What Does a Cyber Security Strategy Look Like?

Uploaded on 2016-01-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Consulting

Have people at the board and all levels that own the cyber security problem, its implementation and response.

Understand your adversary and how they will attack you. Know your systems, all its end points, and all of its vulnerabilities. Have proactive intelligence on who is scanning you and try to identify why. Understand what normal looks like so you can spot abnormalities. Build trust groups internally and externally to understand your threat vectors and changes in attack methodologies, as well as exchanging ideas and best practice.

Identify and isolate what is important to you, such as your IPR (Intellectual Property Rights), customer data, financial data, etc.

Review current access and limit access to sensitive data to only those who actually need to access it and need to know the content. Not those who think they should have access. Identify your critical infrastructure and lock it down.

Be proactive and not reactive to the threats and vulnerabilities. Know when a wheel nut has come loose, don’™t wait for the wheel to fall off before responding. Be as proactive in knowing what is leaving your network as to knowing what is trying to enter your systems.

Recognise your risks, relevant to your mission and ambitions, and have clearly defined boundaries as to what your risk appetite is.

For example:

  • Is it OK for your website to be down for 30secs, 30mins, 30hours?
  • Who are you going to call in a crisis, where is your documented IR plan written down and who can access it?
  • What do your agreements say they will do to assist you in crisis, think about reviewing their contracts?
  • What is your press statement going to look like and who is your talking head going to be?
  • Plan for breaches, anticipate breaches, rehearse and exercise your response, don’t wait till it happens so that you have to make decisions in crisis.
  • What will be your single public message? (Lots of good examples out there deployed in recent events)
  • How will your staff, vendors and outsourced capability respond on Christmas Eve or even Christmas Day if you need help?

Understand how you are going to communicate during a crisis, if your systems are owned by a miscreant, it is no use using the corporate email system to decide and share your battle plan.

Still Have and Keep:

  • Patch management
  • Good password rules
  • Regular pen testing
  • Sans top 20 critical security controls

In the UK, I always find it is worth reviewing what the UK Government has on the subject on their gov.uk site on best practice for cyber security advice.

When it goes wrong, know whom you are going to call.

Lastly, it’s all about the people, not the technology; your people are your asset, but never forget they can be exploited and can be a vulnerability, so invest time in educating them and getting their buy in.

Team Cymru: http://bit.ly/1P3apDT

 

« Facebook Rule Change After Privacy Ruling
Email Data Breaches: The Threat Keeps Giving »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Orolia

Orolia

Orolia are experts in deploying high precision GPS time through network infrastructure to synchronize critical operations.

European Society of Criminology (ESC)

European Society of Criminology (ESC)

The ESC Working Group on Cybercrime is focused on cybercrime, its causes and offenders, impact on victims, and our response to it at the individual, corporate, and governmental levels.

Honeywell Process Solutions (HPS)

Honeywell Process Solutions (HPS)

Honeywell's Industrial Cyber Security Solutions help plants and critical infrastructure sectors defend the availability, reliability and safety of their industrial control systems.

Exponential-e

Exponential-e

Exponential-e provide Cloud and Unified Communications services and world-class Managed IT Services including Cybersecurity.

Quantstamp

Quantstamp

Quantstamp are experts in Smart Contract Security Audits. We provide verification that your decentralized system works as intended.

Deduce

Deduce

Deduce use a combination of aggregate historical user data, identity risk intelligence, and proactive alerting to deliver a robust identity and authentication solution.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

Intel

Intel

Intel products are engineered with built-in security technologies to help protect potential attack surfaces.

Vancord

Vancord

Vancord is an information and security technology company that works in collaboration with clients to support their infrastructure and data security needs for today and tomorrow.

Guardey

Guardey

Guardey protects thousands of SME's environments. Whether your team works at the office, at home, at the customer or remotely. We protect your business. We do this in an accessible and affordable way.

Cognilytica

Cognilytica

Cognilytica’s Cognitive Project Management for AI (CPMAI) training and certification is recognized around the world as the best practices methodology for implementing successful AI & ML projects.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

Northdoor

Northdoor

Northdoor provides a comprehensive set of services around information security and works with leading global technology vendors to deploy and manage cyber security solutions.

Jericho Security

Jericho Security

Jericho Security is on a mission to defend the world from the new threats of generative AI cyber attacks.

Pulsar Security

Pulsar Security

Pulsar Security is a team of highly skilled, offensive cybersecurity professionals with the industry's most esteemed credentials and advanced real-world experience.

Foresights

Foresights

Foresights is a Nordic company utilizing advanced intelligence tradecraft and extensive cyber security capabilities to deliver services and advisory tailored to our client’s critical requirements.