Crash Course on Cybersecurity
For most companies, cyber-attacks are no longer a question of if but when. Cybercrime damages are expected to reach $6 trillion annually by 2021, up from $3 trillion in 2015. That reality makes cyber awareness an essential topic of conversation.
So what is cybersecurity? What is information security? Why should you care, and how does it apply to your business and personal life? These are the questions we hope to answer, while moving your education on the subject far enough that you can start asking the questions that lead to better security policies and the architecture that implements them. Those questions will help you build a better cyber strategy for your company and, just as importantly, an understanding of the risks that come with digitizing services, products, and information.
Technology, and the role it plays in our lives, continues to change. A strong strategy should therefore align with the company’s business offerings and, if implemented correctly, should improve operations, regulatory compliance, reputation, and user experience.
What is Cybersecurity?
Computer security, cybersecurity, or information technology security is the protection of computer systems from the theft of or damage to their hardware, software, firmware or electronic data, as well as from the disruption or misdirection of the services they provide.
In the security field this definition is commonly broken down into the CIA Triad:
The triad was designed to guide policies for information security within an organization.
Confidentiality means information is disclosed only to those authorized to see it. In practice it is enforced through access controls that assign each user only the permission level they need, and through encryption of data that must not be readable by anyone else.
Integrity means data cannot be altered or destroyed without authorization, and that any tampering can be detected, whether the data is moving from source to destination or sitting at rest.
Availability means data and resources are reachable by authorized users when they need them. A separate but complementary principle, least privilege, grants each account on a computer only the permissions its role and responsibilities require, so that assets and data are reachable by those who need to know, when they need to know it to do their job, and by no one else.
Risk is one of the most important considerations for a business: if a company cannot operate and generate revenue, it will not be around for long. Remember that the goal is not risk elimination but risk management. What level of risk is tolerable, gives the maximum return on cyber investment, and still aligns with the company’s vision?
The National Institute of Standards and Technology (NIST) provides a useful framework for approaching risk holistically, starting at the top with senior management:
“The Risk Executive Function is an individual or group (e.g., board members, CEO, CIO) within an organization responsible for ensuring that: (i) risk-related considerations for individual systems are viewed from an organization-wide perspective, taking into consideration the overall strategic goals of the organization in carrying out its core missions and business functions, and (ii) the management of system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. Responsibilities include, but are not limited to:
- Defining a holistic approach to addressing risk across the entire organization;
- Developing an organizational risk management strategy;
- Supporting information-sharing amongst authorizing officials and other senior leaders within the organization; and
- Overseeing risk management related activities across the organization.”
At a deeper level, identifying risky behavior among employees helps target those who need security awareness training. Training employees pays off in the form of protecting your customers, your reputation, and company data.
Spotting high-risk employees is not always a simple task, but a good starting point is their observable behavior:
- Users who have tried to visit websites blocked by the company’s proxy
- Users who have been infected by malware multiple times within a given period
- Users who break security policy during work-related activities
- Users who lose devices or have devices stolen
These are just a few of the signals to look at when assessing an employee’s risk, and their weighting varies from company to company. Understanding this risk comes back to the principle of least privilege: a high-risk employee holding high permissions is a recipe for a breach of some sort.
Safeguards for a high-risk employee could include more frequent malware scans, stricter email filtering, or blocking specific programs from running on the user’s endpoint.
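The indicators above only become actionable once they are pulled out of the logs and combined with what each account is allowed to do. The following is an added example, not code from the original article: it parses a handful of constructed log lines (normalized to a `timestamp source key=value` form, which is an assumption about your log pipeline), counts each indicator per user inside a 30-day window, applies illustrative weights, and then cross-references the score with an assumed privilege level so that the high-risk-plus-high-privilege case from the paragraph above is flagged first. The weights, threshold, user names and events are all made up for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Weights and threshold are an assumption for illustration; tune them to your environment.
WEIGHTS = {"proxy_blocked": 1, "policy_violation": 3, "device_lost": 4, "malware": 5}
HIGH_RISK_THRESHOLD = 5

# Constructed sample log lines (not real data), normalized to "<timestamp> <source> k=v ...".
SAMPLE_LOGS = """\
2024-03-01T09:12:00 proxy user=alice action=BLOCKED category=malware
2024-03-01T09:15:00 proxy user=alice action=BLOCKED category=phishing
2024-03-02T11:00:00 proxy user=bob action=ALLOWED category=news
2024-03-03T14:20:00 av user=alice event=malware_detected name=Trojan.Generic
2024-03-10T08:05:00 av user=alice event=malware_detected name=Adware.Generic
2024-03-12T16:40:00 dlp user=carol event=policy_violation rule=usb_storage
2024-03-15T10:00:00 asset user=dave event=device_lost type=laptop
2024-01-05T10:00:00 av user=bob event=malware_detected name=Old.Infection
"""

# Constructed privilege levels, as an identity system would report them (assumed).
PRIVILEGES = {"alice": "admin", "bob": "user", "carol": "user", "dave": "admin"}


def parse_line(line):
    """Split one normalized log line into (timestamp, source, {key: value})."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), source, kv


def classify(source, kv):
    """Map a parsed event onto one of the risk indicators, or None if it is not one."""
    if source == "proxy" and kv.get("action") == "BLOCKED":
        return "proxy_blocked"
    if source == "av" and kv.get("event") == "malware_detected":
        return "malware"
    if source == "dlp" and kv.get("event") == "policy_violation":
        return "policy_violation"
    if source == "asset" and kv.get("event") == "device_lost":
        return "device_lost"
    return None


def score_users(log_text, window_end, window=timedelta(days=30)):
    """Count indicators per user inside the window and turn them into a weighted score."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, kv = parse_line(line)
        user = kv.get("user")
        if user is None or not (window_end - window <= ts <= window_end):
            continue  # outside the window: an old infection should not count forever
        counts[user]  # register the user even when this particular event is benign
        indicator = classify(source, kv)
        if indicator:
            counts[user][indicator] += 1
    return {user: (sum(WEIGHTS[i] * n for i, n in c.items()), dict(c))
            for user, c in counts.items()}


def recommend(scores, privileges):
    """Combine risk score with privilege level: high risk plus high privilege is fixed first."""
    result = {}
    for user, (score, indicators) in scores.items():
        high_risk = score >= HIGH_RISK_THRESHOLD
        privileged = privileges.get(user) == "admin"
        if high_risk and privileged:
            action = "review privileges; enroll in awareness training"
        elif high_risk:
            action = "enroll in awareness training"
        else:
            action = "monitor"
        result[user] = {"score": score, "indicators": indicators,
                        "privileged": privileged, "action": action}
    return result


def assess_sample():
    """Run the constructed logs through the scoring as of 2024-03-16."""
    return recommend(score_users(SAMPLE_LOGS, datetime(2024, 3, 16)), PRIVILEGES)


if __name__ == "__main__":
    for user, info in sorted(assess_sample().items()):
        print(f"{user:6} score={info['score']:2} privileged={info['privileged']!s:5} -> {info['action']}")
```

With the constructed data, alice (two blocked proxy requests plus two malware detections, and an admin account) scores 12 and is the one whose privileges get reviewed; bob's January infection falls outside the window and he scores 0. The window is the important design choice: without it, a single old incident would keep an employee on the high-risk list indefinitely.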
While the movies consistently portray a hacker furiously typing away with zero-day exploits at their fingertips, the reality is that basic social-engineering techniques aimed at employees (phishing, spear-phishing, baiting, and vishing) are the most common. Attackers rarely burn their best tools to gain access when a simple technique works just as well.
Training employees to become “human firewalls” through security awareness training (e.g., simulated phishing campaigns) can significantly improve a company’s security posture.
Big data is an increasingly important part of how companies analyze information to enhance their business offerings. The growing volume of data collected presents challenges of its own: processing data from multiple sources in a variety of formats, plus disaster recovery planning for lost data, adds to the already high costs in an organization’s budget.
Another, often overlooked, consideration with big data is the analysis tooling and the third-party vendors supplying it. Planning effectively for assessing and mitigating the risks posed by third parties (e.g., suppliers and partners) is a massive undertaking at scale.
With attackers increasingly using island hopping (compromising a less-defended supplier as a stepping stone into its customers), understanding the risks associated with vendors in your supply chain is essential. How quickly does the vendor push patches for their software? Does that timeline satisfy the regulations your company must comply with? Will integrating this vendor’s software add an attack vector to your organization? Should you encrypt all of the data? What does encrypting those volumes of data cost in time and resources? Can you balance information protection and accessibility?
These are just some of the questions organizations need to ask as the push toward the digital economy continues and third-party risk becomes real. Companies such as CyberGRX offer potential solutions, such as their third-party cyber risk exchange platform.
Big data also raises the emerging topic of increasing regulation around data collection and data storage. Whether the requirement is PCI DSS, HIPAA, or GDPR, understanding regulation is becoming a necessity for how companies collect and use data. These requirements add many audit and risk management functions. They can also represent strategic opportunities if an organization develops core competencies in these areas beyond those of its competitors.
Ransomware is malicious software that locks or encrypts a victim’s computer or device data, then demands a ransom to restore access. Norton provides a helpful breakdown of the types of ransomware attacks and excellent prevention tips in this article.
With the increase in ransomware attacks, having a disaster recovery plan is a must. According to phoenixNAP:
- 93% of companies without disaster recovery who suffer a major data disaster are out of business within a year
- 96% of companies with a trusted backup and disaster recovery plan were able to survive ransomware attacks
There are two core concepts when creating a disaster recovery plan: RTO and RPO.
Recovery Time Objective (RTO) is the maximum acceptable time between a disaster and the restoration of service: how long the business can tolerate its applications being down. Recovery Point Objective (RPO) is the maximum acceptable amount of data loss, expressed as time: everything written since the last good backup is lost, so an RPO of four hours means backups must be taken at least every four hours. Together they dictate how often you must back up (RPO) and how fast you must be able to restore (RTO).
Start the disaster recovery planning process by taking your organization through a risk assessment. Establishing priorities and identifying the scope of damage with a simple likelihood-by-impact risk matrix is an excellent place to start.
After analyzing a disaster’s potential impact and the threat to different systems in your business, the next step is to create a plan based on budget, resources, tools, and partners. The final step is to test the plan with a dry run under different conditions (e.g., what do you do if a specific team of managers is unreachable?).
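A dry run of the plan can be done on paper before anyone touches a restore console, by comparing each system's RPO and RTO with what the backups and runbooks actually deliver. The following is an added example, not code from the original article or from any vendor mentioned in it: it takes a constructed plan for three systems (the objectives, the timestamp of the last backup that was both completed and test-restored, and a restore runbook whose steps may depend on one another) and, for an assumed ransomware detonation time, computes the data actually lost and the critical path through the restore steps. Every system name, objective and duration is invented for the demonstration.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# Constructed objectives per system, as agreed with the business (assumed values).
OBJECTIVES = {
    "erp":       {"rpo": 1 * HOUR,  "rto": 4 * HOUR},
    "website":   {"rpo": 4 * HOUR,  "rto": 2 * HOUR},
    "fileshare": {"rpo": 24 * HOUR, "rto": 24 * HOUR},
}

# Constructed: last backup that completed AND was test-restored. An unverified backup
# is deliberately not counted; a backup nobody has restored from is only a hope.
LAST_VERIFIED_BACKUP = {
    "erp":       datetime(2024, 3, 15, 9, 0),
    "website":   datetime(2024, 3, 15, 3, 0),
    "fileshare": datetime(2024, 3, 14, 22, 0),
}

# Constructed restore runbooks: step -> (duration, steps it must wait for).
# Steps whose dependencies are all done can run in parallel.
RESTORE_STEPS = {
    "erp": {
        "provision_host": (timedelta(minutes=30), []),
        "restore_db":     (timedelta(minutes=120), ["provision_host"]),
        "restore_app":    (timedelta(minutes=45), ["provision_host"]),
        "validate":       (timedelta(minutes=30), ["restore_db", "restore_app"]),
    },
    "website": {
        "provision_host":  (timedelta(minutes=20), []),
        "deploy_code":     (timedelta(minutes=15), ["provision_host"]),
        "restore_content": (timedelta(minutes=40), ["provision_host"]),
        "dns_cutover":     (timedelta(minutes=30), ["deploy_code", "restore_content"]),
    },
    "fileshare": {
        "restore_data": (timedelta(hours=26), []),
        "validate":     (timedelta(hours=2), ["restore_data"]),
    },
}


def recovery_time(steps):
    """Critical path through the runbook: the longest chain of dependent steps."""
    finish = {}

    def finish_time(name):
        if name not in finish:
            duration, deps = steps[name]
            waits = max((finish_time(d) for d in deps), default=timedelta(0))
            finish[name] = waits + duration
        return finish[name]

    return max(finish_time(name) for name in steps)


def hours(td):
    return td.total_seconds() / 3600


def assess(objectives, backups, runbooks, incident_time):
    """Compare each system's real exposure (data loss, restore time) with its RPO and RTO."""
    report = {}
    for system, obj in objectives.items():
        data_loss = incident_time - backups[system]  # everything since the last good backup is gone
        restore = recovery_time(runbooks[system])
        report[system] = {
            "data_loss_hours": hours(data_loss),
            "recovery_hours": hours(restore),
            "rpo_met": data_loss <= obj["rpo"],
            "rto_met": restore <= obj["rto"],
        }
    return report


def run_example():
    """Assess the constructed plan against a ransomware detonation at 09:30 on 2024-03-15."""
    return assess(OBJECTIVES, LAST_VERIFIED_BACKUP, RESTORE_STEPS, datetime(2024, 3, 15, 9, 30))


if __name__ == "__main__":
    for system, r in run_example().items():
        print(f"{system:10} loss={r['data_loss_hours']:5.1f}h (RPO {'ok' if r['rpo_met'] else 'MISSED'})  "
              f"restore={r['recovery_hours']:5.1f}h (RTO {'ok' if r['rto_met'] else 'MISSED'})")
```

In the constructed data the ERP system meets both objectives, the website meets its RTO but misses its RPO (its last verified backup is six and a half hours old against a four-hour objective, so the fix is more frequent backups, not a faster restore), and the file share meets its RPO but misses its RTO because a 26-hour bulk restore cannot fit a 24-hour objective no matter how the runbook is ordered. Separating the two measures this way tells you which lever to pull for each system.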
Cybersecurity planning is an iterative process that must be continuously updated and monitored. Taking the right approach and instilling a security mindset is increasingly crucial to an organization’s success and sustainability, and provides the resilience needed to get the organization back on its feet after an attack.