Cyberattacks surged in Q1 2025, setting new records and leaving CISOs exhausted by yet another uptick in threat activity. But behind the bleak headlines lies opportunity: a chance to recalibrate your cybersecurity strategy and regain control.
Reframing the Cybersecurity Strategy When the Numbers Look Grim
It’s simple to look at the initial numbers comparing Q1 2025 to Q4 2024 and see that the number of attacks increased, again. It’s also clear that we set a new record for most attacks in a quarter, again. And when faced with that, it’s fair to wonder, what’s the point?
It feels like every step we take, every move we make, they’re watching us (now you’re humming the tune) and adjusting, constantly gaining the advantage. The pressure to keep up makes it easy to adopt a defeatist attitude and just forge ahead, focusing only on what seems best for the business. As a result, security projects often get pushed aside because the effort just doesn’t seem to make a dent.
On the surface, our prospects seem grim. Indeed, witnessing the scope of attacks, along with a rising number of threat groups, often triggers a strong emotional response. That kind of pressure can lead to the urge to step back and redirect our efforts toward other priorities.
However, the real value lies beneath these numbers. The tactics, techniques, and procedures employed by the attackers provide us with valuable lessons to learn from. In this case, going toward the light is precisely what we should do.
A Cybersecurity Strategy Starts by Acknowledging the Threat Landscape
First things first, let’s get the “negative” out of the way. You can’t plan until you know what you’re up against, so you need to see the whole board and then see where you can gain an advantage. The increase in the number of attackers would logically lead to a rise in the number of attacks. It may simply be that the attack rate reflects a volume issue rather than a shift in tactics.
It’s a small consolation, but we’ll take the wins where we can. However, we can’t ignore the fact that the number of attacks continues to increase. The trend continues even if we believe it’s tied to the growing number of players in the game. As a result, we have to acknowledge an uncomfortable truth: operating in a connected world increases the likelihood that our organization will become a target.
So, if the odds of an attack are increasing in likelihood, risk management tells us to take action. We need to examine how to either reduce the probability or mitigate the impact of these events. And here’s where we find our hope and build our action plan.
Two Key Vectors: Vulnerabilities and Credentials
There appear to be two primary factors contributing to many of the attacks observed in Q1 2025: the exploitation of vulnerabilities and credential compromise. You may hear these referred to as “threat vectors.” Basically:
- How does the threat enter your environment?
- What vector is used to gain entry?
That’s good; that gives us a starting point. If I know where they’re more likely to attack, that helps narrow the scope of where I want to start my efforts to shore up the defenses.
Vulnerabilities and credentials aren’t rare, which means there are likely multiple options available to us. We prefer to build our defense in depth, allowing us to add layers by stacking our options. Already, we can see that the light at the end of the tunnel is getting brighter and the way out is becoming clearer.
That light at the end of the tunnel isn’t an oncoming train, after all. What else can we learn from the quarterly report?
What Targeted Attacks Reveal About Your Cybersecurity Strategy
Preferred targets. It appears that threat actors have preferred target profiles, specifically businesses or business verticals, where they tend to focus their efforts.
It makes sense. Threat actor groups operate similarly to many companies. They have an organizational structure, a business plan, and make their decisions on ROI and cost-benefit analysis. It doesn’t make sense for them to spend more on an attack than they can expect to gain, so they want to maximize their impact.
So, what are the preferred target profiles? They tend to focus on businesses that can afford little to no downtime due to operational interruption, namely the healthcare and financial services industries.
Okay, that makes sense. Both require immediate access to data and systems to support snap decision-making and analysis. They also handle higher-stakes issues, healthcare especially, where the responsibility involves human life. There is no higher stake than that. So that’s one component.
Business Models of Threat Actors
Then we see that the compromise of the Cleo business system seems to have skewed the numbers a bit, because so many of Cleo’s clients were impacted by the compromise.
Hmm. That feels familiar.
It wasn’t that long ago that SolarWinds was at the center of a similar compromise that led to widespread impact. Therefore, we can conclude that threat actors are prioritizing their attacks on vendors that supply utilities to a wide range of businesses.
These are vendors that many companies rely on for their own operational functionality. That tells me the vulnerability vector actually splits in two: one part involves vulnerabilities on my vendors’ systems, and the other involves vulnerabilities on the systems I directly control.
There probably isn’t one solution that addresses both areas. I need to treat them separately and match each with the right response. That’s good, I’m getting a lay of the land. However, it also means that I must consider all of my vendors and providers as potential threat vectors, so we’ll need to account for that as well.
Why Legacy Systems Are a Blind Spot in Cybersecurity Strategy
Then there’s this bit about “legacy” systems. What does that mean? Was the system approved because a related parent or grandparent system had already been implemented? Did it go forward mainly for that reason?
Well, no, legacy means something different here. Legacy systems typically include tools implemented long ago or championed by senior leadership, and they usually don’t receive the support that modern systems do.
Many legacy system vendors no longer support their older products. Some offer a newer version and expect organizations to migrate to it. Others release updates or patches only in extreme cases. In some situations, the vendor is no longer in business.
Legacy systems make IT and security professionals nutty. They feel like systems running on a countdown timer to failure. The timer has been ticking for a long time; you get the sense it should have reached zero already, and at this point you’re operating on borrowed time.
How to Prioritize Focus Areas in Your Cybersecurity Strategy
Now that we’ve established the playing field, I can focus on determining where to apply my efforts and resources. If we look at the playing field, we start to see several critical areas take shape. The first is vendor risk management, which lays the groundwork for evaluating external dependencies. Next is inventories, which help track and manage system assets.
Vulnerability and patch management follow, ensuring that known issues are addressed in a timely manner. Identity and credential management also rise to the top, offering control over who accesses what. Finally, I want my organization to understand where it fits into the larger ecosystem, because no system operates in isolation.
That sounds like a lot, but it’s actually more straightforward than it first appears.
Mapping Your Ecosystem Connections
Let’s start with the last one: how our organization fits into the larger ecosystem. Well, the first question I need an answer to is, what exactly is it that we do here? I need to understand what our business offers and how we generate revenue. After all, that’s the whole point of a business: to make money.
- Are we a service provider or a system supplier to other companies?
- If that’s the case, what’s our connection to the healthcare and financial services spaces?
- Are we a prime target because we offer threat actors a single point of entry that could gain them access to multiple endpoints?
I also need to look at this from the other end:
- Are we dependent on healthcare or financial services to provide us with business?
- What’s the likelihood that my organization could be collateral damage because of an attack on one of those other institutions?
I want to be able to map those connections and track them in my risk register. Then I want to ensure that this is an exercise I perform regularly, so I’m aware of any changes and can adapt accordingly.
Asset Inventory and Visibility in a Cybersecurity Strategy
Since we’re already considering external forces, let’s stay external and examine the Cleo connection. It’s not just my connections to a business vertical I need to identify and track; it’s also the vendors I use for my own operations.
What vendors or solutions are our departments using for their operations, file sharing, and online applications, such as Software as a Service (SaaS)? I also want to know what they use for databases, CRM, ERM, IT management, email, and other essential services.
That also relates to inventories. If I don’t know that a system is in use, it can’t be on my risk register, which means I’m not accounting for it when I look at my defense posture and future planning. I can’t properly plan how to attack that particular castle.
Okay, so of those vendors:
- Which ones are prevalent, or at least, which ones are widely used by healthcare and financial services?
- Where’s my crossover?
Those systems become a priority. Now I’m starting to compile a good list of my vulnerabilities. And now we move internally.
- Do I know what systems are running internally?
- How good is my asset inventory?
In other words:
- Do I know what systems and versions are running within my environment?
- Do I know what they’re running on, both in terms of software and hardware?
There’s a reason asset inventory consistently appears, and appears early, in best-practice frameworks and standards. You can’t properly plan if you’re not aware of all of your assets (just ask Westley, as he plans the castle assault in The Princess Bride).
Let’s presume my asset inventory is pretty solid. How do I stay on top of their vulnerabilities? The simplest method is to regularly scan my systems using utilities that maintain a database of known vulnerabilities. These tools can generate a report, which I can then review to determine how to address the findings.
In many instances, vendors regularly issue patches and software updates that not only address vulnerabilities but also add or improve features. That comes under our Patch and Vulnerability Management practice.
Strengthening Vendor Due Diligence in Your Cybersecurity Strategy
I’m aware of my third-party vectors, so what else can I do? I can conduct vendor due diligence, ask them about their security practices, and assess whether I’m comfortable with the answers. You may already be doing this; it’s where our vendor questionnaires and SOC 2 reports come into play.
Many organizations are diligent about sending questionnaires and requesting SOC 2 reports, but too few actually read them. These are far more valuable than you may realize, and I cannot encourage organizations enough to actually read and review these reports.
I also want to know if the vendor provides notifications about new vulnerabilities and alerts when internal patches are available. Relying solely on online updates isn’t ideal. Clients should be alerted directly when a vulnerability is identified. That communication should also reach the general public and include clear instructions for system users.
But I can also combine efforts here. One way to protect myself within a vendor’s system is to control who is able to access my part of it, to the best extent I can, and that means protecting my user accounts and their credentials. And since credential protection practices don’t just apply to third-party systems, I can double up for internal protections.
Making Patch Management Work in a Cybersecurity Strategy
The big one for me here is ensuring that multifactor authentication is enabled and enforced. Having it as an option at the vendor is nice. However, optional settings aren’t enough. I need to make sure it’s enforced in every case, whether through vendor controls or my own.
Then, I want to check any system I have where someone enters credentials to gain access and ensure that multifactor authentication is enabled and enforced by default. Computers, systems, VPN providers, cloud solutions, whatever it is: if you have to log in, you want to ensure there’s an MFA component.
Now, that sounds like it could get cumbersome to my users. To some extent, it might, so I need to strike a balance. Organizations can configure their systems to recognize safe activity and reduce the frequency of repeated MFA prompts. Users benefit from smoother access while maintaining security integrity. Attackers with stolen credentials still fail to log in because MFA stops them at the gate.
We’re not getting into that here, but know that it exists, and you have options there, too.
Look at the progress we’ve made already. What’s next?
Patch and vulnerability management. We have already identified it, so I want to ensure I’m doing everything I can to put my IT and security teams in a solid position to implement the program. That means resources and prioritization.
Are they comfortable, and is the business comfortable? You have to marry the two, which means both will likely need to compromise from their ideal state. You typically need to account for a system being offline, even for a brief period, to apply a patch or update. It’s just the nature of how systems apply them.
As much as you want 24/7/52 uptime for your systems, you’re going to need to budget in some downtime to allow for patching and general maintenance. There are ways to achieve both, but again, it requires resources, and we won’t delve into all of that here today.
Your patch responders are also likely to want to patch everything quickly, as soon as it’s released. Well, that’s not really feasible either. I’ll grant you downtime, but you have to grant me a window that the business determines is the least impactful to operations.
I also don’t want patches to be applied as soon as they’re released. I want to stay cutting-edge without taking unnecessary risks, so I track public response to patches and test them in controlled environments. Once they mature and I feel confident, I’ll move forward with a full rollout. So we need to ensure we’re all comfortable with the final process.
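The rollout gate described above, as an added example that is not part of the original post: a patch goes to full rollout only once it has passed the controlled test environment, has been public long enough without reported regressions, and can be deployed in a business-approved maintenance window. The maturation period, the public-issue count and the window definitions are assumptions.

```python
"""Patch rollout gating modelled on the process described in the post.
Added example; the policy inputs and sample patches are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Patch:
    name: str
    released: datetime      # vendor release time
    tested_ok: bool         # passed in the controlled test environment
    public_issues: int      # regressions reported publicly (constructed metric)

@dataclass
class Policy:
    maturation_days: int    # minimum time a patch must be public before rollout
    max_public_issues: int  # tolerate at most this many reported regressions
    windows: list           # (weekday, start_hour, end_hour); weekday 0 = Monday

def is_mature(patch, policy, now):
    """Mature once public long enough and the public response looks clean."""
    old_enough = now - patch.released >= timedelta(days=policy.maturation_days)
    return old_enough and patch.public_issues <= policy.max_public_issues

def next_window(policy, now):
    """Start of the first business-approved maintenance window at or after now."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    candidates = []
    for offset in range(8):                  # look one week ahead
        day = midnight + timedelta(days=offset)
        for weekday, start_h, end_h in policy.windows:
            if day.weekday() != weekday:
                continue
            start, end = day.replace(hour=start_h), day.replace(hour=end_h)
            if now < end:                    # window still open or upcoming
                candidates.append(max(start, now))
    return min(candidates) if candidates else None

def schedule(patch, policy, now):
    """Return (decision, slot, reason); slot is None unless decision is 'rollout'."""
    if not patch.tested_ok:
        return ("hold", None, "not yet passed in the test environment")
    if not is_mature(patch, policy, now):
        return ("hold", None, "not yet mature: too new or too many public issues")
    slot = next_window(policy, now)
    if slot is None:
        return ("hold", None, "no maintenance window defined by the business")
    return ("rollout", slot, "tested and mature; deploy in the business window")

# Constructed sample data: Sunday 02:00-06:00 window, 14-day maturation.
SAMPLE_NOW = datetime(2025, 5, 7, 10, 0)     # a Wednesday
SAMPLE_POLICY = Policy(14, 0, [(6, 2, 6)])
SAMPLE_PATCHES = [
    Patch("vpn-gateway-update", datetime(2025, 4, 20), True, 0),
    Patch("erp-hotfix", datetime(2025, 5, 1), True, 0),
    Patch("db-cumulative-update", datetime(2025, 4, 1), False, 0),
]

def demo():
    """Decision for each constructed patch as of SAMPLE_NOW."""
    return {p.name: schedule(p, SAMPLE_POLICY, SAMPLE_NOW) for p in SAMPLE_PATCHES}
```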
Adding Business Resilience to Your Cybersecurity Strategy
The last point we addressed in this quarterly report was a decrease in the number of companies paying ransoms. Well, that sounds good. How’d they manage that? Resilience.
Organizations have refocused their efforts on business resiliency. Backups, redundancies, restoration, and failover of all components come into play. That seems like an awful lot of effort to combat ransomware, doesn’t it?
When every other measure already substantially reduces the risk, what justification is there for additional investment in resiliency? The chance of a ransomware attack feels minimal. Well, here’s a not-so-secret secret: resilience applies beyond ransomware.
Resilience Beyond Ransomware
All organizations need to have a Business Continuity and Disaster Recovery (BC/DR) plan. Resilience is the primary focus of these plans.
- How do I keep my business running until I can resume normal operations?
- How do I recover my business to a state where I can resume normal operations?
Resilience plans aren’t just for ransomware; they’re for whatever negative impact my organization may face. Therefore, focusing on my business’s resilience will address multiple areas of concern.
Regardless of the threat, whether it’s ransomware or a natural disaster, I need a resilience plan. That plan often includes overlapping components, which allows me to address multiple risks at once, and that is always a plus.
Why Testing Is Critical to Any Cybersecurity Strategy
So, how do I feel about my resilience plan? When was the last time it was reviewed? When was the last time I tested it?
A plan remains theoretical unless it’s tested and proven functional. Backups are meaningless unless they’re successfully restored. System recovery becomes a reality only when it’s performed and validated. Confirmation of timing and real-world testing is essential.
Restoring just one file doesn’t prove resilience; it only creates an illusion. Entire systems must undergo full restoration. Those systems also need to meet defined recovery windows.
If you know you can’t function without a system for more than 48 hours or you’ll go out of business, that timeline becomes non-negotiable.
But if you don’t test your restoration and resilience efforts:
- How do you know you’re meeting your timeline needs?
- Who cares how good a resilience system you’ve built if it takes 96 hours to implement it?
You’d have had to close your doors two days before the restoration was completed, making it worthless.
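The restore-test checks described in this section, as an added example that is not part of the original post: a test counts as evidence only if it was a full-system restore, was validated, finished inside the recovery window the business defined, and is not stale. The record format, the one-year re-test interval and the sample test log are constructed assumptions; the 96-hour restore against a 48-hour window mirrors the post's own scenario.

```python
"""Evaluate restore-test evidence against defined recovery windows.
Added example; the record format and sample records are constructed."""
from dataclasses import dataclass
from datetime import date

@dataclass
class RestoreTest:
    system: str
    rto_hours: float        # maximum tolerable outage the business defined
    scope: str              # "full_system" or "single_file"
    validated: bool         # restored system was exercised, not just powered on
    duration_hours: float   # wall-clock time from decision to validated service
    tested_on: date

MAX_TEST_AGE_DAYS = 365     # assumption: evidence older than a year is stale

def evaluate(test, today):
    """Return findings; an empty list means the test is credible evidence."""
    findings = []
    if test.scope != "full_system":
        findings.append("partial restore only; full-system restore required")
    if not test.validated:
        findings.append("restore not validated against a real workload")
    if test.duration_hours > test.rto_hours:
        findings.append(f"restore took {test.duration_hours}h, exceeds RTO of {test.rto_hours}h")
    if (today - test.tested_on).days > MAX_TEST_AGE_DAYS:
        findings.append("test evidence is stale; re-test required")
    return findings

def report(tests, today):
    """Map each system to its findings so gaps in the resilience plan stand out."""
    return {t.system: evaluate(t, today) for t in tests}

# Constructed sample records (not real data).
TODAY = date(2025, 5, 1)
SAMPLE_TESTS = [
    RestoreTest("billing-db", 48, "full_system", True, 96, date(2025, 2, 10)),
    RestoreTest("patient-portal", 24, "single_file", True, 0.5, date(2025, 3, 1)),
    RestoreTest("file-share", 72, "full_system", True, 36, date(2025, 4, 15)),
    RestoreTest("erp", 48, "full_system", False, 20, date(2023, 6, 1)),
]

if __name__ == "__main__":
    for system, findings in report(SAMPLE_TESTS, TODAY).items():
        print(system, "OK" if not findings else "; ".join(findings))
```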
Final Thoughts: Cybersecurity Strategy—Back to Basics, Forward with Intent
Wow, that’s a lot covered. But I would argue it isn’t really.
In fact, everything that’s covered is all in line with what we know to be best practices anyway. It reinforces these practices and establishes our baseline when we build towards resiliency and defense.
When we take the fight forward, we take an offensive mindset to our defensive posture. All of these elements help secure our operations. When approached with the right mindset, they create an environment that allows our users to excel and meet or exceed our expectations and desires.
It all comes down to understanding that perhaps there’s nothing new to learn; instead, we should return to our basics and ensure we’re keeping up with current technologies and solutions.
But the premise is the same. It’s everything we want to be doing anyway. It’s simply a matter of identifying our assets and attacking that “castle” effectively. While our fortunes may seem bleak when we see how the attacks are trending, we can derive a lot of value from just a few simple, concerted efforts. We just have to pull on the threads.
Now we’re prepared and can plan. So go ahead. Have fun storming the castle.