Practical Tips for Prioritizing Your 2024 Cybersecurity Improvements

This time of year, many organizations are prioritizing their cybersecurity planning and budgeting for next year. The cybersecurity threats that organizations have faced in the last year have been substantial, and it can be hard to determine what to prioritize. One way to start is to consider the top threats from this year and decide how your program should evolve to counter these new threats. Let’s look at a few high-level strategic guideposts to help your planning process. 

Cyber Threat Trends Can Help Guide Your Cybersecurity Planning 

One way to focus your planning is to consider today’s top threats, so let’s look at a case study of this year’s data breaches and consider the cybersecurity planning takeaway. In 2023, over 130 organizations were breached because of a zero-day vulnerability in the GoAnywhere software they used for secure file transfers. Companies like Proctor & Gamble, Crown Resorts, and others lost data in an attack that could have easily been prevented by placing this asset behind a firewall and blocking it from internet access. This would have likely prevented criminals from breaking into their data, even with GoAnywhere’s zero-day vulnerability. 

What can we learn from this example for cybersecurity planning? The GoAnywhere vulnerability illustrates the need for regular penetration testing to uncover these types of security risks, help you understand your security gaps, and improve your organization’s security posture. Yet with so many threat vectors to consider and many possible ways to reduce risk, it can be hard to construct a clear, prioritized plan. Below are a few strategic suggestions for how to select and prioritize your projects, recommendations for impactful initiatives, and tips for creating a successful cybersecurity plan.  

What to Consider in your Cybersecurity Plan 

1. Consider Risk: Cybersecurity program development and management should be structured based on risk. Identify what you need to protect (i.e., sensitive data, critical systems) and potential threats. Since risk is a combination of likelihood and impact, those are the two levers you can use to reduce your overall risk. Cybersecurity projects and initiatives can be thought of through this lens to support prioritization. 

• For example, phishing emails remain a top threat to all organizations. Ongoing security awareness training and regular phishing tests can reduce the likelihood that phishing will be the source of a security incident for your organization. Training is also a budget-friendly initiative, so there is rarely a good reason to put it off. 
• Similarly, attack surface monitoring is a valuable tool to prevent security breaches. Ongoing monitoring gives your team visibility to your exposure, allowing them to act quickly on any identified vulnerabilities or configuration errors. 
• To reduce the potential impact of an incident, tighten up your role-based access management, review privileged accounts for any no longer needed, or review your network segmentation strategy to limit the spread of ransomware or other malware. 

I suggest reading our Top Cybersecurity Controls of 2023 report for guidance on what to prioritize in your cybersecurity planning. The other option is to consider adding a Virtual CISO to your team. These fractional CISOs have deep cybersecurity experience and can help you prioritize your cybersecurity planning to ensure you maximize your risk reduction and have a multi-year security maturity plan. You can also conduct a risk assessment to gain a better understanding of any security gaps. For more tips on how to apply a risk-based approach to your security activities, see my previous blog on what to do after your cyber risk assessment. 

2. Leverage Existing Resources: As you consider your cybersecurity planning priorities, be sure to review any existing resources or repositories to plan your next steps. These may include: 

• Previous reports from technical testing or risk or controls assessments 
• An internal risk management tracking tool or spreadsheet 
• Any requirements provided by your cyber insurer 
• Records from previous incidents that may point to root cause or have remediation needs noted from the lessons learned 
• Projects in progress: In some cases, starting a cybersecurity project may get you some risk reduction benefits, but consider if you have done enough to get the intended risk reduction and benefit you are seeking. 
  • For example, devote more time to tuning a monitoring tool for maximum benefit, or pursue more training on a tool or system—or expand training to others on the team for better coverage.
  • Another example is dusting off a draft incident response plan to finalize it and share with the full team for training and testing. 

3. Focus on Top Threats: Earlier this month, LMG posted a blog on 2023 Cyberattack Trends. Review the list to consider which threats seem most relevant to your environment, then identify controls or activities to counteract the threat. Based on current threat trends, our team also selects one top cybersecurity control each quarter that will help counter current threat trends. For 2023 so far, these controls have been identity and access management, skilled cybersecurity leadership, and attack surface monitoring. If you don’t have these controls in place, these are some great places to start! Remember to check out our Top Controls Reports every quarter for updates on which controls will be most beneficial to counter today’s top threats.  

• If you don’t already have key controls and activities that are foundational to any cybersecurity program in place, consider prioritizing them. Top choices you should consider in your cybersecurity planning process include user training, regular vulnerability scans, consistent patch management, and strong authentication practices, such as long password requirements and multifactor authentication. 
  • Tip: Don’t pick too many priorities! Be realistic with your plan. Often it is good to focus time and resources on your top 1-2 initiatives, then add more once those have been completed.
• For organizations in the earlier stages of setting up a security program, I used a previous blog to describe 10 key areas to consider, with tips on approaching what can seem like a daunting project. 

We hope you found this information on cybersecurity planning helpful! If you are looking for personalized advice on what to prioritize, contact LMG Security for a complimentary 2024 Cybersecurity Planning Session. Our team will share top threats and recommendations, ask some questions about your current tech stack, then discuss suggestions relevant to your organization’s environment and interests. There’s no pressure and no obligations, just honest advice for current customers and members of our LMG community. Don’t hesitate to reach out if you’d like a little guidance on your cybersecurity planning!