Monday, April 23, 2018

Cybersecurity - What's in your strategy?

Our constant connectivity to the Internet exposes us all to a hostile environment of rapidly evolving threats. Because of the size, complexity, and continual evolution of the cyber environment, there is no simple, one-size-fits-all approach to managing the risks associated with cybersecurity. In this post, we will discuss five components of a cybersecurity strategy.  This is not an exhaustive list, by any means.  I highlight some key attributes that can establish a sound strategy with limited resources and, as I did in the two previous posts, I include links to some helpful resources.

Understand your network and your potential exposure
The best way to start is with an inventory of your company's network systems, hardware, and software and their location(s):
·       Physical devices and systems
·       Software platforms and applications
·       Maps of network resources, connections, and data flows
·       Connections to the company’s networks
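As an added example (not part of the original post), here is a small Python script that reconciles an authorized asset inventory against hosts actually observed on the network. The inventory entries, MAC addresses, hostnames and the observed host list are constructed sample data; in practice the observed list would come from something like DHCP leases or an ARP table.

```python
"""Reconcile the asset inventory against hosts actually seen on the network.

All inventory entries, MAC addresses and hostnames below are constructed
sample data for this example, not taken from any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    location: str


# Authorized inventory (constructed): what the organization believes it owns.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "fileserver01", "IT", "Server room"),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "laptop-jsmith", "J. Smith", "Floor 2"),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "printer-mfp-1", "Facilities", "Floor 1"),
}

# Observed hosts (constructed): (mac, ip, hostname) as you might export them
# from DHCP leases or an ARP table.  Note the mixed MAC formatting.
OBSERVED = [
    ("AA-BB-CC-00-00-01", "10.0.1.10", "fileserver01"),
    ("aa:bb:cc:00:00:02", "10.0.2.41", "laptop-jsmith"),
    ("de:ad:be:ef:00:99", "10.0.2.77", "android-7f3a"),
]


def normalize_mac(mac):
    """Canonical lowercase, colon-separated form so inventory and observation match."""
    return mac.strip().lower().replace("-", ":")


def reconcile(authorized, observed):
    """Return devices seen but not inventoried, and inventoried but not seen.

    'unknown' entries are candidates for an unapproved device on the network;
    'missing' entries may simply be powered off, but a missing laptop or phone
    is also how a theft first shows up in the data.
    """
    seen = {normalize_mac(mac): (ip, host) for mac, ip, host in observed}
    unknown = [(mac, ip, host) for mac, (ip, host) in seen.items() if mac not in authorized]
    missing = [asset for mac, asset in authorized.items() if mac not in seen]
    return {"unknown": unknown, "missing": missing}


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, OBSERVED)
    for mac, ip, host in report["unknown"]:
        print(f"UNKNOWN DEVICE  {mac}  {ip}  {host}")
    for asset in report["missing"]:
        print(f"NOT SEEN        {asset.mac}  {asset.hostname}  ({asset.owner}, {asset.location})")
```

Both output lists are worth a look: an unknown device is the inventory telling you something joined the network that nobody approved, and a device that has stopped appearing is the earliest hint that a laptop or phone has left the building.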

Network physical and system security
The physical security of your network and IT assets (computers, networks, servers, smartphones, multi-media printing devices, etc.) is a cybersecurity first line of defense. The effect of a stolen laptop or smartphone can be just as disruptive to an organization as a cyber-attack. Below are six best practices for consideration.
·       Install anti-virus and anti-spyware programs and a firewall on all computers. Ensure that they are enabled and configured for automatic updates.
·       Keep all security programs, along with the operating system and software, current with the most recent updates. If the operating system is discontinued, support may no longer be available; upgrade to a newer operating system.
·       Centrally manage both physical and systems access. Audit system activities, such as successful and failed user logins and file and system access. All operating systems, and most applications such as firewalls, have the ability to audit system activities.
·       Back up files incrementally (daily) and fully (weekly). Test restore function to ensure backups are working as intended. Keep backups off-site.
·       Employees should put away sensitive items before leaving their work area. In addition, a clean desk will keep sensitive information out of the hands of personnel who do not have a legitimate reason for accessing this information.
·       Restrict access to your computer’s contents by locking the screen when you are away.

Personnel screening and insider threat
An insider threat is defined by Wikipedia as “a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.” Here are six areas where an insider threat can pose a risk to the organization.
·       Disclosure of confidential information, jeopardizing an organization’s relationships
·       Fraud
·       Loss of intellectual property
·       Monetary loss
·       Regulatory repercussions
·       Embarrassment, public relations and/or reputational risk issues

By recognizing the potential harm posed by current or departing employees, you can mitigate the damage that may arise from insider threats. Regularly auditing the network for suspicious activity, promptly removing system access when an employee departs, and monitoring for system use by former employees are three best practices to protect against insider threats.
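Two of the practices above, auditing successful and failed logins (from the system security list) and watching for system use by former employees, can be checked with the same log review. The Python script below is an added example, not the author's, that runs over a handful of constructed auth log lines written in the OpenSSH sshd message style: it flags bursts of failed logins for one account from one source, and any successful login by an account on a departed-employee list. The log lines, usernames, addresses, hostnames and the departed list are invented for the demonstration, and the burst threshold is an assumption.

```python
"""Review an authentication log for failed-login bursts and departed-user activity.

The log lines below are constructed in the OpenSSH sshd message style; the
usernames, addresses, hostnames and the departed-employee list are invented
for this example.
"""
import re
from collections import Counter

# Constructed sample of auth log lines (format modelled on OpenSSH sshd).
SAMPLE_LOG = """\
Apr 23 08:01:02 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Apr 23 08:01:04 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51023 ssh2
Apr 23 08:01:06 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Apr 23 08:01:08 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51025 ssh2
Apr 23 08:01:10 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51026 ssh2
Apr 23 08:01:12 fileserver01 sshd[2101]: Failed password for admin from 203.0.113.5 port 51027 ssh2
Apr 23 08:15:44 fileserver01 sshd[2188]: Accepted publickey for jsmith from 10.0.2.41 port 50110 ssh2
Apr 23 08:16:03 fileserver01 sshd[2190]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Apr 23 09:02:17 fileserver01 sshd[2301]: Accepted password for bwilson from 10.0.2.88 port 50233 ssh2
"""

# Accounts that should have been disabled on the employee's departure (constructed).
DEPARTED = {"bwilson": "2018-04-01"}

# Assumption: this many failures from one source against one account is worth a look.
FAILED_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+\w+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def parse_auth_log(text):
    """Return a list of (timestamp, host, outcome, user, source_ip) for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["host"], m["outcome"], m["user"], m["src"]))
    return events


def failed_login_bursts(events, threshold=FAILED_THRESHOLD):
    """Count failures per (user, source) and return those at or above the threshold."""
    counts = Counter((user, src) for _, _, outcome, user, src in events if outcome == "Failed")
    return {key: n for key, n in counts.items() if n >= threshold}


def departed_account_use(events, departed=DEPARTED):
    """Return successful logins by accounts that belong to departed employees."""
    return [e for e in events if e[2] == "Accepted" and e[3] in departed]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for (user, src), n in failed_login_bursts(evts).items():
        print(f"FAILED-LOGIN BURST     user={user} source={src} count={n}")
    for ts, host, _, user, src in departed_account_use(evts):
        print(f"DEPARTED ACCOUNT USED  {ts} {host} user={user} (left {DEPARTED[user]}) from {src}")
```

The departed-account check is the more important of the two in practice: it does not depend on any threshold, and a single hit means the "remove access on departure" step was missed and the account should be disabled and reviewed.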

Cybersecurity awareness and training
When it comes to a cybersecurity strategy, many organizations focus heavily on the technical aspects of network security (this post, too, covered the technical and physical security solutions first). However, most of these technical controls can be ineffective when employees lack a general awareness of cybersecurity. Employees can take risks online that greatly increase cyber-related risks to their organization. Risky activities include opening suspicious emails and not protecting sensitive information stored on, or transmitted from, their computers. Employee education and a culture of cyber awareness are often just as impactful to the overall strategy as the implementation of the most advanced cybersecurity systems. Here are eight best practices to create cybersecurity awareness.
·       Implement policies covering the acceptable use of, and the secure use of, computer systems.
·       Make cybersecurity training and awareness mandatory for all personnel. This includes executives and the C-suite.  Creating a culture needs to begin at the top of the organization.
·       Instruct users not to open suspicious emails or click on suspicious links, regardless of the source.
·       Instruct users not to connect unapproved devices to the network; only pre-approved devices should be used.
·       Instruct users to follow good password practices.
·       Train users about the dangers and safe use of external media (USB sticks and CDs).
·       Train users not to download or install unauthorized applications. (Restricting administrative access to computers so general users cannot download software or applications is a good practice).
·       Provide continuing education for executive management and employees to include videos, webinars, policy updates or articles that educate users.

Assessment of threats and vulnerabilities
Cybercriminals continue to take advantage of basic security vulnerabilities in computer systems. Organizations that do not scan for vulnerabilities and proactively address weaknesses in their network face an increased likelihood of having their systems compromised. A vital element of a cybersecurity program is to perform a risk assessment of all systems, sub-systems, and devices to determine what vulnerabilities are present.
·       Run an automated vulnerability assessment tool against all systems on the network on a regular basis.
·       Develop a prioritized list of the most critical vulnerabilities and an action plan to mitigate or resolve.
·       Stay aware of emerging threats and exposures. (Most network security software companies have user groups or blogs to help keep you up to speed with the latest threats.)
·       Ensure that the vulnerability scanning tools you use are regularly updated and contain the latest security vulnerabilities information.
·       Ensure computer software/applications are updated with security patches regularly.
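The scan-then-prioritize step above is where most of the judgment lives: a raw scanner report is sorted by severity score, but the action plan should also weigh how critical the asset is, whether the vulnerable service is internet-facing, and whether exploit code is known to be public. The Python below is an added example, not the author's, showing one way to turn findings into a prioritized list with remediation windows. The hosts, findings, vulnerability IDs (placeholders, not real CVE numbers), criticality weights, multipliers and windows are all constructed assumptions for the demonstration.

```python
"""Turn raw vulnerability scan findings into a prioritized action plan.

Hosts, findings and vulnerability IDs are constructed for this example
(the IDs are placeholders, not real CVE numbers).  The criticality weights,
multipliers and remediation windows are assumptions chosen to illustrate
the method, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # scanner-reported base severity, 0.0 to 10.0
    exploit_public: bool   # exploit code is publicly available
    internet_facing: bool  # the vulnerable service is reachable from the Internet


# Assumption: three business-criticality tiers for the example hosts.
CRITICALITY = {"dbserver01": 3.0, "webserver01": 2.0, "laptop-jsmith": 1.0, "printer-mfp-1": 1.0}

# Constructed scanner output.
FINDINGS = [
    Finding("printer-mfp-1", "VULN-PLACEHOLDER-1", 9.8, True, False),
    Finding("webserver01", "VULN-PLACEHOLDER-2", 7.2, True, True),
    Finding("dbserver01", "VULN-PLACEHOLDER-3", 6.5, False, False),
    Finding("laptop-jsmith", "VULN-PLACEHOLDER-4", 4.3, False, False),
]

# Assumption: remediation windows by risk-score band, highest band first.
WINDOWS = [(30.0, "fix within 7 days"), (15.0, "fix within 30 days"), (0.0, "next patch cycle")]


def risk_score(finding, criticality=CRITICALITY):
    """Scale the scanner score by asset criticality and by exposure factors."""
    score = finding.cvss * criticality.get(finding.host, 1.0)
    if finding.exploit_public:
        score *= 1.5
    if finding.internet_facing:
        score *= 1.5
    return round(score, 1)


def remediation_window(score, windows=WINDOWS):
    """Map a risk score to the remediation window for its band."""
    for floor, window in windows:
        if score >= floor:
            return window
    return windows[-1][1]


def prioritize(findings, criticality=CRITICALITY):
    """Return (score, window, finding) tuples, highest risk first."""
    scored = [(risk_score(f, criticality), f) for f in findings]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(score, remediation_window(score), f) for score, f in scored]


if __name__ == "__main__":
    for score, window, f in prioritize(FINDINGS):
        print(f"{score:5.1f}  {f.host:14s} {f.vuln_id:20s} cvss={f.cvss}  -> {window}")
```

The point of the example is that the printer's 9.8 finding, the highest raw severity in the report, ends up below the database server's 6.5 once asset criticality is applied, and the internet-facing web server with a public exploit goes to the top. The weights themselves are something each organization sets for itself; what matters is that the ordering is written down and applied consistently.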

Resources
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

U.S. Department of Transportation, National Highway Traffic Safety Administration - McCarthy, C., Harnett, K., & Carter, A. (2014, October). A summary of cybersecurity best practices. (Report No. DOT HS 812 075). Washington, DC: National Highway Traffic Safety Administration.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

IoTCrimes.com – All Internet of Things (IoT) devices are at risk of theft, damage or destruction

Department of Homeland Security - DHS, has created a webpage that has information and resources on cybersecurity and combating the threat of cybercrime.

Until next time, stay safe and be kind to one another.
