Updated: Apr 5
How well does your organization detect and monitor potential cyber threats? Malicious actors are constantly developing new forms of attack, so you must regularly validate what your detection and monitoring actually covers rather than assume you are defended.
To help assess your cybersecurity program, ask the following questions to better understand your detection and monitoring capabilities.
#1 - Is your network monitored for cyber threats 24x7x365?
Round-the-clock monitoring is critical because threat actors deliberately operate after working hours, on weekends, and over holidays, when they know many organizations are not watching. Once an attacker has a foothold, moving to full compromise and data exfiltration can take a matter of hours, sometimes less, so every hour of unmonitored time raises the risk that a breach completes before anyone notices.
#2 - What cyber threats are being monitored in your systems?
Ask your IT department which threats are actually being detected and responded to. IT teams are usually measured on system health and uptime, so understanding current threat activity and maintaining up-to-date detections is rarely their priority. At a minimum, you should be monitoring user phishing reports, endpoint detection (EDR) alerts, anomalous user behavior and login activity, anomalous network and perimeter activity, and both internal and external scanning.
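To make the monitoring baseline above concrete, here is an added example (not the page's or any vendor's code) that runs three of the listed detections over constructed log lines: an off-hours login, which is the activity the 24x7 question is about, a successful login after a burst of failures from the same source, and an internal port sweep. The log line formats, the business-hours window, and the thresholds are assumptions chosen for the sample data; in practice these rules would be fed from an identity provider, EDR or firewall log source and tuned to the environment's baseline.

```python
"""Toy detections for the monitoring baseline above (added example, not the page's code).

Log formats, thresholds and the business-hours window are assumptions chosen
for the constructed sample data below; a real deployment would feed these rules
from an EDR, IdP or firewall log source and tune the thresholds to its baseline.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

# Hypothetical line formats: an authentication event and a firewall event.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$")

BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 UTC, Monday to Friday
FAIL_THRESHOLD = 5              # assumed: failures from one source before a success counts as brute force
SCAN_PORT_THRESHOLD = 10        # assumed: distinct (dst, port) pairs from one source counts as a scan

Alert = namedtuple("Alert", "kind src user ts")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect(lines):
    """Run three detections over log lines and return the alerts in the order raised."""
    alerts = []
    failures = defaultdict(int)   # src -> consecutive authentication failures
    targets = defaultdict(set)    # src -> distinct (dst, dport) pairs it has touched
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, user, src = parse_ts(m["ts"]), m["user"], m["src"]
            if m["result"] == "failure":
                failures[src] += 1
                continue
            # Anomalous login: a success following a burst of failures from the same source.
            if failures[src] >= FAIL_THRESHOLD:
                alerts.append(Alert("brute_force_success", src, user, ts))
            failures[src] = 0
            # Off-hours login: weekend, or outside the assumed business-hours window.
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert("off_hours_login", src, user, ts))
            continue
        m = FW_RE.match(line)
        if m:
            targets[m["src"]].add((m["dst"], int(m["dport"])))
            # Internal scanning: fire once, at the moment the source crosses the threshold.
            if len(targets[m["src"]]) == SCAN_PORT_THRESHOLD:
                alerts.append(Alert("internal_port_scan", m["src"], None, parse_ts(m["ts"])))
        # Lines matching neither format are ignored here; a real pipeline would count them.
    return alerts

# Constructed sample log: a Saturday 02:14 login, a normal Monday login, a brute-force
# burst followed by success, a ten-port sweep from one internal host, and a benign hit.
SAMPLE_LOG = (
    ["2024-03-09T02:14:07Z auth user=alice src=203.0.113.7 result=success",
     "2024-03-11T10:00:00Z auth user=carol src=203.0.113.9 result=success"]
    + [f"2024-03-11T10:0{i}:00Z auth user=bob src=198.51.100.4 result=failure" for i in range(5)]
    + ["2024-03-11T10:05:30Z auth user=bob src=198.51.100.4 result=success"]
    + [f"2024-03-11T10:06:{p % 60:02d}Z fw src=10.0.0.5 dst=10.0.0.9 dport={p} action=deny"
       for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)]
    + ["2024-03-11T10:07:00Z fw src=10.0.0.6 dst=10.0.0.9 dport=443 action=allow"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M}Z {a.kind:22} src={a.src} user={a.user}")
```

Running it against the sample produces three alerts: the Saturday login by alice, bob's success after five failures, and the sweep from 10.0.0.5. Carol's weekday login and the single benign firewall hit raise nothing, which is the point of the thresholds: a detection that fires on every login or every denied packet is one that nobody reads.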
#3 - How are phishing events detected, reported, and responded to?
Phishing remains one of the most common ways threat actors gain initial access to an organization. Every organization should give users an easy way to report suspected phishing emails, and a response team should be ready to act on verified phishing threats in near real time, for example by purging the message from other mailboxes, blocking the sender, and resetting any credentials that were entered.
#4 - Who is responsible for investigating cyber threats?
It is important to have clear accountability for investigating cyber threats. Cyber monitoring and investigation should be handled by trained, ideally certified, security staff whose priority is reducing cyber risk. For IT professionals, availability of systems is usually the priority, which means security monitoring tends to take a back seat.
#5 - How long does it take to investigate cyber threats?
Responding to cyber threats is a race against time. Any threat monitoring provider should be able to report how long it takes to investigate detected threats, for example the mean or median time from detection to acknowledgement and from detection to closure. The longer an alert waits, the higher the risk that a minor detection turns into a critical compromise.
#6 - What percentage of detected threats are being responded to?
Alert volumes can be extremely high, and overwhelmed IT teams report that competing priorities lead to alerts being missed or ignored. Every alert should be triaged promptly so that real risk is identified, and the outcome of each triage should feed back into tuning so that recurring false positives are suppressed rather than left to drown out genuine detections.
#7 - If a cybersecurity breach is discovered, who is notified and how?
To successfully combat threat actors, organizations should have an incident response plan with clear escalation and notification procedures. If monitoring is outsourced, vendors should have clear escalation and reporting SLAs to ensure that identified risks are responded to appropriately.
#8 - Who is responsible for incident handling and remediation?
When an incident does occur, organizations often struggle with what to do and who is in charge. It is important to know the extent of what your IT provider will handle and what responsibilities fall on your team. The incident response plan should document clear roles and processes so that the organization is able to respond quickly and efficiently.
#9 - Do you provide weekly security reporting?
Security vendors should provide regular reporting that shows alerts are being investigated and responded to in a timely manner. Hold vendors accountable for transparency on investigation volume, response time, handling time, and outcomes (true positive, false positive, escalated).
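Questions 5, 6 and 9 all come down to the same handful of numbers, so here is an added example (not the page's or any vendor's code) that computes them from a week of alert records: percentage acknowledged and closed, mean and median time to acknowledge and to close, false-positive rate, and SLA breaches. The record schema, the per-severity acknowledgement SLAs, and the five sample alerts are constructed for this illustration; substitute an export from your SIEM or ticketing system and your contractual SLAs. Note the edge case it handles: an alert nobody has touched is measured against the current time, otherwise ignored alerts silently improve the averages, which is exactly the failure question 6 is probing for.

```python
"""SOC metrics for questions 5, 6 and 9 (added example, not the page's code).

The alert record schema, the acknowledgement SLAs and the sample alerts are all
assumptions constructed for this illustration; substitute your SIEM or ticketing
export and your contractual SLAs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

@dataclass
class AlertRecord:
    id: str
    severity: str                     # "critical" | "high" | "medium" | "low"
    detected: datetime
    acknowledged: Optional[datetime]  # None = never triaged
    closed: Optional[datetime]        # None = still open
    outcome: Optional[str]            # "true_positive" | "false_positive" | None while open

# Assumed acknowledgement SLA per severity, in minutes.
SLA_ACK_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}

def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60

def pct(part: int, whole: int) -> float:
    return round(100 * part / whole, 1) if whole else 0.0

def weekly_report(alerts, now):
    """Summarise triage performance; `now` is used to age alerts that were never acknowledged."""
    acked = [a for a in alerts if a.acknowledged]
    closed = [a for a in alerts if a.closed]
    time_to_ack = [minutes(a.acknowledged - a.detected) for a in acked]
    time_to_close = [minutes(a.closed - a.detected) for a in closed]
    false_positives = sum(1 for a in closed if a.outcome == "false_positive")
    # An alert nobody has touched is still breaching its SLA: measure it against `now`,
    # otherwise ignored alerts drop out of the statistics and make the numbers look better.
    breaches = [a.id for a in alerts
                if minutes((a.acknowledged or now) - a.detected) > SLA_ACK_MINUTES[a.severity]]
    return {
        "alerts": len(alerts),
        "pct_acknowledged": pct(len(acked), len(alerts)),
        "pct_closed": pct(len(closed), len(alerts)),
        "mean_ack_min": mean(time_to_ack) if time_to_ack else None,
        "median_ack_min": median(time_to_ack) if time_to_ack else None,
        "mean_close_min": mean(time_to_close) if time_to_close else None,
        "median_close_min": median(time_to_close) if time_to_close else None,
        "false_positive_pct": pct(false_positives, len(closed)),
        "sla_breaches": breaches,
        "never_acknowledged": [a.id for a in alerts if not a.acknowledged],
    }

T0 = datetime(2024, 3, 11, 9, 0)
def at(m): return T0 + timedelta(minutes=m)

# Constructed sample: five alerts from one week, including a critical alert acknowledged
# late (A2) and a high-severity alert that was never picked up (A5).
SAMPLE_ALERTS = [
    AlertRecord("A1", "critical", at(0),  at(10),  at(70),  "true_positive"),
    AlertRecord("A2", "critical", at(5),  at(45),  at(120), "true_positive"),
    AlertRecord("A3", "high",     at(10), at(30),  at(90),  "false_positive"),
    AlertRecord("A4", "medium",   at(20), at(200), at(260), "false_positive"),
    AlertRecord("A5", "high",     at(30), None,    None,    None),
]

if __name__ == "__main__":
    for k, v in weekly_report(SAMPLE_ALERTS, now=at(300)).items():
        print(f"{k:20} {v}")
```

On the sample, 80% of alerts were acknowledged and closed, median time to acknowledge was 30 minutes against a mean of 62.5 (one slow medium-severity alert skews the mean, which is why both are reported), half of the closed alerts were false positives, and two alerts breached SLA: A2 because it was acknowledged late, and A5 because it was never acknowledged at all. A vendor report that omits the "never acknowledged" column is the one to push back on.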
#10 - What standards are being used to measure your cybersecurity strength?
For organizations that choose to outsource IT, it is important that vendors work within a recognized security framework rather than ad hoc practices. IT vendors should be able to state which security framework their people, processes, and technology align to, and show evidence of it.