CISO's Perspective Archives | CyberMaxx
https://www.cybermaxx.com/resources/type/cisos-perspective/
Feed last updated: Fri, 01 Aug 2025 15:20:07 +0000

Ransomware Trends Beyond the Headlines: A CISO’s Q2 2025 Perspective
https://www.cybermaxx.com/resources/ransomware-trends-beyond-the-headlines-a-cisos-q2-2025-perspective/
Published Wed, 30 Jul 2025 18:42:13 +0000

There are numerous threats that organizations need to account for and incorporate into their security programs. But ransomware remains top of mind for leaders and practitioners alike. Ransomware is widely reported and closely watched.

Often, its attacks make the news, impacting well-known companies and directly affecting individuals. It’s important to examine trends and identify lessons that can be applied to our own practices in response to the ransomware threat.

Why the Decline in Q2 Attacks Doesn’t Tell the Whole Story

The first thing that stands out from this quarter’s report is the overall drop in attacks. That’s great at first glance: one thousand fewer attacks, a 40% drop compared to Q1. However, organizations cannot simply take the headline totals and draw a broad, general conclusion that the threat level is decreasing.

High-level trends can give false hope to an organization, which is why it’s important to examine the numbers themselves. As the report demonstrates throughout, a false sense of security would form if we focused just on the total numbers.

Don’t Think in Silos: Risks Cross Every Boundary

One trap we must avoid is thinking in our own silo. The reality is simple: threats are everywhere, and they’re constantly shifting. The threat landscape is vast and far-reaching, and much of it affects us directly. Even if we initially downplay the threat from certain risk groups based on perceived attack likelihood, that assumption can be misleading.

The past few years have heightened our collective awareness of third-party and supply-chain risks. The two are closely related, and we have seen their impact on organizations, customers, and the general public. We need to look beyond the borders of our organization when assessing threats and building our risk awareness. That includes trends in industries we do not operate in but that have a major impact on our daily operations as a business.

Move Beyond Prevention: Resilience is the New Goal

This leads us back to the need to elevate our mindset and the lens through which we view our security program. It is no longer enough to think in terms of prevention and recovery. Yes, they are important components, but that can’t be where we focus all of our efforts and resources. Our focus and aim must be resilience.

How do we continue to operate at or near 100% in the event of a security incident? What are our dependencies on supply chains and third parties, and if one of them suffered an incident and could not fulfill its obligations, how would that affect our ability to operate normally? We need to look at those considerations.

Healthcare’s Vulnerability and Why It Should Concern You

Healthcare remains one of the most frequent targets for attacks by these threat groups. The report explains the reasoning behind that. What we, as organizations, need to do is account for where the healthcare industry intersects with our business vertical. Remember, healthcare is a broad field; it encompasses more than just hospitals.

It is every element of the healthcare system: hospitals, billing companies, insurance records, and so on. There is a potential impact on our organization even if we’re not in healthcare, and even if healthcare isn’t a part of our supply chain.

The Broader Impacts of Breaches on Your Workforce

Our people likely have healthcare coverage through the organization and certainly maintain some form of medical records. So, when there’s a breach of that information, everyone may feel an impact. There is a mental toll on many individuals when they learn that personal information they expected to stay private, whether health or financial information, has been exposed.

They have no idea how bad the impact will be on them. Can we build any measures to mitigate that risk? Can we incorporate a part of our security program that allows for resilience when a large breach may affect a large swath of our organization’s personnel, causing their focus and performance to be impacted by this new stress?

Think Like a Business Leader: Customer Industry Risk = Your Risk

Now, let’s look at it through more of a business lens. Your organization isn’t in healthcare. However, a significant portion of your customer and client base may be healthcare organizations. We’re using healthcare, but it can be any other industry that you serve or rely on to generate revenue as part of your operations.

Let’s say your organization provides a non-healthcare service to the healthcare industry. It’s one of your largest customer verticals and a focus of your go-to-market strategy. If that industry is experiencing an increase in attacks, they will need to address it with their resources. That means a shift in budget priorities. That may cause you to lose out on deals, have current customers cancel at renewal, and deter prospective clients because the budget dollars are no longer available.

Take a Holistic View of Threats Across Industries

We need to take a holistic approach when evaluating potential threats across the broader ecosystem. That means understanding where our organization overlaps with different business verticals and how attack trends in those sectors could affect us.

There is one other focus from this quarter’s report. We mentioned resilience earlier, and it is also mentioned in the report itself. No longer is security just about prevention and recovery; it’s also about how we set ourselves up to maintain resilience in the face of an attack.

It’s not only about disaster recovery (DR), but also about business continuity (BC), and increasing our focus on maintaining operations in the face of adversity, regardless of the threat. And it’s really about ensuring we’re true to the basics: the old, tried-and-true solutions that we’ve been hearing about for ages.

Security Basics Still Work If You Use Them

Vectors change, industries of focus change, and even what’s being ransomed or threatened changes, but what we can do to help protect ourselves has remained relatively consistent.

Key foundational practices include:

  • Implementing multifactor authentication (MFA/2FA) for all accounts, especially those accessible from the internet
  • Establishing a strong backup-and-recovery program that includes regular testing and a version of backups isolated from the corporate network
  • Developing and regularly testing incident response plans and protocols to ensure staff are prepared for evolving attacker tactics
  • Maintaining a disciplined patching and vulnerability management program to reduce exposure from both new and older vulnerabilities

These are just a few of the security basics that have been recommended for years and remain highly effective to this day.

The Quiet Risk: Unpatched Vulnerabilities

Patching and vulnerability management often receive little attention. It isn’t necessarily exciting. It’s usually not the program that gets folks to jump out of bed looking to conquer. The latest and greatest vulnerability, the one that’s large enough to make the news cycle, is the one that gets noticed and prioritized.

It’s the one that everyone’s asking about: how are we with this, are we protected? What do we need to do to be protected right now? Exploit development takes time, and threat groups work under the same ideas as regular businesses. If this still works for us, why should we incur the expense of changing just to chase the latest trend?

If you look at some of the highlighted vulnerabilities in the report, you’ll notice that they are typically one to two years old. They may not be related to recent headlines, and may not even have garnered headline attention when they were first discovered, but they’re still being exploited today. The reason they’re still being exploited is that there are still environments where these vulnerabilities remain unpatched. Threat actors therefore have a sufficient market in which what they developed years ago continues to generate a profit.

Why change?

Yes, patching and vulnerability management do have their complications: timing a patch, the potential downtime of a system to apply it, and any number of other concerns organizations face when a vulnerability is discovered. However, it remains one of our most effective tools for securing environments and strengthening organizational resilience.

Understand the Story Behind the Numbers

The difference in the numbers between Q2 and Q1 appears favorable; at first glance you notice a significant decline in attacks. But that’s why we have to dive deeper than the initial numbers. We have to see where the attacks are focused, what that really tells us, and what the implications are for our business.

Review Q2’s Report.

Tales from the SOC CISO Perspective: Key Takeaways from A Thumb Drive and a Criminal Investigation
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-a-thumb-drive-and-a-criminal-investigation/
Published Thu, 17 Jul 2025 19:52:49 +0000

When you choose, or feel called, to be a defender, there are certain realities you accept as part of that mission. The constant change, potential sleepless nights, and a sense that you’re constantly under siege. We know and accept these stresses because the good we provide outweighs all of that to us. But there are some realities that we encounter, and that we can act against, that contribute more than any ransomware response could.

USB devices pose several risks, related to more threats than most people ever consider. It is important that these common, yet potentially dangerous, items are not forgotten in your security program. Regularly monitoring them, not just connections to them or uploads to them but their general activity, is too often a missed opportunity. That’s the first part of success here: knowing the full picture and vectors of the threat landscape, then accounting for them in your defense strategy. Going beyond simple awareness, scanning and monitoring for activity from the device are next-step tactics that are too often unknown.

The discovery of illegal activity, specifically activity of the nature described here, is a possibility you have to be aware of as a defender. Not every discovery you make fits nicely into standard buckets or procedures, things that can be easily automated so you can set them and forget them. No, some items, the nefarious items, require an understanding of the law and the handling of a sensitive investigation without compromising it or alerting the perpetrator too soon that they’ve been discovered.

All security programs should have an established working relationship with law enforcement. It requires human contact and human interaction. Not all events are the same, so being able to contact law enforcement, share your intelligence, and then take actions as prescribed by them, even if it means not overtly acting right away, requires understanding, coordination, and a moral sense of right and wrong.

It’s easy to sound the alarm as soon as any threat or malicious activity is discovered. But you always need to be able to consider the context and details specific to every single event. All your experiences provide insight, context, and guidance in every new incident that a security practitioner encounters. It requires taking that extra step, sometimes confirming the unthinkable, before acting. You must be aware of all risks, practically at all times. That includes the risks associated with being wrong about an initial analysis. Defenders must possess the wherewithal to confirm what they see, verify its accuracy, and know exactly what action to take next, given the totality of the circumstances.

Our ability to prevent cyber incidents for the companies we protect is very rewarding. It fills you with a sense of purpose, of pride. But there is no greater sense of purpose than being able to act and make an impact on those grander, unthinkable issues. It takes fortitude and resilience: to see something abhorrent, yet know to act rationally and follow proper steps to allow for the greatest impact; to know when an event needs to be taken out of the usual procedural loop and acted upon with deference and sensitivity.

Tales from the SOC CISO Perspective: Key Takeaways from A Physical Threat to Cyber Defense
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-a-physical-threat-to-cyber-defense/
Published Tue, 08 Jul 2025 16:06:25 +0000

There is a lot of chatter and noise when it comes to “continuous monitoring” for organizations to consume and then determine how to implement. Yes, you get a fair amount of intel and data from monitoring the activity within your environment, from cloud apps, to network traffic, to what’s occurring on your endpoints. And even though you can correlate the activity that’s there, potentially surfacing activity that lets you be proactive, focusing solely on those intel sources creates a myopic view of your organization.

Threats do not exist in a vacuum. There can be direct impact to physical security from a cyber threat, and the same is true of a physical security threat implicating our cyber security. A strong monitoring program accounts for all potential threat vectors and ingests that information, greatly expanding its sources of information. It is not uncommon for cybersecurity teams to become hyper-focused on only the digital threat landscape, forgetting that there is a physical element and physical world where we all exist.

What’s more, maintaining focus and awareness in both worlds allows more information to be consumed and corroborated, and hidden connections or new insights to be obtained.

It’s not just your monitoring that needs to be continuous; your response should be continuous too. We often pigeon-hole response into specific circumstances: this is how we “respond” when we see this attack occurring or this incident in progress. But Response truly goes beyond that paradigm. Every bit of information and intelligence that we take in offers us the ability to Respond in some manner. We can strengthen defenses, update settings and configurations, create a period of hyper-focus on an area of our environment, raise awareness among our people of what to look out for, and extrapolate information across the whole of our environment. Acting on new information received to proactively improve our security posture or increase our monitoring focus is a part of the whole Response paradigm.

Responding to this new intelligence, cross-referencing it across our environment, and reviewing our defenses put us in a stronger position than we would otherwise be in when the event or incident does occur. It’s the old saying, “failing to plan is planning to fail.” You can’t plan without information, without knowing all the factors that you’re up against, and how you want to set yourself up for success.

There are plenty of alerts and “chatter” that we will come across as we gather intel to learn what new threat is out there, or how an existing one is modifying its approach. Simply taking that information and sharing it, or filing it away for awareness, is not a full approach to securing our stacks. We have to act upon that information.

Read the Tales from the SOC eBook.

Tales from the SOC CISO Perspective: Key Takeaways from Malicious Inbox Rule
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-malicious-inbox-rule/
Published Tue, 24 Jun 2025 15:26:09 +0000

There is immense analytical and deductive value in knowing the tactics, techniques, and procedures (TTPs) of threat actors. These are often tell-tale signs of behavior that are repeated across countless organizations as threat actors carry out their attacks. Many of them are straightforward and well-known to defenders, such as the naming convention they often use for the creation of inbox rules to hide their activity. But the fact that they are often part of a procedure means there is likely a linear progression to the specific actions taken.

The knowledge of that progression allows an analyst to go back through the logs and search for the various activities that are often a prelude to the action that was just noisy enough to draw attention to itself. In a vacuum, viewed as a singular event, it would likely not cause much additional action or review. But to a person with knowledge of TTPs and of how those actions flow, discovery depends less on the immediate flag being thrown and more on the prior events that it likely followed.

The compromise of a single account or system for a threat actor is a win, but the ability to expand that compromise across multiple accounts and/or systems really provides them with a greater foothold in their target environment. We know this to be a preference and one of the first goals they look to accomplish when they’ve gained initial entry into an environment. Once you’ve worked your way back to this point, revoking that access becomes a priority.

That’s a lot of work and a lot of time. The ability to see activity at scale, work backwards through it to look for the inciting events you know likely preceded the point where you are at now, takes you to that moment of initial foothold. When you combine all those capabilities and add in the ability to rapidly respond to not just the one, but any of the accounts that have been compromised, that gets you out of playing whack-a-mole and allows you to take mass action.

A lot of organizations may think to change the password on a compromised account, but that doesn’t necessarily have the desired effect. Knowing how access is maintained once an account authenticates, through what are known as sessions, means you need to go further and revoke any active session associated with that user. It’s the devil-in-the-details kind of knowledge that a SOC can provide, giving you both the breadth and depth of insight into the actions to take.

What’s more, by seeing the TTPs and identifying the action the threat actor is using to spread further across the environment, an organization can take additional preventative steps too: notifying everyone of the malicious email and file, and pulling it out of any mailbox it may be present in before the next recipient ever sees it.

This goes beyond the single response to the one identified event, the mailbox rule. The knowledge of context and execution allows you a stronger, broader response that increases the likelihood of quelling the attack before it does the worst damage it could.
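As an added illustration (not code from the post or from CyberMaxx), the following Python triages a flagged inbox-rule creation the way the post describes: it scores the rule against common hiding tradecraft, walks backwards through the same user's events for the prelude steps, widens the scope to every account seen from the same source, and recommends session revocation rather than a password reset alone. The log format, operation names, users and addresses are all constructed for the example and are not any vendor's audit schema.

```python
"""Constructed example (not the page's or CyberMaxx's code): triage a flagged
inbox-rule creation by walking backwards through a user's audit trail and
widening the response to every account that shares the same access pattern.

The log format below is invented for the example; it only loosely resembles a
mailbox audit log and is not a specific vendor's schema."""
import json
from datetime import datetime, timedelta

# Constructed audit events, oldest first. Several users, one suspect source IP.
SAMPLE_LOG = """
{"time": "2025-06-01T08:02:10Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "params": {}}
{"time": "2025-06-01T08:04:31Z", "user": "alice@example.com", "op": "Update user", "ip": "198.51.100.7", "params": {"field": "StrongAuthenticationMethod"}}
{"time": "2025-06-01T08:05:02Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "params": {"Name": "..", "DeleteMessage": true, "SubjectContainsWords": ["invoice", "payment"]}}
{"time": "2025-06-01T08:20:44Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "params": {}}
{"time": "2025-06-01T09:00:00Z", "user": "carol@example.com", "op": "New-InboxRule", "ip": "203.0.113.50", "params": {"Name": "Newsletters", "MoveToFolder": "Reading", "SubjectContainsWords": ["digest"]}}
{"time": "2025-06-01T09:12:15Z", "user": "bob@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "params": {"Name": ".", "ForwardTo": "ext@attacker-example.net", "SubjectContainsWords": ["wire"]}}
"""

# TTP-style indicators of a hiding rule: near-empty or punctuation-only names,
# rules that delete or forward mail, and rules keyed on finance terms.
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "po"}
# Operations that commonly precede rule creation in the progression (assumed).
PRELUDE_OPS = {"UserLoggedIn", "Update user", "Add-MailboxPermission"}


def parse_log(text):
    """Parse JSON lines into dicts with a parsed timestamp, sorted oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def suspicious_rule(event):
    """Return the reasons a New-InboxRule event looks like a hiding rule ([] if clean)."""
    if event["op"] != "New-InboxRule":
        return []
    p = event["params"]
    reasons = []
    name = p.get("Name", "").strip()
    if len(name) < 3 or not any(c.isalnum() for c in name):
        reasons.append("obfuscated rule name")
    if p.get("DeleteMessage") or p.get("MoveToFolder") in ("RSS Feeds", "Conversation History", "Junk Email"):
        reasons.append("hides matching mail")
    if p.get("ForwardTo"):
        reasons.append("forwards mail externally")  # assumption: any forward counts here
    if FINANCE_TERMS & {w.lower() for w in p.get("SubjectContainsWords", [])}:
        reasons.append("targets finance keywords")
    return reasons


def prelude_events(events, flagged, window=timedelta(hours=2)):
    """Walk backwards from the flagged event to the earlier steps by the same user."""
    return [e for e in events
            if e["user"] == flagged["user"] and e["op"] in PRELUDE_OPS
            and flagged["ts"] - window <= e["ts"] < flagged["ts"]]


def triage(text):
    """Flag hiding rules, pivot to their prelude, and scope the response across accounts."""
    events = parse_log(text)
    findings = []
    for ev in events:
        reasons = suspicious_rule(ev)
        if not reasons:
            continue
        earlier = prelude_events(events, ev)
        # Widen scope: every account touched from the same source IP is suspect too.
        blast = sorted({e["user"] for e in events if e["ip"] == ev["ip"]})
        findings.append({
            "user": ev["user"], "ip": ev["ip"], "reasons": reasons,
            "first_seen": earlier[0]["time"] if earlier else ev["time"],
            "accounts_to_contain": blast,
            # A password reset alone leaves already-issued sessions valid.
            "response": ["revoke active sessions", "reset password", "remove rule"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```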

Read the full Tales from the SOC eBook.

Tales from the SOC CISO Perspective: Key Takeaways from One IP Address, Two Organizations Saved
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-one-ip-address-two-organizations-saved/
Published Tue, 17 Jun 2025 15:21:49 +0000

Attackers usually don’t want to be discovered until they’ve reached the point where they want to announce themselves. They want to stay quiet, hoping to go unnoticed in the beginning stages of their attack. This is often achieved by taking small actions, the kind that can easily be dismissed when viewed in isolation. Minor activity that may be somewhat out of the norm, but it’s not happening at a scale or pace that is going to set off any alarm bells. And because they’re doing their best to maintain a sense of stealth, they don’t feel they need to alter tactics or tooling that much when they perform the same initial actions in a different target environment.

Just like we saw with “The Call That Protected Four Clients,” that sense of, “I have a bad feeling about this,” and a scope with which to run down that feeling, creates an opportunity for discovery of a threat that an organization could take far longer to discover when working in isolation. Much like when statisticians talk about the importance and relevance of sample size, a SOC from an MDR can apply discovery to an exponentially larger sample than any one organization could itself.

That provides the opportunity to take advantage of an attacker taking their quietness for granted. It’s about that expanded sample size. It’s one thing to be a singular dot in a small cluster. But to be the same, singular dot in multiple clusters, that becomes noticeable much faster. It’s no longer an anomaly in an environment. Its repetitive nature in multiple environments belies its identification as an anomaly. It reminds me of the saying, “once is happenstance, twice is a coincidence…” But the catch for a security practitioner is that we don’t like coincidence. It’s too neat and clean of an explanation. The presence of a coincidence makes us want to dig deeper and prove it as such.

It’s that element of human curiosity that you can’t truly automate. Sure, once curiosity is piqued, I can automate the ability to conduct searches and queries and provide the results, but it’s still that human curiosity that is the catalyst for digging deeper, doing more to ensure that a coincidence is just that.

We hear that attackers are automating a lot, but there’s still a human at their initiation point too, which means they can’t help but act according to their normal behavior. That creates a pattern that is discoverable once you start to look for it. What may seem quiet as a singular one-off becomes a flashing red light when you see it repeated over and over again.

By expanding the sample size and applying that innate doubt about “coincidences,” patterns begin to emerge that tell a more detailed story of activity. That’s where the SOC shines brightly. That’s a capability that I can’t replicate as a standalone organization. It’s a pattern I won’t be aware of until others start reporting it as an “anomaly” too, and by then, it’s almost too late and a compromise has occurred.
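To make the “same dot in several clusters” point concrete, here is an added Python example (not from the post or from CyberMaxx) that compares what a single tenant’s threshold alerting would surface with what a cross-tenant view surfaces over the same constructed events; tenant names, addresses and the alert threshold are assumptions.

```python
"""Constructed example (not the page's or CyberMaxx's code): a source that stays
below every single tenant's alert threshold but recurs across tenants is
surfaced by aggregating the tenants' logs. Tenants, IPs, actions and the
threshold are invented for the example."""
from collections import defaultdict

# Constructed per-tenant events: (tenant, source_ip, action).
EVENTS = [
    ("acme-health", "192.0.2.44", "failed_login"),
    ("acme-health", "192.0.2.44", "failed_login"),
    ("acme-health", "192.0.2.44", "vpn_probe"),
    ("beta-clinic", "192.0.2.44", "failed_login"),
    ("beta-clinic", "192.0.2.44", "vpn_probe"),
    ("gamma-labs", "192.0.2.44", "vpn_probe"),
    ("acme-health", "198.51.100.9", "failed_login"),
    # A loud scanner: one tenant, far above threshold, caught by per-tenant alerting.
    *[("beta-clinic", "203.0.113.200", "failed_login")] * 40,
    ("gamma-labs", "10.0.0.5", "file_download"),
]

PER_TENANT_THRESHOLD = 10  # assumption: the count a single tenant's alerting fires on


def per_tenant_alerts(events, threshold=PER_TENANT_THRESHOLD):
    """What each tenant sees on its own: only sources at or above the threshold."""
    counts = defaultdict(int)
    for tenant, ip, _ in events:
        counts[(tenant, ip)] += 1
    return sorted({ip for (tenant, ip), n in counts.items() if n >= threshold})


def cross_tenant_indicators(events, min_tenants=2, threshold=PER_TENANT_THRESHOLD):
    """Sources that stay quiet in every tenant yet recur across several tenants."""
    per_ip = defaultdict(lambda: defaultdict(list))   # ip -> tenant -> actions
    for tenant, ip, action in events:
        per_ip[ip][tenant].append(action)
    findings = []
    for ip, tenants in per_ip.items():
        quiet_everywhere = all(len(actions) < threshold for actions in tenants.values())
        if quiet_everywhere and len(tenants) >= min_tenants:
            # Actions repeated in every affected tenant are the reused tradecraft.
            common = set.intersection(*(set(a) for a in tenants.values()))
            findings.append({"ip": ip, "tenants": sorted(tenants),
                             "shared_actions": sorted(common)})
    return sorted(findings, key=lambda f: -len(f["tenants"]))


if __name__ == "__main__":
    print("single-tenant alerts:", per_tenant_alerts(EVENTS))
    print("cross-tenant indicators:", cross_tenant_indicators(EVENTS))
```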

Read the Tales from the SOC eBook.

Tales from the SOC CISO Perspective: Key Takeaways from The Call That Protected Four Clients
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-the-call-that-protected-four-clients/
Published Tue, 10 Jun 2025 11:00:43 +0000

One concern that affects many organizations is the sense that they are an island unto themselves in the vast ocean of business. The number of threats and information that is out there can create a sense of being buried. That you’re more than likely to miss something, simply because it’s close to impossible to triage all of that information and account for all the threats, while maintaining normal business operations.

Information sharing groups are great because they provide that information in a somewhat more targeted forum. I’m in this industry, this threat is being seen by my industry, so it helps with prioritizing. But that’s just the tip of the iceberg too, when it comes to triaging information and working through threat intelligence.

That’s what stands out to me about “The Call that Protected Four Clients.” It is a prime example of getting to the crux and being able to act on information. An organization on its own would have to hope that the call one client made would be shared within our business community. That’s a lot to expect. Organizations are hesitant to share information because of the view that we are mostly competitors. Sharing a potential weakness feels like we are unnecessarily exposing ourselves to a risk that isn’t worthwhile.

But here, we have a company entrusting information to their shared partner protector. The fortunate component is that the partner is a trusted partner to many organizations in the same vertical. That allows them to apply knowledge from one to many, which collectively provides additional security to an exponential number of companies from a threat that they might not be aware of yet themselves.

This is the greatness of strength in numbers. I’m in a position where my focus is on the application of a potentially active threat, as opposed to working through any number of possible threats that may be theoretical at best. My vertical and my organizational size are two factors I need to parse out when I triage the threat landscape myself, and here that work is already done by the time I first hear about the threat.

That puts my organization and me in a position to be proactive in our reactive response. Yes, we’re reacting to the information, but our response is proactive, even if only a little: we’re hardening defenses and taking action prior to an active incident in our environment. Preventive measures in a proactive stance allow for more forethought and calm minds to make determinations, since we’re not operating under the intensity of an active incident.

Context and critical thinking, plus that gut feeling, are components I don’t take for granted. There’s always something to be said for them, something to trust, and to lean into. If I can get them from a source of expertise, it allows me to focus on execution, not excavation.

Read the full eBook: Tales from the SOC: Security Success Stories Powered by Proactive Intelligence and Real-Time Response

Cybersecurity Strategy: Key Takeaways from Q1 2025 Ransomware Research Report
https://www.cybermaxx.com/resources/cybersecurity-strategy-key-takeaways-from-q1-2025-ransomware-research-report/
Published Tue, 29 Apr 2025 19:19:34 +0000

Cyberattacks surged in Q1 2025, setting new records and leaving CISOs exhausted by yet another uptick in threat activity. But behind the bleak headlines lies opportunity; a chance to recalibrate your cybersecurity strategy and regain control.

Reframing the Cybersecurity Strategy When the Numbers Look Grim

It’s simple to look at the initial numbers comparing Q1 2025 to Q4 2024 and see that the number of attacks increased, again. It’s also clear that we set a new record for most attacks in a quarter, again. And when faced with that, it’s fair to wonder, what’s the point?

It feels like every step we take, every move we make, they’re watching us (now you’re humming the tune) and adjusting, constantly gaining the advantage. The pressure to keep up makes it easy to adopt a defeatist attitude and just forge ahead, focusing only on what seems best for the business. As a result, security projects often get pushed aside because the effort just doesn’t seem to make a dent.

On the surface, our prospects seem grim. Indeed, witnessing the scope of attacks, along with a rising number of threat groups, often triggers a strong emotional response. That kind of pressure can lead to the urge to step back and redirect our efforts toward other priorities.

However, the real value lies beneath these numbers. The tactics, techniques, and procedures employed by the attackers provide us with valuable lessons to learn from. In this case, going toward the light is precisely what we should do.

A Cybersecurity Strategy Starts by Acknowledging the Threat Landscape

First things first, let’s get the “negative” out of the way. You can’t plan until you know what you’re up against, so you need to see the whole board and then see where you can gain an advantage. The increase in the number of attackers would logically lead to a rise in the number of attacks. It may simply be that the attack rate reflects a volume issue rather than a shift in tactics.

It’s a small consolation, but we’ll take the wins where we can. However, we can’t ignore the fact that the number of attacks keeps increasing. The trend continues even if we believe it’s tied to the growing number of players in the game. As a result, we have to acknowledge an uncomfortable truth: operating in a connected world increases the likelihood that our organization will become a target.

So, if the likelihood of an attack is increasing, risk management tells us to take action. We need to examine how to either reduce the probability or mitigate the impact of these events. And here’s where we find our hope and build our action plan.

Two Key Vectors: Vulnerabilities and Credentials

There appear to be two primary factors contributing to many of the attacks observed in Q1 2025: the exploitation of vulnerabilities and credential compromise. You may hear these referred to as “threat vectors.” Basically:

  • How does the threat enter your environment?
  • What vector is used to gain entry?

That’s good, that gives us a starting point. If I know where they’re more likely to attack, that helps narrow the scope of where I want to start my efforts in shoring up the defenses.

Vulnerabilities and credentials aren’t rare, which means there are likely multiple options available to us. We prefer to build our defense in depth, allowing us to add layers by stacking our options. Already, we can see that the light at the end of the tunnel is getting brighter and the way out is becoming clearer.

That light at the end of the tunnel isn’t an oncoming train, after all. What else can we learn from the quarterly report?

What Targeted Attacks Reveal About Your Cybersecurity Strategy

Preferred targets. It appears that threat actors have preferred target profiles, specifically businesses or business verticals, where they tend to focus their efforts.

It makes sense. Threat actor groups operate similarly to many companies. They have an organizational structure, a business plan, and make their decisions on ROI and cost-benefit analysis. It doesn’t make sense for them to spend more on an attack than they can expect to gain, so they want to maximize their impact.

So, what are the preferred target profiles? They tend to focus on businesses that can afford little to no downtime due to operational interruption, namely the healthcare and financial services industries.

Okay, that makes sense. Both require immediate access to data and systems to support snap decision-making and analysis. They also handle higher-stakes issues, namely healthcare, where the responsibility involves human life. There is no higher stake than that. So that’s one component.

Business Models of Threat Actors

Then we see that the compromise of the business system, Cleo, seems to have thrown off the numbers a bit, due to how many of their clients were impacted by the compromise of their system.

Hmm. That feels familiar.

It wasn’t that long ago that SolarWinds was at the center of a similar compromise that led to widespread impact. Therefore, we can conclude that threat actors are prioritizing their attacks on vendors that supply utilities to a wide range of businesses, vendors that many companies rely on for their own operational functionality.

That tells me the vulnerability vector actually splits into two. One part involves vulnerabilities on my vendor’s systems, and the other involves vulnerabilities on the systems I directly control.

There probably isn’t one solution that addresses both areas. I need to treat them separately and match each with the right response. That’s good, I’m getting a lay of the land. However, it also means that I must consider all of my vendors and providers as potential threat vectors, so we’ll need to account for that as well.

Why Legacy Systems Are a Blind Spot in Cybersecurity Strategy

Then there’s this bit about “legacy” systems. What does that mean? Was the system approved because a related parent or grandparent system had already been implemented? Did it go forward mainly for that reason?

Well, no, legacy means something different here. Legacy systems typically include tools implemented long ago or championed by senior leadership. These systems usually don’t receive the support that modern systems do.

Many legacy system vendors no longer support their older products. Some offer a newer version and expect organizations to migrate to it. Others release updates or patches only in extreme cases. In some situations, the vendor is no longer in business.

Legacy systems make IT and security professionals nutty. They feel like systems running on a countdown timer to failure. The timer has been ticking for a long time. You get the sense it should have reached zero already. And, at this point, you’re operating on borrowed time.

How to Prioritize Focus Areas in Your Cybersecurity Strategy

Now that we’ve established the playing field, I can focus on determining where to apply my efforts and resources. If we look at the playing field, we start to see several critical areas take shape. The first is vendor risk management, which lays the groundwork for evaluating external dependencies. Next is inventories, which help track and manage system assets.

Vulnerability and patch management follow, ensuring that known issues are addressed in a timely manner. Identity and credential management also rise to the top, offering control over who accesses what. Finally, I want my organization to understand where it fits into the larger ecosystem, because no system operates in isolation.

That sounds like a lot, but it’s actually more straightforward than it first appears.

Mapping Your Ecosystem Connections

Let’s start with the last one: how our organization fits into the larger ecosystem. Well, the first question I need an answer to is, what exactly is it that we do here? I need to understand what our business offers and how we generate revenue. After all, that’s the whole point of a business: to make money.

  • Are we a service provider or a system supplier to other companies?
  • If that’s the case, what’s our connection to the healthcare and financial services spaces?
  • Are we a prime target because we offer threat actors a single point of entry that could gain them access to multiple endpoints?

I also need to look at this from the other end:

  • Are we dependent on healthcare or financial services to provide us with business?
  • What’s the likelihood that my organization could be collateral damage because of an attack on one of those other institutions?

I want to be able to map those connections and track them in my risk register. Then I want to ensure that this is an exercise I perform regularly, so I’m aware of any changes and can adapt accordingly.

Asset Inventory and Visibility in a Cybersecurity Strategy

Since we’re already considering external forces, let’s stay external and examine the Cleo connection. It’s not just my connections to a business vertical I need to identify and track; it’s also the vendors I use for my own operations.

What vendors or solutions are our departments using for their operations, file sharing, and online applications, such as Software as a Service (SaaS)? I also want to know what they use for databases, CRM, ERM, IT management, email, and other essential services.

That also relates to inventories. If I don’t know that a system is in use, it can’t be on my risk register, which means I’m not accounting for it when I look at my defense posture and future planning. I can’t properly plan how to attack that particular castle.

Okay, so of those vendors:

  • Which ones are prevalent, or at least, which ones are widely used by healthcare and financial services?
  • Where’s my crossover?

Those systems become a priority. Now I’m starting to compile a good list of my vulnerabilities. And now we move internally.

  • Do I know what systems are running internally?
  • How good is my asset inventory?

In other words:

  • Do I know what systems and versions are running within my environment?
  • Do I know what they’re running on, both in terms of software and hardware?

There’s a reason asset inventory consistently appears in the various best practice frameworks and standards, and it emerges early in the process. You can’t properly plan if you’re not aware of all of your assets (just ask Westley, as he plans the castle assault in The Princess Bride).

Let’s presume my asset inventory is pretty solid. How do I stay on top of their vulnerabilities? The simplest method is to regularly scan my systems using utilities that maintain a database of known vulnerabilities. These tools can generate a report, which I can then review to determine how to address them.

In many instances, vendors regularly issue patches and software updates that not only address vulnerabilities but also add or improve features. That comes under our Patch and Vulnerability Management practice.

Strengthening Vendor Due Diligence in Your Cybersecurity Strategy

I’m aware of my third-party vectors, so what else can I do? I can conduct vendor due diligence, ask them about their security practices, and assess whether I’m comfortable with the answers. You may already be doing this; it’s where our vendor questionnaires and SOC 2 reports come into play.

Many organizations are diligent about sending questionnaires and requesting SOC 2 reports, but too few actually read them. These are far more valuable than you may realize, and I cannot encourage organizations enough to actually read and review these reports.

I also want to know if the vendor provides notifications about new vulnerabilities and alerts when internal patches are available. Relying solely on online updates isn’t ideal. Clients should be alerted directly when a vulnerability is identified. That communication should also reach the general public and include clear instructions for system users.

But I can also combine efforts here. One way to protect myself within a vendor’s system is to control who is able to access my part of it, at least to the extent I can, and that means protecting my user accounts: their credentials. And since credential protection practices don’t just apply to third-party systems, I can double up for internal protections.

Making Patch Management Work in a Cybersecurity Strategy

The big one for me here is ensuring that multifactor authentication is enabled and enforced. Having it as an option at the vendor is nice. However, optional settings aren’t enough. I need to make sure it’s enforced in every case, whether through vendor controls or my own.

Then, I want to check any system I have where someone enters credentials to gain access and ensure that multifactor authentication is enabled and enforced by default. Computers, systems, VPN providers, cloud solutions—whatever it is—if you have to log in, you want to ensure there’s an MFA component.

Now, that sounds like it could get cumbersome to my users. To some extent, it might, so I need to strike a balance. Organizations can configure their systems to recognize safe activity and reduce the frequency of repeated MFA prompts. Users benefit from smoother access while maintaining security integrity. Attackers with stolen credentials still fail to log in because MFA stops them at the gate.

We’re not getting into that here, but know that it exists, and you have options there, too.

Look at the progress we’ve made already. What’s next?

Patch and vulnerability management. We have already identified it, so I want to ensure I’m doing everything I can to put my IT and security teams in a solid position to implement the program. That means resources and prioritization.

Are they comfortable, and is the business comfortable? You have to marry the two, which means both will likely need to compromise from their ideal state. You typically need to account for a system being offline, even for a brief period, to apply a patch or update. It’s just the nature of how systems apply them.

As much as you want 24/7/52 uptime for your systems, you’re going to need to budget in some downtime to allow for patching and general maintenance. There are ways to achieve both, but again, it requires resources, and we won’t delve into all of that here today.

Your patch responders are also likely to want to patch everything quickly, as soon as it’s released. Well, that’s not really feasible either. I’ll grant you downtime, but you have to grant me a window that the business determines is the least impactful to operations.

I also don’t want patches to be applied as soon as they’re released. I want to stay cutting-edge without taking unnecessary risks, so I track public response to patches and test them in controlled environments. Once they mature and I feel confident, I’ll move forward with a full rollout. So we need to ensure we’re all comfortable with the final process.

Adding Business Resilience to Your Cybersecurity Strategy

The last point we addressed in this quarterly report was a decrease in the number of companies paying ransoms. Well, that sounds good. How’d they manage that? Resilience.

Organizations have refocused their efforts on business resiliency. Backups, redundancies, restoration, and failover of all components come into play. That seems like an awful lot of effort to combat ransomware, doesn’t it?

When every other measure already substantially reduces the risk, what justification is there for additional investment in resiliency? The chance of a ransomware attack feels minimal. Well, here’s a not-so-secret secret: resilience applies beyond ransomware.

Resilience Beyond Ransomware

All organizations need to have a Business Continuity and Disaster Recovery (BC/DR) plan. Resilience is the primary focus of these plans.

  • How do I keep my business running until I can resume normal operations?
  • How do I recover my business to a state where I can resume normal operations?

Resilience plans aren’t just for ransomware; they’re for whatever negative impact my organization may face. Therefore, focusing on my business’s resilience will address multiple areas of concern.

Regardless of the threat, whether it’s ransomware or a natural disaster, I need a resilience plan. That plan often includes overlapping components, which allows me to address multiple risks at once, and that is always a plus.

Why Testing Is Critical to Any Cybersecurity Strategy

So, how do I feel about my resilience plan? When was the last time it was reviewed? When was the last time I tested it?

A plan remains theoretical unless it’s tested and proven functional. Backups are meaningless unless they’re successfully restored. System recovery becomes a reality only when it’s performed and validated. Confirmation of timing and real-world testing is essential.

Restoring just one file doesn’t prove resilience; it only creates an illusion. Entire systems must undergo full restoration. Those systems also need to meet defined recovery windows.

If you know you can’t function without a system for more than 48 hours or you’ll go out of business, that timeline becomes non-negotiable.

But if you don’t test your restoration and resilience efforts:

  • How do you know you’re meeting your timeline needs?
  • Who cares how good a resilience system you’ve built if it takes 96 hours to implement it?

You’d have had to close your doors two days before the restoration was completed, making it worthless.
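One way to turn that restore test into something a team can run and score, as an added example that is not the post's own tooling: it checks a restored tree against a hash manifest taken at backup time and times the drill against the 48-hour window the post uses. The system paths, file contents and drill durations are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List

# Recovery window from the post: the business cannot survive more than 48 hours
# without the system, so that timeline is the non-negotiable RTO.
RTO = timedelta(hours=48)


@dataclass
class RestoreVerdict:
    missing: List[str]      # in the manifest, absent after the restore
    corrupted: List[str]    # present, but content hash differs from the manifest
    elapsed: timedelta
    rto: timedelta

    @property
    def full_restore(self) -> bool:
        # One file coming back proves nothing: every manifest entry must be back, intact.
        return not self.missing and not self.corrupted

    @property
    def passed(self) -> bool:
        return self.full_restore and self.elapsed <= self.rto


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file at backup time; the restore drill is judged against this record."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes],
                   elapsed: timedelta, rto: timedelta = RTO) -> RestoreVerdict:
    """Compare the restored tree to the manifest and time the drill against the RTO."""
    missing = [p for p in manifest if p not in restored]
    corrupted = [p for p, h in manifest.items()
                 if p in restored and hashlib.sha256(restored[p]).hexdigest() != h]
    return RestoreVerdict(missing, corrupted, elapsed, rto)


# Constructed sample system (hypothetical paths and contents) as captured at backup time.
SYSTEM_AT_BACKUP = {
    "db/orders.sqlite": b"order-data-v7",
    "app/config.yml": b"listen: 443\n",
    "app/service.bin": b"\x7fELF-placeholder",
}
MANIFEST = build_manifest(SYSTEM_AT_BACKUP)


def partial_restore_drill() -> RestoreVerdict:
    # Fast, but one file never came back and the database is an older copy: the illusion.
    restored = {"app/config.yml": b"listen: 443\n", "db/orders.sqlite": b"order-data-v6"}
    return verify_restore(MANIFEST, restored, timedelta(hours=2))


def slow_full_restore_drill() -> RestoreVerdict:
    # Everything is back intact, but it took 96 hours against the 48-hour window.
    return verify_restore(MANIFEST, dict(SYSTEM_AT_BACKUP), timedelta(hours=96))


def good_restore_drill() -> RestoreVerdict:
    # Full, intact, and inside the window: the only verdict that proves the plan.
    return verify_restore(MANIFEST, dict(SYSTEM_AT_BACKUP), timedelta(hours=36))
```

Each drill function returns a verdict whose `full_restore` and `passed` flags separate "some files came back" from "the business is back inside its window".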

Final Thoughts: Cybersecurity Strategy—Back to Basics, Forward with Intent

Wow, that’s a lot covered. But I would argue it isn’t really.

In fact, everything that’s covered is all in line with what we know to be best practices anyway. It reinforces these practices and establishes our baseline when we build towards resiliency and defense.

When we take the fight forward, we take an offensive mindset to our defensive posture. All of these elements help secure our operations. When approached with the right mindset, they create an environment that allows our users to excel and meet or exceed our expectations and desires.

It all comes down to understanding that perhaps there’s nothing new to learn; instead, we should return to our basics and ensure we’re keeping up with current technologies and solutions.

But the premise is the same. It’s everything we want to be doing anyway. It’s simply a matter of identifying our assets and attacking that “castle” effectively. While our fortunes may seem bleak when we see how the attacks are trending, we can derive a lot of value from just a few simple, concerted efforts. We just have to pull on the threads.

Now we’re prepared and can plan. So go ahead. Have fun storming the castle.
