A quick guide to planning your 2022 cybersecurity strategy  

If you’re anything like us, you’re probably reflecting on your 2021 IT infrastructure and wondering, ‘how can we iterate on this and make it even stronger?’

Inevitably, cybersecurity will be front of mind whether you’re a  CTO, COO or a founder. This will be especially true if you’re in a growing organisation with a swelling data footprint, or if you’re diversifying into new sectors, or releasing products that make use of sensitive financial or health data. 

Looking at the aftermath of events in 2021 such as the HSE phishing crisis and the supply chain attack on Kaseya, it’s safe to say the benefits of testing your security go far beyond prevention and compliance

PwC’s Independent Post Incident Review of HSE shows their infrastructure was insecure because they lacked investment to maintain it. There’s no doubt that getting the budget you need to create a robust infrastructure is non-negotiable, so here’s our quick guide to evaluating and iterating on your cybersecurity this coming year.

2022 and beyond

What we do now needs to be informed by what’s ahead. By 2025, Gartner predicts that 60% of organisations will prioritise cybersecurity when deciding on transactions and business engagements. This is hardly a far flung prediction, either. We’ve already seen companies rule out organisations for acquisitions or mergers based upon their security infrastructure.

Bloomberg report that according to the US Treasury, the average ransomware transaction was $102.3m per month in 2021. And while cyber insurance might mitigate the damage, it won’t cover GDPR fines or protect against disruption as ransomware attacks become more frequent. Market analyst Jeffrey Williams told the Insurance Times that ransomware attacks now occur every 11 seconds, which is in line with pre-2021 predictions.

With this in mind, it’s no surprise that the Digital Europe Programme is assigning €269m of its funding to advance cybersecurity equipment, tools and data infrastructures. Similarly, the UK government is investing £700m in cybersecurity training and business support.

Whether you take advantage of this funding or not, it’s essential to evaluate your security strategy, policies and technology. You may realise you should be enforcing a zero trust policy, role based access, stricter VPN policies – or you might need to ensure your remote employees have the home infrastructure they need. For many companies, it will also be crucial to reassess their hybrid working cybersecurity strategy and monitoring tools.

Getting the buy-in and budget you need

As with many organisations, you will eventually come up against the issues of internal buy-in and budget. And this is where you’ll likely want to consider a pen test. 

Pen testers can discover where exactly the vulnerabilities are in your organisation – whether it’s your cookies, authentication or employee behaviour. Once you know what your weaknesses are, you can present the risks to stakeholders and use your budget to strengthen them in the optimal way. 

To understand what kind of test is right for you, you should know that automated tools alone will not be sufficient. Hackers don’t solely rely on automated tools, so you shouldn’t rely on defences tested by automated tools either. Of course, the strongest tools can speed up the process, but if you’re going to simulate a real cyber threat, you’ll need a seasoned ethical hacking team – known as a Red Team – testing your infrastructure.

You should also strongly consider hiring pen testers who are CREST-certified or similarly qualified and vetted. The process, training and experience they undertake to get that certification makes them an invaluable asset to have on your side. 

Finally it’s worth understanding the benefits of independent pen testing. The more impartial your testers’ security recommendations, the easier you’ll find it to persuade stakeholders that those suggested measures are necessary.

Book a free consultation 

To kick off the new year, we’re going to be offering organisations a free 30-minute consultation to discuss their infrastructure and cybersecurity strategy.

You’ll have the opportunity to speak with a senior tester and a project manager, and ask any questions – technical or otherwise. There’s no obligation to commit to any form of pen testing with us afterwards, but we’ll be able to explain anything in case you need to make a business case to other decision makers in your organisation.

Datavax is a trusted, neutral and CREST-certified cybersecurity partner. To book a consultation with us, don’t hesitate to get in touch