Who Is The Cybersecurity Guy In Your Organisation?

Uploaded on 2016-04-04 in NEWS-Cybersecurity News, FREE TO VIEW

Too often, IT teams, if they address it at all, take a conventional approach to cybersecurity: lock all the doors, build a great firewall, restrict access, and eliminate any intruders. In today’s world, this is no longer sufficient or appropriate. Over the last few years, approaches to cyber-defense have, out of necessity, changed.

However, a few myths still permeate the debate. Most notably the ideas that 
1. Any problem can be solved by throwing a sufficient amount of money at it. 
2. That isolating yourself and securing only your own networks still in some way provides you with a competitive advantage. These myths in particular reflect poorly on companies’ ability to understand the future of the threat landscape.

Interestingly, the lack of clarity on the mandates and responsibilities for security within an organization rarely rank highly during company surveys of the primary barriers to ensuring an effective information security strategy is implemented.  Instead, external factors such as the increased sophistication of threats and emerging technologies are seen as the greatest challenges.

In line with this trend to underestimate the need for clear guidance on who should do what within an organization, various surveys often find that executives overestimate their companies’ ability to deal with cyber-attacks. In a recent survey, company employees showed extraordinary public confidence in their CEOs’ and directors’ security strategies. Despite industry research showing that it typically takes an average of 200 days to discover an attack on a network, 55% of the aforementioned respondents believed they could detect a breach within a matter of days; 25% answered a matter of hours.

Certainly, the threat landscape has changed, and we are ever more confident in the fact that new kit and gadgets can provide us with real-time snapshots of the activity on our networks. Cybersecurity software has also got clever: programs will learn patterns to stay ahead – intelligent locks if you like.

However, when dealing with an organization, be it large or small, cybersecurity has to start somewhere: with your employees. Account takeover remains the easiest way to enter a network. No need to force your way in through a complex web of security traps thought up by some savvy IT professional. Simply guess (rather intelligently in some cases through targeted open-source research) someone’s password and pivot your way through the network till you find what you’re looking for. If you’re lucky, an insider, preferably with administrator privileges, will even help you out whether they know it or not.

Training and direction remain some of the more essential components of a company’s security plan. Not only do we, in the United Kingdom, suffer from a shortage of skills within the cybersecurity industry itself, we also suffer from a lack of awareness of how to approach it on a day-to-day basis.
This is true at all levels of an organization. The board of directors is tasked with the responsibility of overseeing risk management – including cyber-risks – for shareholders, and yet many boards do not have any person or group on the board that possesses cybersecurity skills and is capable of functioning in that capacity. According to a 2014 board survey, 29% of corporate boards are not briefed on cybersecurity at all, while 30% are briefed once a year. The same survey found that 60% of companies do not have a Chief Cybersecurity or Chief Information Officer, and 61% of those companies allow cybersecurity duties to fall to the Chief Financial Officer.

We’ve established that employees need to have a basic understanding of their footprint on the network: which passwords they use, what files they should open or not, what information should be reported, and how to report that information. As a general rule, however, cybersecurity is not just a problem for a company’s IT department. As an organization-wide issue, companies must recognize that (1) not all data can be protected to a gold standard, (2) data that matters should be heavily protected and sufficiently isolated from a network’s weak points, and (3) not everyone is best placed to determine what data is important.

Overall, the board of directors and company Officers need to be supported in their risk management duties by competent security professionals who not only have a technical awareness of the issues at hand but, are also aware of the daily business practicalities that this entails.

Cybersecurity is everyone’s responsibility: the board must provide an informed overarching strategy to protect shareholders’ interest; the Officers must be kept up to date with latest trends and developments to keep both their IT staff and their other employees informed; and employees need to be made aware of the risk they could pose to their company’s network. Prioritizing the importance of data, based on its financial value and/or reputational attributes, remains a key consideration when handling both proprietary or third-party data.
Infosecurity: http://bit.ly/1RBQQC8

 

« Four Startup Companies That Are Harnessing AI In The Invisible Cyberwar
How The CIA Is Making Sense Of Big Data »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

Cyberlytic

Cyberlytic

Cyberlytic applies artificial intelligence to combat the most sophisticated of web application threats, addressing the growing problem of high volumes of threat data.

OPSWAT

OPSWAT

OPSWAT is a software company that provides solutions to secure and manage IT infrastructure.

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

RBCCPS is an interdisciplinary research and academic centre within the Indian Institute of Science focused on research in cyber-physical systems.

Myra Security

Myra Security

Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks can do any real harm.

SterlingRisk Programs

SterlingRisk Programs

SterlingRisk’s Cyber practice brings experience working with a wide array of clients across a broad spectrum of industries.

Seadot Cybersecurity

Seadot Cybersecurity

Seadot offer cybersecurity services to organizations with a high demand for regulatory compliance and security.

Redhorse

Redhorse

Redhorse provides top-tier consulting to help clients address mission-critical government problems in National Security, Networking Technology, Energy and the Environment.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

Financial Services Information Sharing and Analysis Center (FS-ISAC)

Financial Services Information Sharing and Analysis Center (FS-ISAC)

The Financial Services Information Sharing and Analysis Center is the only global cyber intelligence sharing community solely focused on financial services.

Noetic Cyber

Noetic Cyber

Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, and optimize their cybersecurity posture.

EDGE Group

EDGE Group

EDGE is one of the world’s leading advanced technology groups, established to develop agile, bold and disruptive solutions for defence and beyond.

PCI Security Standards Council (PCI SSC)

PCI Security Standards Council (PCI SSC)

The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments.

RADICL

RADICL

RADICL's mission is to give SMBs that serve America's Defense Industrial Base (DIB) access to strong, enterprise-grade cyber security protection.

ioSENTRIX

ioSENTRIX

ioSENTRIX offers tailored, risk-focused assessments that reduce true business risk.

Cyber Castle

Cyber Castle

Linux Demands Sophisticated, Purpose-Built Security. Cyber Castle is the solution. A safe, deployable platform down to the edge device for monitoring Linux security anywhere across the globe.