
Cybersecurity Goals for the Year Ahead

Resolve to kickstart a more secure 2024.   

Ever-larger attack surfaces, more sophisticated attackers and increasingly complex IT infrastructures in 2024 mean that many firms will be challenged to keep their cybersecurity heads above water in the year ahead. That is especially true for businesses facing budget constraints.

Indeed, the smaller the company, the greater the challenge. According to the UK Government's Cyber Security Breaches Survey 2023: "The proportion of micro businesses saying cyber security is a high priority has decreased from 80% in 2022 to 68% in (2023). Qualitative evidence suggests that cyber security has dropped down the priority lists for these smaller organisations, relative to wider economic concerns like inflation and uncertainty."

Another study found that half (52%) of organisations feel that cyberthreats are now too complex for them to deal with themselves.

Five Cybersecurity ‘Musts’ for 2024

Assuming you haven't been breached, the first problem is self-awareness – knowing that you are struggling.

Srinivas Mukkamala, chief product officer at Ivanti, offers five cybersecurity resolutions for businesses committed to doing better in the year ahead.  

  • Create a central repository of well-defined whitelisting policies.
  • Implement and enforce access policies that are NOT dependent on manual configurations or variable homegrown scripts.
  • When someone leaves your company, revoke every single digital privilege immediately and automate the process moving forward.
  • Prevent users from accessing the wrong files from the wrong places at the wrong times.
  • Build a consistent process for adding new applications (including cloud/SaaS) into your business and always apply appropriate user policies to them.

These five checklist items apply to any line of business: they bolster data and application security, reduce the risk of insider threats and reduce the risk of breaches.

Beyond the Bullet List

For Chester Wisniewski, field CTO applied research at Sophos, a healthy approach to cybersecurity in 2024 also includes a fresh mindset and separate budgets for IT and information security. 

"Measuring the time being spent being reactive versus proactive is a leading indicator of whether you are moving forward or backward,” Wisniewski asserts. “Information security is a risk management practice and should be operated separately from IT to avoid having security risks be deprioritised compared to other IT projects."

Resolve to Change Attitudes and Business Culture

If you want to tackle the problem yourself, it may require a change of attitude.

"To cope with fast-changing and unknown threats, organisations need to move beyond a reactive, rules-based stance and consider things like resilience, automation, empowerment and holistic risk management," Mukkamala suggests.

This change in mindset must go beyond the security function and the IT department.

"All too often, negative culture is the exact root cause of why vulnerability management programmes fail," explains Lance Spitzner, a senior instructor at the SANS Institute. "SecOps fail too when teams butt heads and the working culture isn't positive and collaborative enough to foster great results."

Spitzner asserts that the path to a better security business culture begins with SecOps stakeholders. Those confident that their cybersecurity priority list is in order will promote a better business culture beyond the data centre.

"I frequently observe organisations attempting to 'upgrade' their security posture to protect against yesterday's threats," says Wisniewski. "Many security teams are focusing on specific signs of malware, certain files, hashes, or IP addresses, yet the most dangerous threats today are not objects, but rather humans."

Getting Help

For those organisations finding it hard to keep up, an obvious solution might be to outsource the issue to a third party, such as a Managed Security Services Partner (MSSP). For resource-starved businesses, partnering with an MSSP is an option. However, Wisniewski reminds anyone seeking third-party help that you can't outsource control: CSOs and their peers need to partner carefully and never cede control of SecOps.

"No one knows your business like your own team," says Wisniewski. "Your individual processes, policies and priorities cannot be outsourced and should be at the centre of your security strategy. On the other hand, threat hunting and staying on top of the latest malware, tools, scripts and attackers is a daunting task and is often best done at scale."

Ultimately, though, it's up to you to re-assess your threats and your capability to deal with them. And people throughout the organisation can help.

"Security teams must be able to hold a mirror in front of themselves and ask 'would I buy into what I see here?'," says Spitzner. "While it might seem daunting to ask the workforce what they think about their cyber security team, there's no better way to get a cyber culture health check and an understanding of what needs fast improvement [in the year ahead]."
