[BreachExchange] How to protect your business from security threats

[Audrey McNeil]

http://www.itproportal.com/2016/04/26/how-to-protect-your-business-from-security-threats/

So we’re all aware by now that big multinational organisations have to
worry about IT security, but what about the rest of us with no real secrets
to protect? What risks do we have to worry about?

We are all at risk of security breaches, in fact a major breach could be
even more devastating for a small organisation than for a large
corporation. If your customers lose confidence in you then that could put
you completely out of business! Some of the common risks that you need to
think about are:

- Ransomware. If your systems are infected by ransomware you could lose all
of your data. How would you recover from this?
- Hackers. If a hacker breaches your systems and uses them to attack one of
your large customers you could be held responsible for their losses. Can
you afford the potential legal battle this might lead to?
- Data leaks. If you accidentally leak a large number of customers’ credit
card details you could be shamed in the press, and it’s likely that many of
your customers will take their business elsewhere. How would you deal with
this situation?

Can’t we just leave the risks to the security people to deal with?

You certainly need to employ some people with security expertise to help,
but you are the one with responsibility for the business. You need to
decide what you are trying to protect, what level of risk you are prepared
to live with, and how the balance should be set between taking risks and
going for business opportunities. If you leave all of these decisions to
people whose only focus is security then they could make decisions that do
your business more harm than good. Even worse they could design and
implement controls that are so out of line with how you run your business
that everybody ignores them – resulting in all the expense of security with
none of the benefits.

Are there really lots of security risks associated with the cloud? Would we
all be better off running everything on our own servers?

You need to consider the risks and benefits of cloud services in exactly
the same way as you consider other risks and benefits. Nothing is ever
completely safe, it’s a matter of understanding what the risks are, and
deciding if they are worth accepting. Using cloud services isn’t risk free,
but running your own servers isn’t risk free either and a cloud service
provider might have much better technical security controls than you could
implement yourself. If you are thinking of using a cloud service you need
to make sure you understand who is responsible for protecting your data,
and what risks you are running, and then make a balanced decision.

So we’ve installed our firewalls, and we’ve got anti-virus software on all
the PCs. Surely we’re protected now? Or are there other tools we need as
well?

Security is about much more than implementing technical controls. You do
need the sort of controls you’re describing here; anybody who doesn’t use
these will almost certainly have regular security breaches, but you also
need to think about your people and your processes. What people and process
controls do you need to complement your technology controls?

For example, do your staff all understand the risk of phishing attacks and
how to protect themselves? Do people make sure that all sensitive data is
encrypted whenever it’s copied to portable devices? There’s no point in
having lots of great security technology if you don’t use it properly.
Every time there is a report of a major security breach, the underlying
cause includes somebody doing the wrong thing, either through ignorance or
because it made their life easier. You need to ensure that your people are
part of your security solution, not part of the problem.

What about phones, tablets and the Internet of Things? Are there any
special security issues connected with them?

The constant connectivity that we get from our phones and tablets is
fantastic for business productivity. My people really need this to get
their work done, and I certainly don’t want to limit them. They do,
however, introduce some extra security concerns, and you need to manage
these. The solution to this is, like most areas of security, a balance of
people, process and technology controls. The technology includes things
like data encryption, to ensure that lost devices don’t cause leaked data;
VPN connectivity to protect against eavesdropping in hotels and coffee
bars; and mobile device management, to help ensure that patches are
installed and everything is configured correctly – and to enable you to
remotely wipe sensitive data and disable a device if, as will inevitably
happen at some point, one gets lost or stolen.

Even more important are the people controls – your staff need to understand
the things they must do to support information security. For example, they
should know what data can be stored on portable devices, and what should
only be kept on secure servers in the office. They need to be able to
recognise risky apps that could compromise their security and take care
never to install them, and they need to be careful about any links they
follow from emails and social media. You need documented company policies
to cover all of these requirements and, just as important, you have to make
sure that everyone understands the policies, and understands the importance
of following them.

But what if the worst happens? You think you’ve got everything protected
and then there’s a security incident. Now what?

You do need to plan your response to security incidents. It’s almost
impossible to get things right if you haven’t planned and practiced what
you need to do. If you detect security incidents quickly, and respond
effectively, then you can often contain the damage, turning a potential
disaster into an inconvenience. These are the things you need to think
about:

- How do you detect security events and how are they then reported?
- Who makes the initial response and what will they do? For example, is it
more important to preserve evidence or to recover the business?
- What triggers a need to escalate? If you do need to escalate who takes
the next steps and what are they? What documentation should be created
about the incident and the response to it?
- Who owns the security incident once it has been escalated? Often this
will be an emergency response team including senior management and
communications experts as well as technology experts. How will they balance
conflicting needs to communicate, to preserve confidentiality, to restore
service, to preserve evidence etc.? What skills, knowledge and tools do
they need? You may want to create standard communication templates to help
you get your messaging right, but you will need to modify these during any
specific incident to cover the exact situation you find yourself in.
- After you have resolved an incident, what else needs to be done? At a
minimum you need to document any vulnerabilities that allowed the incident
to occur and make sure that you eliminate them across all services, not
just the one that was affected this time. You also need to hold a final
incident review. This should include reflecting on what was well managed
and on anything that could have been managed more effectively, so that you
can keep improving your security incident management process itself.

You need to rehearse your incident management plan in a variety of
scenarios. It’s much better to detect that it doesn’t work properly when
the impact is negligible than to wait for a real incident.

Security incident management seems very complex. Wouldn’t it be better to
have such good protection that there are never any incidents at all?

However careful you are, and however many security controls you implement,
you can’t completely prevent every possible security incident. You could
reach a point where you have so many controls that you just can’t do
business any more, and this still wouldn’t be enough to defend against all
possible attacks. You need to get the balance right between controls that
prevent incidents, and controls that allow you to detect incidents and
respond to them.

There have been cases where security breaches haven’t been detected for
many months, allowing the attackers to keep extracting data – so make sure
that you can detect unusual activity that may be an indication of a
security breach, and that you always investigate this to detect incidents
quickly. A breach that only lasts a few minutes will have a much smaller
impact than one that goes on for months or years.

Is there anything else we should be doing?

The most important thing to remember about information security is that
EVERYONE is involved. You need to make sure that all of your people
understand the risks, and that they all take an active part in protecting
your information and your organisation. Train people to think about
security and keep issuing reminders in ways that make them stop and think.
Carry out regular audits to ensure that the controls you think you have in
place are actually working. And never stop trying to improve.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160426/ecead8fc/attachment.html>