[BreachExchange] A CEO’s Guide to Effective Security Compliance
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Sep 12 18:35:33 EDT 2016
http://chiefexecutive.net/a-ceos-guide-to-effective-security-compliance/
While juggling many business functions, CEOs just don’t have the time to
worry about small intricacies. New security breaches like ransomware make
security a more pressing concern for enterprises than ever before.
With security experts in place, the IT staff needs to be trusted to make
the infrastructure operate without data breaches. Without getting into the
weeds, CEOs should know the company’s security processes and how to keep
the business running without being breached. Here’s how CEOs can keep tabs
of their security landscape without being entrenched in every
time-consuming detail.
1. Train individuals for cybersecurity. Cybersecurity awareness training
should be at the top of the agenda. Security awareness training is one of
the most effective ways of reducing a company’s exposure to cybersecurity
threats. It simultaneously increases both detection and incident response.
It is highly recommended that training start at the top of the organization
and work down. CEOs should appoint a cybersecurity ambassador within each
department to assist in the detection and incident response for potential
cybersecurity threats and risks. This helps expand the efficiency of any IT
security team, while ensuring there is someone in the organization who is
accountable for implementing and maintaining cybersecurity measures.
2. Encourage separate passwords. As we get older, it becomes increasingly
harder to memorize which one of our two to three go-to passwords we used
for a certain login. Most likely, we use our same personal passwords for
our work passwords. And when a very complex password is required, many
employees revert to writing them down due to difficulty in remembering
them. This leads to a possible external threat which companies should
continuously assess.
In an advanced threat, an attacker will spend a large amount of time
researching a list of potential targets, gathering information about the
organization’s structure, clients, etc. Employee social media activities
will be monitored to extract information about the systems and forums
favored by the user and any technology vulnerabilities assessed. Once a
weakness is found, the next step the attacker will take is to breach the
cyber perimeter—the basic security most companies adopt—and gain access,
which, for most attackers, is easily done. To avoid such an impact on
business, CEOs should ask the CIO to implement a company-wide password
change every so often and provide suitable training for employees on best
practices for password choice.
3. Have a small access circle. A CEO needs to implement the concept of
“least privilege.” Least privilege means that the employee will only be
granted access to the resources and applications they require to do their
work and therefore do not have elevated privileges that could result in a
cyber catastrophe. Take a quick count of who has privilege to what access
and redistribute access rights, if needed.
Companies need to invest more to detect when employees inside the secured
perimeter are potentially engaging in malicious activities and reduce the
breach “dwell time.” It’s an average of 205 days before an attack is
detected; a time in which the attacker has gained access, avoided
detection, taken information and left without a trace.
4. Be deceptive and unpredictable. Having predictable security procedures
can make the company vulnerable. Establish a mindset with your staff in
which systems are updated and assessed on an ad hoc basis. Most
organizations look to automation to help assist in their cybersecurity
defenses. But for many, this lends itself to predictability.
Scans are run at the same time every week, patches take place once per
month and assessments are made once per quarter (or even per year). As the
CEO, be one step ahead of the hackers and randomize your security activity.
This will increase the company’s capability in detecting active and
potential cyber attacks and breaches.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160912/4b0b8be9/attachment.html>
More information about the BreachExchange
mailing list