Understanding CYBER ATTACKS Before They Happen
The last several years have taught corporations across the globe that no one is immune from cyber attacks. From the smallest franchise restaurant to the largest Fortune 500 company, businesses of all sizes are actively being targeted, creating a new norm for the information security world. Nearly every new cyber security report indicates that both the volume and the variety of attacks are increasing. Among the many threat actors companies need to worry about are for-profit criminals, organized crime, hostile nation states and hacktivists. The notion that an impenetrable perimeter can be built to keep the bad guys out is fantasy. Every company will have security incidents. How bad those incidents are, and whether they turn into full-blown data breaches, depends heavily on the quality of the information security program.
Corporate networks are becoming more and more complex, and the speed at which companies need to adapt and adjust their networks in order to service employees and customers is increasing. With a tech-savvy generation of employees requesting to use their own devices, run multiple operating systems, and work when, where and how they want, the attack surface that information security needs to protect is vast.
Because of the growing complexity in networks, it is imperative that every company fully understand the threats from cyber attackers and be able to measure the risk these threats pose. Like any other business risk, such as stock market volatility or customer loyalty, security risks must be acknowledged and contained.
Do My Staff Have The Right Level Of Cyber Intel Education?
Educate your staff on the current threats facing the business and on the changing threat landscape. This includes high-level information about the volume of attacks hitting the network as well as background on what the attackers are trying to achieve. It is crucial to understand the types of attackers and their motivations, be it fun, profit, business advantage or something else. This understanding drives home the point that information security is not a “one-and-done” task: attackers and their tactics are always evolving, and so must information security teams and programs.
Are We Prepared For An Attack?
Having a good incident response plan is critical. Make sure the plan integrates not just information security, but also legal, HR and corporate communications. Conduct periodic incident response exercises, both live system drills and tabletop exercises, that test the organization’s readiness to respond to real attacks. Information security teams and executives should take part in these exercises to understand how cyber attacks and incident response unfold, their individual roles in preventing future attacks on the company, and their roles in maintaining business continuity. Capturing lessons learned from each exercise is a good way to identify gaps in the plan and to strengthen its effectiveness.
How Do We Obtain Buy-In For Our Information Security Program?
Understand the impact of various security incidents and the effect they may have on share price, profits, reputation and regulatory action. Executives armed with this information can help drive information security investment. Cyber incidents happen to almost every company on a daily basis. The vast majority are minor and localized and have little, if any, impact on business operations. Occasionally, a larger event may occur, causing some disruption. Properly staffed and equipped information security teams are what keep these small events from becoming larger events and major risks for the company. It is essential that the company’s executives understand the importance of the day-to-day activities of monitoring, detecting, blocking, analyzing and acting.
Do We Have The Right People?
It is vital that company executives have a working knowledge of the makeup and responsibilities of the information security team. Understanding the various roles, such as security operations, incident response, architecture, governance and threat intelligence, and what each covers, is key to the company’s success. These groups are composed of highly trained and specialized individuals. In some areas of the United States, hiring quality information security professionals is hard, and the only way to fill some of these gaps is to identify and hire talent wherever it may be located. This may mean altering the company’s view on remote workers.
We Are Compliant But Are We Secure?
Compliance is not security. Companies often focus on checking the box for compliance. One should understand that most of these checkboxes represent minimum standards; companies should strive to do more than what compliance requires. A well-run, well-rounded information security program focused on key controls and standards will, as a by-product, satisfy many of the compliance requirements facing today’s businesses.
How Do We Encourage Prioritizing Information Security?
All too often a company suffers a serious breach and, in the aftermath, falls victim to what is known as the “cyber security bell curve.” Before the breach, security is not given the investment it needs. Then, in the months and quarters after the breach, money and personnel flood into information security; tools are purchased and bolted onto the existing infrastructure. But after a period of calm when nothing bad happens, those expensive tools start to idle or are tossed aside, people leave and are not backfilled, and the company is left with the same broken system that led to the initial breach. A less educated company sees the breach as a singular event and expects that a massive expenditure will solve the problem. A well-educated organization knows that new tools and automation can help a solid team, but that a good foundation is the key to success.
In conclusion, getting information security right from the ground up keeps a company secure and can also add significant value by preventing and mitigating cyber attacks, particularly for service-related companies. More and more clients demand detailed information about a vendor’s security program when vetting vendors. Having a solid, professional team protecting your company, one that is supported from the basement to the boardroom, can define the difference between winning and losing a deal. Often it is the only differentiator between you and your competitors.
Deputy CISO David Dunn, Deputy CISO Aaron Kiemele, Threat Intelligence Manager Mary Fernandez, SOC 2 Program Manager Sharon Siegfried and Director of Information Security (EMEA) Jerry Palmer also contributed to this article.