We hear a great deal about rising cyber threats. It seems that every day a new cyber threat arises, which leads to a great deal of activity to determine how to react to it. This is a strategic mistake. Focusing solely on cyber threats is a losing proposition, as there will always be a new cyber threat to deal with; it is technology's version of ‘whack-a-mole’. You need to stop playing cyber whack-a-mole and begin to take the offensive against the predators that infest the cyber eco-system we all inhabit.
Instead, what you need to do is identify and manage your cyber exposures so that you are not always playing catch-up. That is not to say you should ignore cyber threats; you still need to deal with the ones that are prevalent in your cyber eco-system. Rather, if you want to get ahead of cyber threats, you also need to identify and deal with your organization's cyber exposures. By ‘cyber exposures’ we mean the vulnerabilities that arise from inhabiting the cyber eco-system. You need not be doing anything exotic or leading-edge: simply using computers, smart devices, networks and the Internet places you in a cyber eco-system in which predators hunt for vulnerabilities. Realize that these vulnerabilities are not just technical; they are also rooted in human behavior, legal and compliance matters, the use of social media, the cloud and the Internet of Things (IoT).
You need to identify, as nearly as possible, all your cyber exposures. You need to know whether you have major cyber exposures so that you can begin to prioritize and address them. If you are not aware of all your cyber exposures, you will be defending your organization against the known threats while leaving major access paths into your organization open for predators to exploit. And predators are like most people: they will go for the easy prey.
To accomplish this you need to understand how to identify your cyber exposures and then how best to manage those you have found. If you do not have the current knowledge and ability to do this, you can either take our course, ‘Managing Cyber Exposures’, available on the Global Risk Academy (see the links section for the URL), or consult an outside expert.
Internet of Things (IoT)
The Internet of Things (IoT) consists of all the intelligent devices and systems that are connected to your network and, through it, to the Internet. If not secured, they can represent a wide-open door into your organization.
The problem is that many of these devices have minimal security and are installed with their default settings, which are publicly documented and therefore known to attackers. In many cases the installations occurred with no coordination with the IT or security functions, because, apart from the network connection, the devices are independent equipment paid for and used by business functions to manage their own operations. Often they needed only the approval of their own management chain, so no one else knows they are there.
Some of the places IoT devices may reside are:
• building control systems (HVAC, UPS, electrical distribution, lighting systems, elevators, or similar systems)
• process control systems (manufacturing lines, machine tools, chemical processes, ovens, and the like)
• automated warehousing/distribution systems (automated picking and conveyor systems, loading and unloading systems, and equipment such as forklifts)
• intelligent equipment or devices (such as phone systems, office copiers, fax machines, scanners, communication systems, intercoms, or like devices)
• building services, including systems that process and track maintenance requests, manage building control systems, schedule building resources, manage visitor traffic, or the like
For each IoT device found you need to inventory the specifics, including the responsible party; determine what security controls, if any, are in use (at a minimum, whether the default credentials and settings have been changed); and make sure its operation is monitored, audited and tested on a regular basis to assure safe and secure operation.
Cyber Security Culture
A key to successfully addressing the many cyber exposures your organization faces is understanding the mindset of the members of your organization – the cyber security culture. This can be done by examining attitudes towards cyber exposure, responsibilities for cyber security, and awareness of cyber threats in general. In other words, how does your organization view cyber security? Is it only a technical concern? Not a real problem? An annoyance to be circumvented? The answers to these and similar questions will go a long way towards determining the approach you should take to improve your organization's cyber defenses. If your culture treats cyber security poorly, then your organization is much more likely to experience a cyber event.
You may wish to consult experts in the field of culture management, or use our Cyber Security Culture Barometer, which is free and can provide some initial guidance; a link to it is included.
In summary: cyber security culture matters and cyber security culture can be managed.
Legal & Compliance
With the guidance and advice of a trusted legal advisor, review your cyber operations to make sure you are in compliance with all the regulations that apply to your organization. This is not a simple task, since many jurisdictions have unique regulations that may apply, and if you have a presence on the Internet you may be operating within jurisdictions without knowing it.
In addition, you need to make sure you are in compliance with supranational regulations and with industry standards that are imposed by contract rather than by law. If you process credit cards, the Payment Card Industry Data Security Standard (PCI DSS) applies. Others may apply as well, which is why you need to enlist a trusted legal advisor to determine what applies.
Cloud Services
Use of cloud services for data storage and processing is growing. The cost benefits can lead organizations to enter into agreements that do not provide the necessary security and other protections. First you need to determine whether any such agreements are in place in your organization, and then make sure they address the following.
Establish whether your organization's data will be stored only in your home jurisdiction, to resolve any jurisdictional issues in the event of a dispute with your provider, and assess the financial stability of the provider. As part of that assessment, review:
• third-party audit reports of the provider's security and privacy practices
• a copy of the provider's cyber liability insurance
• the results of the provider's internal audit reports
• a copy of the provider's Disaster Recovery/Business Continuity plan and the results of the latest comprehensive test of that plan
The following items should be addressed in any contract you agree to:
• where your transactions and data will be stored, and how you can remove them and at what cost
• how your company's transactions and data can be moved away from the provider, including the security and cost of such a move
• what security safeguards the provider will apply to your transactions and data
• what limits of liability the provider imposes on the transaction
• who will control breach incident response and who will bear the cost
• whether the provider will indemnify the organization and, if so, under what circumstances
You also need to find out whether your cloud provider:
• conducts network penetration tests of its cloud service infrastructure regularly, as prescribed by industry best practices
• can segregate and recover the transactions and data of a specific customer in the case of a failure or data loss
• sanitizes all computing resources of your transactions and data once you have ended the arrangement
• provides documentation that sets out the process and rationale for moving transactions and data from one physical location to another
• encrypts transactions and data at rest within its environment and in transit, and who holds and manages the encryption keys
• has anti-malware programs installed on all systems that support the cloud service offerings
• maintains logs for traffic monitoring and auditing, including who accessed your account, what they accessed and how long they were logged in
Privacy
There are several keys to addressing cyber exposures arising from privacy concerns. They are:
• identifying all the sensitive information that resides in, or is processed by, your cyber eco-system, along with the responsible party for that information
• making sure such sensitive information is secured, monitored and audited at all times
• making sure such sensitive information does not leave your facilities unless it is secured and a responsible party has been identified; this includes staff intelligent devices used for work purposes, the disposal of equipment, and off-site storage
Education & Communication
The key is to have a set of cyber security policies and procedures that you distribute throughout the organization. It is important to have programs in place that educate all personnel not only in these policies and procedures but also in why they exist: the rationale for needing cyber security and its importance.
This needs to apply to all levels of the organization.
This education should occur on an ongoing basis, since the cyber threats you face and the cyber exposures that exist will continue to evolve as predators create new ways to disrupt your operations, new technologies arise, and you and your business partners change your business practices and procedures.
You should also consider having an online site, accessible to all staff, that makes your cyber security policies, procedures and best practices available. You might also consider a newsletter that updates all staff on new threats, practices and other cyber security considerations.
Article by Douglas Nagan at Nagan Research Group