Four Steps To Managing Cyber Security Better

Uploaded on 2017-04-10 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Consulting

Around the world 2016 was a somewhat successful year for attackers and consequently a challenging year for defenders.

Organisations around the world are now more aware of the risks and know they must take deliberate steps to address the threats. But how?

While high-profile breaches are not new news, the growing list of victims including Yahoo, Wendy's, the University of Central Florida and the Bangladesh Bank illustrate the continuing threat of cyber-attacks, 2016 demonstrated that the threats are ongoing and can target every type of organisation in every industry. No sector or group is immune.

Here are four approaches that companies can embark on immediately to more effectively mitigate risks and respond to the threats that they face:

1.    Double down on the basics.

Many organisations insufficiently invest in and execute on the fundamentals or “the basics” of cyber-security, identifying the assets that they need to protect and ensuring that the most recent patches and updates have been applied shortly after vulnerabilities are announced.

Each organisation needs to answer some basic questions: What is our strategy? Who owns the responsibility? What is their specific process and plan? Without a clear framework, dedicated resources and accountability, problems are inevitable.

In 2017, every organisation should commit to a strategy and adopt a cybersecurity framework to help them more effectively understand their current level of maturity and what the desired state should be. 

A framework should help an organisation identify key assets, how those assets are going to be protected and monitored, and how they would respond and recover should a breach occur. The NIST Cybersecurity Framework (CSF) is one option that is gaining momentum and adoption, as it is designed to be within reach of any organisation regardless of their current level of cyber-security maturity.

2.    Watch and secure the supply chain.

One of the fastest growing trends in recent breaches is for attackers to gain access to their victim’s sensitive data through unsuspecting third parties. 

For example, the intrusion into the US Office of Personnel Management in 2015 that resulted in the compromise of personal information on approximately 21.5 million people began in the network of a third-party OPM contractor.

While companies need to build and execute on their own internal security programs, they cannot neglect the “extended enterprise” composed of all of the of third parties, law firms, payroll agencies, marketing firms, etc. with whom they share sensitive data or privileged relationships that can be exploited.

The growth of outsourcing and online services has blurred or completely dissolved the boundary of the traditional network. The day has arrived where it is no longer sufficient for organisations to protect themselves. They also have to actively monitor and manage the security risks of those with whom they do business.

It is important to keep in mind that the management of third party risk is increasingly becoming part of new regulations and it is certainly necessary to check with your government information concerning the cyber regulations and requirements. 

3.    Invest in employee training.

It is almost a cliché now that when a breach is announced, the company states that the attack originated from an inbound malicious email or phishing attempt. An employee opened an email from an attacker and either downloaded a malicious attachment or was tricked into revealing sensitive system passwords.

For example, Snapchat revealed in February “with real remorse and embarrassment” that attackers obtained confidential data about 700 current and former employees by tricking an employee into opening an email that impersonated the CEO and clicking on a link that installed malware.

It has been widely reported that John Podesta, Clinton campaign chief, fell victim to a phishing scheme, a fake “account reset” email purporting to be from Google.

Technical controls should be put in place to neutralise some of these attacks (such as multi-factor authentication against password theft); however, technical controls are not sufficient. 

Organisations need to educate employees on the risks and how to respond. Humans make mistakes and will click on links and fall victim to attacks. A combination of technical controls and trained employees may be able to more rapidly identify issues and respond in order to limit the damage.

Employees should learn about potential threats and how to report suspicious activity within the company. Additionally, organisations need to make sure they have a detection and recovery plan in place for when, despite the training, the mistakes happen.

4.    Track metrics and work as a team.

Effectively mitigating against cyber risks requires a collective effort. The responsibility cannot simply fall on a single individual or group.

Having established a framework, organisations should set and track benchmarks to help them assess the effectiveness of their own efforts as well as of their critical third parties. Corporate risk and information security teams should be actively involved in developing and tracking performance metrics.

Cyber-security also should be a high-priority matter at the board level. Senior leaders should actively engage the board in discussing the strategy, the initiatives and the company’s progress and performance over time against its objectives. Performance and key benchmarks should be a regular item on board meeting agendas.

Given the risks and its fiduciary responsibility, the board must understand the need for and then support the development and maintenance of a robust cybersecurity program.

Boards cannot abdicate this responsibility or simply assume that senior management is taking care of everything. History has taught us that the reputational damage and financial impact associated with failing to execute is high.

The threats will continue unabated in 2017 and defenders will continue to be challenged. Organisations will be much better positioned by taking these steps in the year ahead.

Information Management

Directors Report January 2017. Cyber Security Checklist For Management (£):

Are Employees Your Weakest Link When It Comes To Security?:

Board-level Cyber Literacy Is Low, Discomfort High:

Cybersecurity Breaches Cost UK Businesses Close To £30bn Last Year:

 

 

« Geolocation, Russian Hackers & False Flag Operations
Google Lawsuit Could Be Fatal For Uber »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clearpath Solutions Group

Clearpath Solutions Group

Clearpath Solutions Group expertise covers virtualization and data storage technologies, networking, security and cloud computing.

ACI Worldwide

ACI Worldwide

ACI Worldwide powers electronic payments for more than 5,000 organizations around the world.

Cloudmark

Cloudmark

Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world’s inboxes from wide-scale and targeted email threats.

Seric Systems

Seric Systems

Seric is a technology business specialising in security, infrastructure and data management.

u-blox

u-blox

u-blox deliver leading wireless technology to reliably and securely locate and connect people and devices.

TAC Security (TAC Infosec)

TAC Security (TAC Infosec)

TAC Security (aka TAC Infosec) is a leading and trusted cyber security consulting partner that specializes in securing the IT infrastructure and assets of enterprises.

BIO-key

BIO-key

BIO-key is a pioneer and innovator, we are recognized as a leading developer of fingerprint biometric authentication and security solutions.

Consistec Engineering & Consulting

Consistec Engineering & Consulting

Consistec Engineering & Consulting GmbH is an information technology and services company offering solutions for monitoring the security of IT and OT infrastructure.

Digitpol

Digitpol

Digitpol’s Cyber Crime Investigation experts investigate hacking incidents, ransomware, extortion and conduct security audits and IT upgrades.

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP (MIT ESP)

MillenniumIT ESP provides solutions and services around Core Infrastructure, Cloud, Cyber Security, Enterprise Applications, Intelligent Automation and Data, Smart Buildings, and Managed Services.

Perygee

Perygee

Perygee is a fully integrated platform for operational security. Companies depend on Perygee to identify and streamline the most important security practices for their operations.

ITSEC Asia

ITSEC Asia

ITSEC Asia works to effectively reduce exposure to information security threats and improve the effectiveness of its clients' information security management systems.

GLIMPS

GLIMPS

GLIMPS-Malware automatically detects malware affecting standard computer systems, manufacturing systems, IOT or automotive domains.

Borwell

Borwell

Borwell delivers software and IT solutions to the UK MoD and to UK Government departments, which are secure by design.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

Sublime Security

Sublime Security

Sublime is an adaptive email security platform that combines best-in-class effectiveness with unprecedented visibility and control.