Tips to Maximize Cybersecurity for Your Business

By Jack Buckle

Technology plays a critical role in organizations, and the threats in the environment it operates in are numerous and dynamic. In light of this, how can your business maximize cybersecurity proactively, rather than approaching it reactively?

It’s a cliché, but it’s true – 100% security is not possible. However, steps can be taken to improve the security posture of your organization, allowing it to operate efficiently and competitively while protecting data, systems, employees, shareholders and clients.

Threats

It is critical to be aware of where online threats to your organization may lie. Identifying threats requires an understanding of multiple factors. These range from the environment you operate in to the technology you employ. It is as important to understand how your business activities may attract the attention of threat actors, such as hacktivists, as it is for your technical people to be aware of a recent spate of attacks against a particular type of software that you may use. As such, identification and profiling of threats should be conducted from top to bottom, drawing on the knowledge of the board room down to the technical understanding of those maintaining and securing the systems your organization relies on.

Furthermore, it should be a continuous process that reflects and meets the challenges of dynamic and constantly evolving threats. Threat monitoring is an activity that should draw on shared knowledge from your sector and the research of the cybersecurity community, as well as the security and assurance activities you undertake.

Assets

A good understanding of the information and systems that your business relies on can help accurately direct security spending and effort. Do not assume this must just be at a technical level, as it’s also critical to define the role and value a given asset has in your organization.

This should tie in with broader corporate governance. Your business should question how critical a given system is: What sort of data does it hold? What is the likely impact if the confidentiality, availability or integrity of this system were compromised? A business-focused evaluation of assets should guide the technical measures to protect them and enable you to get the most out of the assurance activities you undertake.

Culture

Culture is the heart of good security – a grounded and shared sense of awareness, with buy-in from the board room to the shop-floor. Security should be a key driver in strategy and operations, and should not only appear on the agenda when things go wrong.

On a day-to-day basis, while your organization can lock down systems and reduce your technological risk, if culture and consequent behaviors do not value and reflect good security practices, then you are far more likely to lose the battle. While a stringent password policy may be enforced, it is less effective if your employees are leaving their passwords on sticky tabs next to their screens.

Furthermore, ensuring that employees adhere to both the letter and the spirit of corporate IT security policy is vital. Your IT policies cannot account for everything; you need your people to think security. In an increasingly connected world with the rise of social media and BYODs, your business needs people to be aware and pause before they download an application or share a file using their personal webmail.

Developing a culture that values security is both cost-effective and long lasting. While IT systems require continued and costly maintenance, a culture that values security will be adopted by those who join, maintained by employees and outlast those who leave.

Monitor

Monitoring activities provides a vital source of information. Gathering this data can help identify attacks or malware within your systems, employee activities that contravene corporate policies and forensic evidence.

Monitoring activities should be suitable to your organization and the information gathered must be current, relevant and available. It should also be continuous and acted upon; audit logs are no use if they are not reviewed. Monitoring and acting on the information is particularly imperative with the rise of advanced persistent threats (APTs) and dynamically evolving malware.

Assure

Assurance activities should be continual, appropriate and well directed. Understanding your organization’s threats and key assets can help to direct where, when and what sort of assurance activities are undertaken.

Make effective use of the knowledge gained from assurance activities; this should include monitoring. Act upon it; use it to direct future activities and employ the knowledge organization-wide. If an issue has been identified in one system and the technology affected is used elsewhere, the ‘issue’ may now be ‘issues’. Equally, use the knowledge gained to inform development of new systems, policy and guidelines.

Diversify and vary your assurance activities. Traditional control audits and penetration testing are vital, but should be supplemented by other services. Consider using probes on the network to enhance monitoring. Conduct social engineering, physical penetration testing and simulated cyber-attacks to determine response and resilience. By doing this, you can demonstrate what an attacker might achieve in reality, given an extended period of time and a broader scope.

Collaborate

In the spirit of ‘two minds are better than one’, collaboration is vital to improved cybersecurity. Sharing knowledge of attacks, threats and solutions – technological or otherwise – can help improve your security posture. This should happen internally across teams and departments, but also externally with other organizations, vendors and relevant government organizations. Furthermore, draw on the community. Make use of available resources such as OWASP, CIS and CESG guidance.

Collaboration should not just be premeditative or historical, but where applicable be performed in real-time. Recent cybersecurity exercises, such as the one performed in the London banking sector, led by the Bank of England, demonstrate the importance of communication and sharing of information as events unfold. While this is particularly relevant to certain industries, such as banking and critical infrastructure, it is broadly applicable.

Wrapping it All Up

There's no magic formula or silver bullet. However, by making use of the knowledge available, fostering a shared culture of security and using the technology and services available, the security posture of your organization can be maximized.

Jack Buckle is a Technical Security Consultant at IRM Plc.
