We’ve all attended security seminars and we frequently hear the general question, “How secure is your business?” It seems like a very general question until you start to take a look at what is involved to secure an organization. How do I develop a plan?
Some of the general factors I evaluate to help develop the plan to secure a business:
- Understand attack vectors into my business
- Disruption Technology
- Organization Cyber Security Capabilities
Today’s attack vectors into an organization have changed. Over the past 6 months, we have witnessed attacks that we never thought were possible. Over 25,500 CCTV devices were hacked in 105 countries and used to generate DDoS attacks on customers. Ransomware has locked hotel guests out of their rooms for payment. Data centers are under attack with over 1Tb of traffic. Customers are victims of ransomware at an alarming rate. Phishing attacks are exposing how weak our overall cyber security strategy is at combating them.
Cyber-attacks are becoming more frequent and harder to detect. When the WannaCry ransomware hit, many organizations worked weekends to get systems patched so their organizations were protected. The question you need to ask yourself is, “Why did these organizations need to work the weekend?” The reason is that good security isn’t being followed or, in some cases, security isn’t important to the organization until something bad happens.
Hackers are looking for many ways into your organization. It is all about money. Your data is more valuable than you think. You have to think like a hacker in order to develop the protections needed to secure your organization’s data. If you have an open door or window they probably have already entered and are looking to laterally move to the next hop in your network.
The days are gone where we sit behind the firewall and perform all our work inside our corporate networks. Disruption technologies such as mobile, cloud, IoT, social media and applications are changing how we work and are creating more opportunities for hackers to enter your organization.
Will your organization be compromised through IoT devices that are poorly segmented? Will that Samsung television in your breakroom be the attack vector into your organization? Will an employee click on a social media link that encrypts your SharePoint files? What applications are on your network? When we perform vulnerability and risk assessments, a common finding is that most organizations don’t have a good inventory of applications on their networks. How can you protect what you don’t know about? How do you keep up with all the security vulnerabilities for all of these disruption technologies?
As part of our cyber security plan, we need to factor in all our inputs and outputs from the disruption technology our organizations use. This must be factored into the plan to protect the organization.
Organization Cyber Security Capabilities
I’m frequently a speaker traveling around the country and one of the topics that I discuss at every cyber security event is common cyber security concerns that the executives have. Below is a list of the common cyber security concerns.
- I don’t know what I don’t know
- I don’t know where to start
- Cyber is now a board issue
- Budget constraints
- Data theft
- Difficult to keep pace with new technology
- Security awareness
- Standards not followed
I’m finding that many organizations are having a difficult time with cyber security as they don’t have the staff or the understanding of where to start to address today’s cyber challenges. I’m finding that cyber security is even getting difficult for experienced cyber experts to keep up with, as everything is evolving too quickly. How do you hire a cyber security expert when you don’t have an experienced cyber person in your organization? It is clear that there are many challenges and each organization will have a different approach. Some organizations do a great job and have the resources they need; other organizations will need assistance from organizations with cyber security expertise.
Continuous Risk Testing – Know your risks
Once you have factored in your attack vectors, your disruption technology and your cyber security capabilities, the next step is to test your organization’s capabilities to identify, protect, detect, respond to and recover from a cyber-attack. Test your people, process and technology, identify the vulnerabilities, and build a roadmap to protect your organization. Don’t forget your partners are now an extension of your organization and should be a part of your security planning. Many organizations only focus on technology. Help your executive team understand the weaknesses and risk to your business. Know your risks and be able to communicate them to senior management.
The Solution - Next Generation Risk Management (NGRM)
Presidio’s Next Generation Risk Management (NGRM) Baseline Assessment is a good starting point to help you achieve this initiative. The NGRM baseline will assess your people, process, technology and compliance requirements and provide a gap analysis and roadmap for you to protect your organization. NGRM provides a comprehensive dashboard so you can track risks, likelihood, threats and vulnerabilities. The NGRM dashboard provides insight into your risks so you can make better business decisions to protect your organization.