[BreachExchange] How To Develop Good Cybersecurity Practice
Destry Winant
destry at riskbasedsecurity.com
Sun Jan 13 23:52:32 EST 2019
https://www.cybersecurityintelligence.com/blog/how-to-develop-good-cybersecurity-practice-4024.html
The potential business revenue from rising compliance requirements and
security threats is hard to ignore. The increasing press coverage of
ransomware attacks and fines for non-compliance is driving awareness
and urgency.
Even the slow adopter business owners and managers know something
needs to be done to limit their corporate risks and individual
exposure, and time isn’t on their side.
What tools are necessary, how to integrate it into the IT services
offering, how to market it? What are the best ways to go about
developing sound cybersecurity policies and practices in 2018 that
could be used for commercial gain as well as internal commercial
security? Here are some recommendations.
1.Update Software and Systems
After Spectre struck in Jan 2018, Apple issued security fixes for its
iOS 11 operating system This is no different from what other IT
vendors do when they discover a security vulnerability. However, the
rub for IT is making sure that the diversity of devices that are in
the hands of users are all updated with the latest versions of a bevy
of OSs.
This requires centralised policy making in IT that likely adopts a
'push' methodology, forcing new security updates onto a user's device
when they connect to the network, instead of a 'pull' methodology,
which notifies the user that a new security patch is available and
gives them the option to load this new software when it's convenient.
2.Conduct Top-To-Bottom Security Audits
If your company hasn't already done so, it should conduct a thorough
security audit of its IT assets and practices. This audit will review
the security practices and policies of your central IT systems, as
well as your end user departments and at the 'edges' of your
enterprise, like the automated machines and IoT you might be employing
at remote manufacturing plants.
The audit should look not only at the software and hardware techniques
you have in place to protect security but also at remote site
personnel habits and compliance with security policies.
These audits should be carried out by an independent cyber-audit
business that brings a clear understanding of cyber security to the
business being audited, this would be similar to a Financial Audit and
so it should also bring a certification of completion and security
each year.
3.Don't Forget Social Engineering
As part of your end-to-end IT audit, you should include social
engineering, which reviews whether your employees are demonstrating
vulnerability when it comes to offering up confidential information
This social engineering can be as simple as someone shouting a
password to a co-worker over an office partition, or it could be a
user who pulls up a website at work and surrenders passwords or other
vital information that ultimately gets into the wrong hands.
4.Demand Audits from Vendors and Business Partners
According to a 2017 report by Commvault and CITO Research more than 80
percent of companies see the cloud as integral to their technology.
But with the move away from internal data centers, it's also become
more important to demand regular IT audit reports from your vendors
and business partners. Companies should have policies in place that
require regular security audit reports from vendors they are
considering before contracts are signed.
Thereafter, vendors, as part of their SLAs, should be expected to
deliver security audit reports on an annual basis.
5.Provide New and Continuing Security Education
Cyber-security education should be a staple of every new employee
orientation, with new employees signing off that they have read and
understood the training.
On an annual basis, a refresher course in cyber-security practices
should also be given to employee’s companywide. This ensures that
security policies and practices stay fresh in employees' minds, and
that they understand any policy additions or changes.
6.Watch the Edge
Manufacturing 4.0 and other remote computing strategies are moving
computing away from data centers and out to the edges of companies.
This means that a manufacturer with a remote plant in Ireland is
likely to have manufacturing personnel operate automated robots and
production analytics with local servers in the plant.
Software and hardware security must be maintained on these devices,
but the devices must also be locally administered under accepted
cybersecurity policies and procedures by personnel who are asked to do
these jobs without an IT background.
This is a security exposure point for the company and for IT that
requires training of non-IT personnel in IT security policies and
practices, as well as oversight by IT and auditors.
7.Perform Regular Data Backups that Work
If your data is compromised or held hostage in a ransomware attack, a
nightly data backup will at least enable you to roll back to the
previous day's data with minimal loss. It’s a simple enough policy and
practice to enact.
Unfortunately, a bigger problem for companies is not so much that they
don't perform data backups, it's that the backups don't always work.
One of the most important cyber-security policies that corporate IT
can put in place is a requirement that data backups and disaster
recovery minimally be full-tested on an annual basis to ensure that
everything is working properly.
8.Physically Secure Your Information Assets
Even if software, hardware, and network security are in place, it
doesn't help much if servers are left unsecured on manufacturing
floors and in business units.
Physical security, like a locked 'cage' for a server in a plant that
is accessible only to personnel with security clearance, is vital.
Security policies and practices should address the physical as well as
the visual aspects of information.
9.Maintain Industry Compliance
Especially for companies in highly regulated industries like
healthcare, insurance, and finance, regulatory compliance that
concerns IT security should be closely adhered to.
Companies in these industries should annually review security
compliance requirements and update their security policies and
practices as needed.
10.Inform Your Board and CEO
A successful cybersecurity strategy is one where you never find
yourself in front of the CEO or the board having to explain how a
cyber breach happened and what you are doing to mitigate it.
Unfortunately, great security systems are 'invisible', because they
never give you problems.
This makes it important for CIOs, CSOs, and others with security
responsibilities to clearly explain cybersecurity technologies,
policies, and practices in plain language that the CEO, the board, and
other nontechnical stakeholders can understand.
If the non-technical people in your organisation can't understand why
you are enacting a certain policy or asking for a sizeable investment
for a cybersecurity technology, you're going to have trouble making
your case, unless you're all suffering through an embarrassing
security breach that could end careers and put the entire company's
survival on the line.
More information about the BreachExchange
mailing list