Robin Ferris, solutions architect, Pulsant, gives advice on how to stay ahead of cyber criminals who are capitalising on the power of the cloud to help them stage attacks.
There’s tremendous opportunity in the cloud. Everyone says so. And they’re right — boosting agility, improving cost savings, speeding up time to market, spurring growth… the list goes on. However, what’s not on the list is the advantage that cloud delivers to cyber criminals.
Just as organisations are reaping the benefits of cloud, cyber criminals are capitalising on its power to help them stage attacks, such as using public cloud capabilities to support a distributed denial-of-service (DDoS) attack.
But that’s not to say that cloud is unsafe, or that your data isn’t secure. As a business you just have to ensure you have the right practices and procedures in place to secure your data and systems, and effectively mitigate the risk of a cyber attack.
In addition, we’re increasingly being helped along by other technologies, like automation and machine learning, that can go a long way toward improving security and IT compliance posture.
For example, as soon as something on your IT estate falls out of compliance, such as an out-of-date patch or exposed logon credentials, you can be instantly alerted so that the situation is quickly remediated.
On a practical level, what does ‘accountability’ actually mean? For the boardroom specifically it’s about taking ownership and responsibility.
In today’s environment of massive, high-profile hacks and data breaches, cyber security is about more than getting different stakeholders in the business involved in developing and maintaining a cyber strategy.
Now it’s about the board paying more attention to the threats, the subsequent risks, and what the business (and its staff) need to do to mitigate them. Ultimately, when it comes to cyber security, it needs to be driven from the top.
This approach means there’s a better chance of getting all staff involved and engaged. While education plays a role in giving all employees a level of understanding around threats, the importance of a strategy and best practices, for board executives it’s also about leading by example.
Your staff need to know what cyber security best practices are, what they look like, and why they’re important. Most importantly, they must understand the consequences of getting them wrong. If there is no visible management support, will your employees really be motivated to comply?
Culture, collaboration and the role of the CISO
To make cyber security effective across your business you need three key elements to work together in harmony — your chief information security officer (CISO), a robust cyber culture, and ensuring cyber security forms a fundamental part of your company’s future direction and business objectives.
Your board is tasked with a number of responsibilities that influence the overall health of your business. As a result, the role that your CISO plays is vital, helping other board members maintain focus by translating the cyber threat into business issues.
In this way, the board gets a more in-depth understanding of the threats and becomes more proactive and forthcoming in assigning budget and resources when developing IT security plans.
The CISO is also the crucial link between the company and its IT, not just in ensuring that the organisation’s risk management framework is aligned to an industry-proven set of principles, but in mapping cyber threats back into the business’s overall strategy.
Collaboration between the CISO, IT, security partners, and the rest of the board is also essential to ensuring best practices are being heeded.
This ties in with creating an organisational culture that is focused on good cyber security, not just at the onboarding stage, but on a day-to-day basis too.
Tackling the threats
The threats to your cloud infrastructure are the same as those targeting your website and company network. While the media headlines are filled with breaches and attacks against global brands it helps to understand some of the specific threats:
- Human error / insider threat
People are fallible. Regardless of how good your security solutions are, your staff can still be fooled. As IT users, they click on links, open attachments and don’t change their passwords often enough. Human error is often cited as the leading cause of data breaches.
This means educating staff is vital when developing a cyber security strategy: not just covering best practices during onboarding, but providing ongoing training so that staff are aware of the threats, the risks those threats pose to overall business operations, and what they should (or shouldn’t) be doing.
- Ransomware
Cyber criminals don’t need to steal data to make money. Every business has information, systems and applications it can’t live without. As a result, these can be held for ransom, and businesses are expected to pay up in order to get access restored.
You need to look at what policies your organisation has in place to deal with the ransomware threat, whether user education forms part of them, and whether you have the right backup strategy in place to support you. Addressing these issues, and incorporating your plans into a wider cyber strategy, can help prepare your business for such an attack and deal with the fallout.
- Data breaches and hacking
Data walks out the front door. The harder it is to breach your organisation, the more likely hackers will go somewhere else. You need to understand the threat levels. One of the key issues here is that many breaches go undetected for days, weeks or months. As a result, you need to be able to know as soon as a breach has occurred so that you can mitigate the risk, close any gaps in your defences and get back to business as usual as quickly as possible.
- Outdated software / patching
This is one of the basics that you have to get right. Hackers are largely opportunistic and, once they’ve identified a vulnerability, will use it to gain access to your organisation. The solution? Patch. Patch. Patch. As an IT professional, you need to ensure you have a strategy in place to implement patches across the entire business as soon as they’re available.
- Phishing
The success of phishing relies on the human element. Cyber attackers send out mass phishing emails in the hope that someone will take the bait. This method is on the rise and is getting more and more difficult to avoid.
Phishing emails don’t always come from strangers; criminals spoof legitimate email accounts within a company and trick employees into revealing credentials or performing an action like paying an invoice. Again, education is crucial here so that staff know how to identify a phishing email and don’t fall victim to it.
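The article twice points at automated compliance checking: the alert that fires when a host has an out-of-date patch or exposed logon credentials, and the instruction to patch as soon as fixes are available. The following is an added example, not code from the article or from Pulsant, showing what such a check looks like in practice. It evaluates a constructed asset inventory against hypothetical policy thresholds (patch age limits and the expectation that credential files are readable only by their owner) and returns the alerts a monitoring system would raise.

```python
"""Compliance drift check over a constructed asset inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy thresholds; real values come from the organisation's patch SLA.
MAX_PATCH_AGE_DAYS = 30        # any host unpatched for longer drifts out of compliance
CRITICAL_PATCH_AGE_DAYS = 14   # stricter limit when critical patches are outstanding


@dataclass
class Asset:
    hostname: str
    last_patched: date                 # date the host last completed a patch cycle
    pending_critical: int = 0          # critical patches available but not yet applied
    # Constructed map of credential-file path -> Unix permission bits
    credential_files: dict = field(default_factory=dict)


@dataclass
class Alert:
    hostname: str
    severity: str   # "high" or "medium"
    control: str    # which control drifted
    detail: str


def check_patching(asset: Asset, today: date) -> list:
    """Flag hosts whose patch age exceeds the policy limit."""
    alerts = []
    age = (today - asset.last_patched).days
    if asset.pending_critical and age > CRITICAL_PATCH_AGE_DAYS:
        alerts.append(Alert(asset.hostname, "high", "patching",
            f"{asset.pending_critical} critical patch(es) pending, last patched {age} days ago"))
    elif age > MAX_PATCH_AGE_DAYS:
        alerts.append(Alert(asset.hostname, "medium", "patching",
            f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})"))
    return alerts


def check_credentials(asset: Asset) -> list:
    """A credential file readable by group or others is treated as exposed."""
    alerts = []
    for path, mode in asset.credential_files.items():
        if mode & 0o077:   # any group/other permission bit set
            alerts.append(Alert(asset.hostname, "high", "credential-exposure",
                f"{path} has mode {mode:04o}; expected 0600 or stricter"))
    return alerts


def evaluate(inventory: list, today: date) -> list:
    """Run every control over every asset; high-severity alerts come first."""
    alerts = []
    for asset in inventory:
        alerts.extend(check_patching(asset, today))
        alerts.extend(check_credentials(asset))
    return sorted(alerts, key=lambda a: (a.severity != "high", a.hostname))


# Constructed sample inventory: one compliant host, one stale host, one with both drifts.
TODAY = date(2019, 3, 1)
SAMPLE_INVENTORY = [
    Asset("web-01", TODAY - timedelta(days=3)),
    Asset("db-02", TODAY - timedelta(days=45)),
    Asset("app-03", TODAY - timedelta(days=20), pending_critical=2,
          credential_files={"/etc/app/db.conf": 0o644}),
]

if __name__ == "__main__":
    for al in evaluate(SAMPLE_INVENTORY, TODAY):
        print(f"[{al.severity.upper()}] {al.hostname}: {al.control} - {al.detail}")
```

In a real estate the inventory would be fed from the configuration management or vulnerability scanning tool rather than constructed by hand, and the alert list would go to the ticketing or paging system; the value of the approach is that the policy (the thresholds and the permission rule) is explicit and reviewable, so the board-level commitment to patching described above becomes a measurable control.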
Cyber security is an evolving discipline and should be an ongoing initiative in your organisation. While everyone in your business needs to be engaged in your process, cyber security needs to be driven from the top down and supported at all levels. In this way, you can implement best practices, educate your staff and use this integrated approach to successfully mitigate the risk of an attack.