[BreachExchange] Practical steps every business can take to mitigate cybersecurity risks

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 9 18:54:56 EDT 2018


When it comes to cybersecurity, no information is safe and no industry is
immune. 2017 was once again filled with data breaches – both big and small
– that were financially damaging to those who were directly affected.
Unfortunately, it has become increasingly easier for cybercriminals to
spread malware or ransomware, and to infiltrate networks and steal data.

For the first half of 2017, according to the Breach Level Index, healthcare
was the hardest hit sector in terms of the number of breaches. The
healthcare industry experienced 228 breaches (25 percent of the total),
with 31 million records stolen. The financial services industry suffered
125 data breaches with 5 million records stolen. Other industries totaled
53 breaches, with 1.34 billion records stolen.

The financial impact of a cyber breach can have devastating effects on an
enterprise. According to the Ponemon Institute’s 12th annual "Cost of Data
Breach Study," the average total cost of a data breach is $7.35 million in
the U.S., which represents a five-percent increase over the previous year.
Globally, the average total cost of a data breach in 2017 hit $3.62 million.

For any company or business, it’s no longer a question of whether you will
be attacked but when. Instead of panicking, companies need to take the
necessary steps to survive and mitigate cyber attacks and data breaches,
which should lead organizations to pose the question: How strong is our
ability to secure our data, processes, and procedures?

Approaches to Cybersecurity

There are many possible approaches that a business can take to mitigate
cyber risks, each with its own set of best practices. One approach that
has had only limited success is to delegate the responsibility for
cybersecurity solely to the IT department. Even using IT security best
practices, this approach is unlikely to meet current needs because it does
not cover all the potential attack vectors. A stronger approach is to
implement a holistic program across the entire enterprise, from senior
management up to the C-suite. This approach is far more likely to be
successful, and is the primary recommendation.

For the most effective programs, cybersecurity must have the attention of
every employee, and should include not only general awareness training but
also specific knowledge and procedures for each type of position. Here are
a few of the recommendations that will help protect most organizations,
organized by type:

1. Conduct staff training: Every member of the organization will benefit
from basic cybersecurity education and awareness training. Many successful
network breaches begin with a ‘socially engineered’ email that includes a
link that downloads malicious software. Every staff member should be aware
of these types of messages and on the lookout for them. Similarly, they
need to understand and recognize phishing emails.
2. Practice good password hygiene: Establish and enforce a password
management policy to ensure that passwords are changed regularly and
default passwords are not used. No equipment should be permitted to use the
default passwords provided by the manufacturer. Current password best
practices emphasize length over complexity – longer is better. And, failed
login attempts should be logged, limited, and locked out.
3. Keep software up to date: It sounds simple, but it is critical to ensure
that all software throughout the entire system is kept updated at all
times, including firmware. If possible, automate this process.
4. Manage access privileges: Each type of network user – including
administrators, operators, users, casual users, and visitors – should be
assigned the rights and privileges necessary for their assigned functions,
and no more.

All of these are basic components of a holistic approach to mitigating
cyber risks that can help almost every organization. There are many more
additional steps that can be taken for specific circumstances, but these
few are a strong starting point.

Testing and Automation

Testing is another key aspect of a cyber risk mitigation strategy. Testing
procedures should include manual testing, such as interviewing all
administrative personnel to confirm that all users are assigned a unique ID
for access to system components and data. In addition, automated network
testing can be used for a range of factors including periodic discovery of
every attached device. Reports from such tests should include audit trails
for all system components, including user ID, date and time, type of event,
and more.
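The advice in item 2 (failed logins should be logged, limited, and locked out) and the audit-trail fields named just above (user ID, date and time, type of event) can be shown together in one small guard. This is an added example written for this page, not code from the article or from any product it mentions; the threshold of five attempts, the 15-minute lock window, the user name and the timestamps are constructed values chosen for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy values chosen for this example; a real policy sets its own.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=15)


@dataclass
class AuditEvent:
    """One audit-trail record: user ID, date and time, and type of event.
    The submitted password is deliberately never stored here."""
    user_id: str
    timestamp: datetime
    event_type: str


@dataclass
class LoginGuard:
    audit_log: list = field(default_factory=list)
    failures: dict = field(default_factory=dict)      # user_id -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user_id -> lock expiry

    def _record(self, user_id: str, now: datetime, event_type: str) -> None:
        self.audit_log.append(AuditEvent(user_id, now, event_type))

    def attempt(self, user_id: str, password_ok: bool, now: datetime) -> str:
        """Apply the limit/lock policy to one login attempt and log the outcome.
        Returns "locked", "failure" or "success"."""
        until = self.locked_until.get(user_id)
        if until is not None:
            if now < until:
                # The lock is checked before the credential, so a correct
                # password presented during the lock window is still rejected.
                self._record(user_id, now, "login_rejected_locked")
                return "locked"
            # The lock has expired: clear it and reset the failure counter.
            del self.locked_until[user_id]
            self.failures[user_id] = 0
        if password_ok:
            self.failures[user_id] = 0
            self._record(user_id, now, "login_success")
            return "success"
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        self._record(user_id, now, "login_failure")
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCKOUT_WINDOW
            self._record(user_id, now, "account_locked")
        return "failure"


def format_audit_line(event: AuditEvent) -> str:
    """Render a record in a fixed, greppable layout for the audit trail."""
    return f"{event.timestamp.isoformat()} user={event.user_id} event={event.event_type}"


def run_scenario():
    """Constructed scenario (not real data): five wrong passwords one second
    apart, the correct password while locked, then the correct password after
    the lock has expired. Returns the outcomes and the rendered audit lines."""
    guard = LoginGuard()
    t0 = datetime(2018, 5, 9, 18, 54, 56, tzinfo=timezone.utc)
    outcomes = [guard.attempt("alice", False, t0 + timedelta(seconds=i))
                for i in range(5)]
    outcomes.append(guard.attempt("alice", True, t0 + timedelta(seconds=5)))
    outcomes.append(guard.attempt("alice", True, t0 + timedelta(minutes=20)))
    return outcomes, [format_audit_line(e) for e in guard.audit_log]


if __name__ == "__main__":
    results, audit_lines = run_scenario()
    print(results)
    for line in audit_lines:
        print(line)
```

Two design points worth noticing: the lock is evaluated before the password, so a correct guess during the window does not unlock the account, and the audit record carries the event type rather than the password, so the log itself never becomes a credential store. Because a per-account lock can also be triggered against a legitimate user, deployments usually pair it with per-source rate limits and treat `account_locked` events as something to alert on, not just record.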

Automating physical surveillance and security functions can be an
additional method to mitigate cyber risks. For example, in addition to
businesses, airports, municipalities, hospitals and mass transportation
facilities have experienced video surveillance outages as a result of a
cyber breach. Companies should implement an automated camera firmware
update manager, which allows cameras to be updated automatically. This
saves a significant amount of time spent manually updating each camera and
also assures everything is up to date with the latest updates.

In many enterprises, physical security and IT personnel monitoring a system
in real time are no match for intense and relentless cyber-attackers
unleashing botnets executing scripted attacks. Not only are humans
incapable of keeping up with the sheer volume of incoming threats, but
their ability to make quick and impactful decisions to manually address
such attacks may not be enough to stop them. As a result, automation is
becoming a powerful and an effective component of cybersecurity risk
mitigation efforts.

Using automation to mitigate cyber risks offers several benefits, including
streamlining of workflows to create an efficient environment. Not only does
the organization become stronger in terms of security, but it also becomes
more cost-effective, a point on which the C-suite will likely take notice.
Another benefit is fewer errors: humans are prone to them, while machines
are far less so. Automation removes the error-prone human element from some
or all of the process.

Automation can also incorporate the use of video analytics, where security
failures are automatically detected and corrected. That leads to a
proactive approach to mitigating risks, versus simply reacting to events.
In addition, automation enables data gathering and a more advanced type of
analysis to solve a security problem. Lastly, with an automated system,
there is no doubt about compliance with various regulations, as the system
is set up to monitor for issues that would violate security protocols.

With the number of data breaches increasing each day, and the average
annual cost of cyber-attacks reaching up to $400 billion for global
enterprises, every enterprise needs an effective strategy to mitigate cyber
risks. The key is to engage the C-suite and all employees, incorporate
testing and automate many security functions and equipment maintenance
processes to create a strong line of defense that will outsmart hackers and
stand the test of time.