Cybersecurity ABCs

It is difficult today to avoid the headlines of the latest cyber security threats. From Equifax to Kaspersky to Target to Russian hacking, we feel the daily onslaught of cyber attacks.

A normal person on the street might think of cyber security as simply preventing people from hacking or breaking into your system. In the industry, we know it means a lot more. There are so many attack vectors in any organization that it can seem insurmountable to protect them all. However, it simply boils down to Policies (defining what to protect), People (who will provide protection), and Processes (how to protect) to mount your defense.

The first step in protecting your organization is the creation of your enterprise information asset policies. A policy document is important because it codifies how your organization values its information assets. The policy should be very broad in the areas it covers and have enough depth to address various use cases. The full list of areas is beyond this article, but suffice it to say it should not be focused solely on the obvious things like passwords and virus protection. It should cover areas such as, but not limited to, the following:

  • personnel security (hiring screening, badging, building access)
  • cryptographic standards
  • web application vulnerability assessments
  • 3rd party vendor access controls
  • mobile device standards
  • audit log review
  • intrusion detection
  • authorization standards
  • software and equipment patching standards

Ultimately, the policy will address risk management. The standards put in place at the time of writing the policies address the world as it existed at that point. Because technology and people evolve, the policy document must be modified and updated on a regular basis to continually address risk and risk acceptance. In fact, the policy document should contain a section on when and how often policies are reviewed and updated.

With an initial policy document in place, you will need people to implement the policies. Some department must have the responsibility to make the policies come alive, and it is vital to have executive buy-in. If cyber security is left to some back-room engineer whose sole job is to guard the gates of your information assets, your organization will likely become a cyber security victim. The policy document should also address implementation and education. The responsible department needs a budget not only for implementation but also for training and education, because the cyber security landscape requires professionals to be updated on an ongoing basis. Lastly, the responsible department must be given the authority to say no. If a system, process or piece of software would create a risk, this department must be able to stop the project to protect the company's information assets. Your policy document should also have a section on how to categorize risks and whether they can be overridden by higher management.

Lastly, with policies and people in place, you can focus on the processes that implement your policies. This is no small task. It will most likely take considerable time and money to put the policies in place, and it is a long road with no end point. Focus on a few initial policies and activate additional policies each month or year. The choice of what to do first will be dictated by your risk assessments: choose what you believe to be the most vulnerable areas as your first focal point.

Your policy document is a living document. Each year it will be updated as you re-assess current risks. There will most likely be failures; human failures are inevitable. However, with a risk management focus and constant process review, you should be able to minimize your exposure to cyber security lapses. The Equifax breach is a good example of human or process failure. A Common Vulnerabilities and Exposures (CVE) entry was published in March of 2017 for the software flaw that hackers later used to steal data from Equifax. It is not a stretch to assume Equifax had a comprehensive information asset policy document in place. But the failure to follow the policies and the process to patch the software produced the latest large-scale data theft.

Safeguard your organization by following the ABCs of policies, people and processes. As a starting point, you could use the NIST Cybersecurity Framework if you don't already have a policy document.