Cyber Security is a illusive concept that constantly evolves every time you think you have figured it out. If you feel like you are chasing the digital rabbit down a never ending hole, rest assured that this is completely normal and expected. Let’s discuss how to plug a few rabbit holes and establish a good foundation for security.
So what does it really mean to be “cyber secure”? Simply put, it means that the assets that make your business money are adequately protected and monitored to assure a continued state of security.
No matter how general this statement may seem, it captures the essence of the approach every Cyber Security professional will take to assess your business. Because security is usually an afterthought, in most cases, companies have no idea what their digital assets are as they miss the opportunity to understand them while complexity piles on top of once simple business functions. To secure any business you must define what needs to be protected and prioritize these systems so that investment decisions can be made.
Step one of improving your posture is to make Cyber Security an official business process that is managed with an assigned and empowered leader. Imagine the gambling game where a ball is placed under a red plastic cup and manipulated in a manner to cause the betting party to lose track of the ball. The moment attention is taken off of the shifting cups the probability of knowing where the ball is becomes greatly reduced. The hustler in this scenario is the potential bad guy who is waiting for you to become distracted, the cups are your evolving assets and the ball is the attack that you will catch or it will slip past.
When security is not integrated into every process, you have taken you eye off the ball. Your Chief Information Security Officer (CISO) should be an integral part of your change management process and business decisions to ensure that you remain proactive rather than reactive. You should be in a position to consciously accept risk rather than being the victim of it. With that said, security costs money, it is an investment. You can pay now or you can pay later, but the cost you will pay later will always be more significant.
Now that you have a professional on board with his eyes firmly on the ball, he has identified what needs to be protected and you have invested in systems to guard your assets. Here comes your next challenge, tuning and oversight. Your cyber solution should be configured with a baseline of what is expected activity then it should be tailored to detect abnormal behaviour. With the increasing presence of Artificial Intelligence (AI) and Machine Learning (ML), activity can be monitored in an automated manner and threat signatures can be detected from vast collaborative databases. Invest in the right technology that compliments human efforts while leveraging technological advances. Many companies spend a significant amount on cyber security solutions and still experience unnecessary compromises due to a lack of adequate oversight on the implement systems. If logs are not reviewed and security metrics are not monitored for effectiveness, then you have wasted money. Know what your paying for and how you plan to extract value. Cloud based solutions are great to remain agile and flexible in your security strategy.
While many believe that vulnerabilities are exploited through highly technical means, this is usually not the case. Most attacks are crimes of opportunity by folks who have kept their eye on the ball. Blockchain is built on various cryptographic algorithms, so how are businesses compromised? We have two main attack vectors, internal human error and public facing entry points.
This brings us to the final point, check your work and mitigate human error of customers and employees. Digital products have a DNA code that has the potential to contain exploitable errors.
Checks such as “input validation” should be conducted to ensure that only expected information can be presented to a system through user interfaces such as a website. For example, if I can enter numbers into a field where a name should go, that’s a problem. This creates a perfect environment for a hacker to input code on a user interface to be executed on a backend database. There are some coding best business practices that can be adopted for traditional coding languages and as lessons learned emerge from the crypto space, they should be evaluated and applied within Cyber strategies.
Hackers often attack the weakest link in an unusually secure process. This can be a person, policy or process with an exploitable aspect. Employees are susceptible to phishing and social engineering attacks. They can also introduce vulnerabilities through the use of poor password practices and introduction of compromised systems into the work space such as storage devices, computers or mobile devices. Customers can also be exploited through compromised software downloads, website redirects or phishing attacks.
Flawed business processes can create an easy target for a potential attacker such as sensitive information being emailed without encryption between employees, visitors being allowed into work spaces without an established authorization process or employees given more rights than what they require to operate in their environment. Luckily all these things can be resolved with proper policy implications and regular reviews.
While the cyber threat is constantly changing you can stay ahead by simply understanding your business and its assets. Every change in people, processes or technology introduces a new risk to be evaluated and mitigated to an acceptable level. There is no such thing as zero risk, but there is such a thing as zero readiness.
To summarize:
• Make Cyber Security an integral business process by empowering a team leader to fulfil this critical function.
• Inventory your assets to be protected and manage your cyber security investments. Understand what your paying for and constantly evaluate for effectiveness.
• Check your work; the slow right answer will cost less than the quick wrong answer.
• Establish and evaluate policies, process and standards that mitigate risk. There are lots of international organizations with great templates that can used for this purpose.
Author: Michael Philbert. Cybersecurity expert and cofounder -The Advisory Network April 2019