sounds great. However, it also means that one in every 100 attacks is still successful. If you then scale that up and think of the rate at which cybercriminals can deploy attacks, then the threats which businesses face online justifiably appear to be much more nefarious and difficult for them to handle.

The challenge for security teams is they have now reached a “limit” where it’s impossible to reduce the probability of an attack taking place any further. Essentially, many are at a point where spending record amounts of money will only ever result in diminishing returns.

As such, organisations need to start preparing for the worst-case scenario of a threat actor causing chaos within their systems. It’s an area that, unsurprisingly, has not featured prominently in security planning across much of the private sector – evidenced, in part, by the huge ransoms many corporations and public-sector bodies pay to cybercriminals to prevent their data from being exposed online. 

Ultimately, businesses must prioritise keeping their most critical functions going in the event of a serious cyber incident to avoid such costly impacts. It requires a breach containment mindset, where organisations strategically manage and contain threats to reduce the potential harm caused.

How to implement breach containment 

The best way to adopt a breach containment strategy is through Zero Trust. By operating on the core principle “never trust, always verify,” security teams can enforce stringent authentication, authorisation, and validation protocols at every access point, ultimately isolating and mitigating threats.

To enforce such access controls, IT departments must develop a strategy that identifies which internal operations are essential to the running of the company. This helps dictate which areas are most critical to protect and where extra resources and money should be spent.

Once those systems have been identified, the focus should extend outward. Businesses must think about the surrounding links and how critical systems are connected. An attack could just as easily come through a supply chain as it could directly target a company’s systems. According to recent research from the World Economic Foundation, 54% of large enterprises identified supply chain challenges as the biggest barrier to achieving cyber resilience.

Businesses should map out their entire network, identifying all assets, users, and data flows. This is the most effective way of understanding where their organisation sits within the overall threat landscape and where effective access controls and monitoring systems should be implemented.

The latter also requires organisations to implement micro-segmentation technologies, such as Zero Trust Segmentation (ZTS). Dividing the network into small, isolated environments, each with its own dedicated security controls, enables security teams to restrict user access and monitor traffic flow. Users and devices should also be granted the minimum level of access necessary to perform their functions. Additionally, they shouldn’t be able to access isolated environments that are not relevant to their role.

To prevent unauthorised access to isolated environments, multi-factor authentication should be implemented and mandated. This makes it harder for attackers to gain access to systems that control energy distribution or heart monitors.
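The segmentation, least-privilege and MFA steps above can be expressed as a single default-deny policy that is evaluated for every flow between segments. The following is an added example, not code from the article or from Illumio: a small policy evaluator in which every segment name, role, port and sample flow is constructed for illustration, traffic is denied unless an explicit rule permits it, a rule only admits the roles listed on it, and any flow into a segment marked critical is refused unless the caller has passed MFA. The denied flows it collects are exactly the events a monitoring system would alert on.

```python
"""Default-deny segmentation policy evaluator (added example; all names constructed)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """An explicit allow between two segments on one port for a set of roles."""
    src_segment: str
    dst_segment: str
    port: int
    allowed_roles: FrozenSet[str]
    require_mfa: bool = False


@dataclass(frozen=True)
class Flow:
    """One observed (or requested) connection, with the caller's verified identity."""
    src_segment: str
    dst_segment: str
    port: int
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    critical_segments: FrozenSet[str]  # MFA is mandatory for any flow into these


def evaluate(policy: Policy, flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything without a matching rule is denied."""
    for rule in policy.rules:
        if (rule.src_segment, rule.dst_segment, rule.port) != (
            flow.src_segment, flow.dst_segment, flow.port
        ):
            continue
        # Least privilege: a rule only admits the roles it names.
        if flow.role not in rule.allowed_roles:
            return False, "role not permitted by rule"
        # MFA is required if the rule says so or the destination is critical.
        needs_mfa = rule.require_mfa or flow.dst_segment in policy.critical_segments
        if needs_mfa and not flow.mfa_verified:
            return False, "mfa required"
        return True, "allowed by rule"
    return False, "default deny: no matching rule"


def audit(policy: Policy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Collect every denied flow with its reason; these are the alerts to review."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(policy, flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


def reachable_by(policy: Policy, role: str) -> Set[Tuple[str, int]]:
    """Which (segment, port) pairs a role can reach: a quick least-privilege review."""
    return {(r.dst_segment, r.port) for r in policy.rules if role in r.allowed_roles}


# Constructed sample policy: two allow rules, everything else denied.
POLICY = Policy(
    rules=(
        Rule("corp-workstations", "ot-control", 502, frozenset({"ot-engineer"}), require_mfa=True),
        Rule("corp-workstations", "payroll-db", 5432, frozenset({"finance"})),
    ),
    critical_segments=frozenset({"ot-control", "patient-monitoring"}),
)

# Constructed sample flows, in the order the assertions below reference them.
SAMPLE_FLOWS = [
    Flow("corp-workstations", "payroll-db", 5432, "finance", True),        # allowed
    Flow("corp-workstations", "payroll-db", 5432, "hr", True),             # wrong role
    Flow("corp-workstations", "ot-control", 502, "ot-engineer", False),    # no MFA
    Flow("corp-workstations", "ot-control", 502, "ot-engineer", True),     # allowed
    Flow("corp-workstations", "patient-monitoring", 443, "clinician", True),  # no rule
    Flow("payroll-db", "ot-control", 502, "service-account", True),        # lateral move, no rule
]

if __name__ == "__main__":
    for flow, reason in audit(POLICY, SAMPLE_FLOWS):
        print(f"DENY {flow.src_segment} -> {flow.dst_segment}:{flow.port} "
              f"role={flow.role} mfa={flow.mfa_verified}: {reason}")
    print("ot-engineer can reach:", reachable_by(POLICY, "ot-engineer"))
```

Running the script lists four denied flows, including the payroll-to-OT attempt that no rule covers, which is the lateral movement a segmentation policy exists to stop. The `reachable_by` helper is the check to run before adding a rule: if a role can already reach more than its job needs, the policy has drifted from least privilege.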

Ultimately, it is impossible to prevent cyberattacks entirely. It is an unfeasible goal that sets cybersecurity teams up for failure. For companies to truly reduce cyber risk, they must shift the conversation from “How do we reduce the probability of a successful attack?” to “How do we mitigate the impact of an attack?”

By prioritising a breach containment strategy, with Zero Trust and micro-segmentation technologies at its core, businesses can avoid the costly impacts we have seen in the past.

Trevor Dearing is the director of critical infrastructure at Illumio
