As businesses and customers work to become ever more connected and digital-first, protecting their cyber assets and personal information becomes a paramount need.
Analysts estimate that by 2020, 60 percent of all enterprises will be the victims of a major cybersecurity breach. As reported by Cybersecurity Ventures, cyber attacks are the fastest growing crime globally. Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, while 70 percent of all annual cryptocurrency transactions will be for illegal activity. The “Cyber’s Most Wanted” list on the FBI website features 63 notorious people (up from 19 in 2016) who have conspired to commit the most damaging crimes against the U.S., including computer intrusions, wire fraud, identity theft, money laundering, false registration of domain names, espionage, theft of trade secrets, and other offenses. The unit chief at the FBI’s Internet Crime Complaint Center (IC3) has stated that the number of cyber crimes recorded in the agency’s reports represents only 10 to 12 percent of the total number actually committed in the U.S. each year.
A company’s communication channels are often the first port of call for an attack. Attacks are typically delivered via spam, phishing attempts or by taking advantage of out-of-date software. Because more and more businesses are shifting to the cloud, hackers are handed yet another avenue for attack.
The question becomes: how can companies put up adequate barriers to ensure they are protected against the latest and most harmful cybersecurity threats? The answers lie in the following essentials companies should consider when aiming to make UC security fit for purpose.
Continued commitment from top management
Senior managers are often focused on functions that go beyond cybersecurity. Specifically, they are oriented towards company profits, financial results and more, but typically do not have good insight into the risks that lie in a weak cybersecurity process.
Strong cybersecurity initiatives within a company require financial resources to secure infrastructure and sufficient staff to manage the overall process. Considering that senior management is often not made up of security experts, these costs are sometimes viewed as unnecessary, especially if they are not highlighted during budgeting.
All risks must be presented to the company’s senior management, along with the likely consequences if security is breached. This includes a robust assessment of the financial implications of a breach, as well as the reputational damage it will cause in the eyes of customers.
Don’t just stick to the ISO 27001 standard
Most well-known security standards or frameworks are not reactively designed and do not guarantee well-designed information security management systems. ISO 27001 is a standard whose main use is information security risk assessment, treatment and mitigation. However, the standard itself carries many risk factors. Introducing best practices without requiring any concrete technology, design or processes, and describing procedures that place too much trust in the human factor within the ISMS, means ISO 27001 can leave many open questions and gaps in a company’s cybersecurity capabilities.
Continually reviewing and optimizing the Information Security Management System
Continued maintenance and review is crucial to creating a well-oiled machine that won’t fail when it needs to perform. Companies should continually review and optimize their Information Security Management System (ISMS), which includes security policies and procedures, security change management control and review of the risk register. Companies should adjust these on a regular basis in line with current threats and vulnerabilities.
Maintain a strong and effective Configuration Management Database (CMDB)
Keeping a strong, well-maintained and effective Configuration Management Database (CMDB) is a challenge for many companies, and many fail to maintain theirs. This makes implementing security controls and procedures more difficult and time consuming, invites mistakes and opens companies up to cyber attacks.
Assign clear responsibilities and ownership for your CMDB and keep equipment up to date. The better managed it is, the easier threats are to prevent. Doing this is particularly important when upgrading infrastructure and for those in the process of modernising the workplace.
Thorough crisis and incident management
Security crises are not the exception but the rule, and any security incident is a potential crisis if not handled properly.
Incidents can be classified with different priorities depending on their potential impact. It is extremely important that the different priorities are properly described and that the employees who process them are well trained to provide a timely, correct and detailed response. Security management systems generate different types of reports, which can be used to analyze a company’s cybersecurity vulnerabilities, take remedial action and calculate the risk to the company.
A crisis indicates an unstable and dangerous situation affecting a large part of the company or the company as a whole, potentially damaging the business to a great extent and requiring immediate action. Unfortunately, many companies do not have an optimized crisis management process or proper staff training procedures in place.
Best practice dictates that everything is clearly documented, that crisis management is led by a member of the senior management team, and that teams meet regularly to update each other on actions and progress. The company may also have external partners to consult during a crisis, such as a cybersecurity specialist or a governmental organization with which to co-operate to bring the crisis under control faster, and this needs to be factored in as well.
Consider the National Institute of Standards and Technology (NIST) framework
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its voluntary framework consists of standards, guidelines and best practices for managing cybersecurity-related risk, designed for U.S. private sector organizations. The steps illustrated in the NIST framework are Identify, Protect, Detect, Respond and Recover. But positioning “Identify” as step one means the framework’s approach can be classified as a reactive-only solution. “Respond” and “Recover” also contribute to its reactive nature. Listing “Identify” at the beginning of the cycle suggests that actions are started only once there is a business impact. “Planning” is not part of this high-level structure, yet it can be a crucial step for proactive measures or for attempting to predict future issues.
Good processes should include more transparent, structured and fast-working cybersecurity systems. Planning is also crucial. Good security officers should not wait for an issue before improving security, nor confine themselves within the borders of predefined standards like ISO 27001. Instead, they need to plan daily, be able to respond to different environments, and create a cybersecurity-focused culture across their entire business. If they do that correctly, the business gives itself the best chance of defending against the next devastating cyber attack.
The convenience of globalization is clear, but its consequences are frightening and become more challenging with each passing day. Businesses must be faster than ever when it comes to developing and optimizing technologies, standards and frameworks, because cyber threats evolve extremely quickly. The subject must be prioritized, and organizations must agree on an approach designed to unite all forces in the same place.
Mariana Peycheva is Chief Security Officer at Unify, and a member of Atos Global Group Security