7/26/2017 10:00 AM
10 Critical Steps to Create a Culture of Cybersecurity

Businesses are more vulnerable than they need to be. Here's what you should do about it.

Despite constant headlines about cyber attacks, organizations continue to leave their systems and data unnecessarily vulnerable. Cyber incidents result in the loss of reputation, enterprise value, and jobs, not to mention regulatory fines and civil litigation. According to Kaspersky Lab and the Ponemon Institute, 90% of businesses have experienced a cyber attack, with an average cost per breach of $3.6 million. Ponemon estimates that 27.7% of organizations surveyed will likely suffer another material breach within the next two years.

Although eliminating all cyber incidents is impossible, a "unified governance" approach that combines security with data management and information governance (IG) can help create a business culture that promotes a strong defense. Here are 10 steps you can follow to create a culture of cybersecurity.

1. Bring everyone to the table.
Senior executive engagement is essential. Include your information technology, information security, legal, knowledge management, compliance, privacy, finance, communications, and human resources teams. Without broad participation, you will lack the investment and cooperation required to sustain the effort.

2. Avoid contributing to your own victimization.
Invest in the required technology, training, and business processes to avoid greater long-term costs related to incident response, remediation, fines, lawsuits, and losses to reputation, business, and enterprise value. Be transparent after a breach, and report it to law enforcement. Fear of the consequences causes inaction and exacerbates the harm associated with cyber incidents.

3. Eschew a compliance-only mentality.
Compliance is essential but insufficient to mitigate cyber-risk and improve incident response. Cybersecurity compliance is really about preventing victimization, not internal wrongdoing.

4. Employ Information Governance best practices.
You cannot protect the unknown. To protect data — and successfully manage a breach — you must identify your data, its location, its value, the users with access to it, and the applicable legal obligations. Doing so enables you to ensure legal compliance while deleting data that you don't need. "Defensible disposal" makes it easier to identify and protect what's really valuable. IG best practices have been codified in the latest Information Governance Process Maturity Model (IGPMM), developed by the Compliance, Governance and Oversight Council (CGOC), and the Information Governance Reference Model (IGRM) Guide. IG is a journey of continual maturation, not an all-or-nothing proposition.

5. Utilize information resources.
Plenty of resources exist for learning more about cybersecurity and improving your risk profile. You can participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, Department of Homeland Security, and state and local governments, and you can join industry groups, including ISACs and ISAOs.

6. Counter the insider threat.
Too many companies create perfunctory insider threat programs that employees sleep through or easily circumvent. Insider threats — whether intentional (for example, employees stealing sensitive information or damaging systems) or not (employees clicking on bad links or attachments) — should be a top concern for executives and an essential part of employee training. Employee training, though, doesn't ensure security. The realistic goal of training is to reduce, not eliminate, cyber-risk.

7. Manage the third-party threat.
Your company is now part of a global chain of technologically interdependent computer users. Sensitive data is constantly on the move, and any computer can be used to exploit others to which it connects. Your contracts therefore must include all rights and obligations related to handling and securing sensitive information, as well as cooperating in cyber incident response. Technology solutions can now support this.

8. Control your endpoints.
You can protect your sensitive data only if you control the devices that access it. You must be able to manage all devices that connect to your network or access sensitive data. This includes laptops; tablets; mobile, wearable, and Internet of Things devices; portable storage media; and cloud accounts. You must control the types of devices and applications used, the data accessed, and who can access what. Mobile device management solutions allow you to remotely locate, monitor, and delete sensitive data.

9. Adopt the latest security best practices.
Cybersecurity best practices (such as multifactor authentication, encryption, and network segmentation) and tools (such as antivirus, anti-spam, anti-phishing, data loss prevention, intrusion detection/prevention software) are essential. Using them without proper IG practices, though, will leave gaping vulnerabilities in place.

10. Never assume that cybersecurity incidents are over.
Assuming that a cyber incident is isolated or "over" once remediation has begun is dangerous. What was the initial attack vector? What was compromised? Have all vulnerabilities been locked down? Are the attackers still in the network? Who attacked you and why? What other attacks may have been or might be launched? How does the incident fit into your cybersecurity history and profile? Forensic investigations must be thorough, objective, and conducted under legal privilege. The investigation of external attacks should include external incident responders. Poor investigations result in greater technical, reputational, and legal harm when the next incident occurs.

Edward J. McAndrew is a partner and co-chair of the Privacy and Data Security Group at Ballard Spahr LLP. He previously served for nearly a decade as a federal cybercrime prosecutor in Washington, DC, Northern Virginia and Delaware. His work spanned every major area of ...

Comments
No SOPA, User Rank: Ninja, 7/31/2017 | 1:59:52 PM
Engage the Hacker Underground
Or at least keep a finger on its pulse. Creating a shiny steel silo and feeling confident all 10 critical steps are up-to-date and include knowledge only the hacker underground has is a risk. Somehow as an InfoSec leader you have to engage the hacker underground, whether it is through occasional hiring of consultants or the monitoring of darkweb sources to see who is currently targeting you or your tech platform. You have to watch the Packet Storms out there, read the latest exploit DB entries, and know when a zero day applies to you before even your tech vendors know. While cyber laws make offensive security difficult, without some element of combatant mentality and underground knowledge, you are putting your data at risk.

ChannelSOC, User Rank: Apprentice, 7/29/2017 | 9:41:33 AM
Cyber Security Culture
Great article! You nailed in on the hammer.

I have seen time and time again, when organizations focus on the gaps in security, processes and policy, they work toward the goal of lowering their risk and changing the culture for the better.

You cannot rely on a single user or person to do this; it starts from the top with outside help and it works itself down to everyone.

ChannelSOC.com