Vulnerabilities / Threats
7/26/2017
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

10 Critical Steps to Create a Culture of Cybersecurity

Businesses are more vulnerable than they need to be. Here's what you should do about it.

Despite constant headlines about cyber attacks, organizations continue to leave their systems and data unnecessarily vulnerable. Cyber incidents result in the loss of reputation, enterprise value, and jobs, not to mention regulatory fines and civil litigation. According to Kaspersky Labs and the Ponemon Institute, 90% of businesses have experienced a cyber attack, with an average cost per breach of $3.6 million. Ponemon estimates that 27.7% of organizations surveyed will likely suffer another material breach within the next two years.  

Although eliminating all cyber incidents is impossible, a "unified governance" approach that combines security with data management and information governance (IG) can help create a business culture that promotes a strong defense. Here are 10 steps you can follow to create a culture of cybersecurity.

1. Bring everyone to the table.
Senior executive engagement is essential. Include your information technology, information security, legal, knowledge management, compliance, privacy, finance, communications, and human resources teams. A lack of participation equals a lack of investment and cooperation required to sustain the effort.

2. Avoid contributing to your own victimization.
Invest in the required technology, training, and business processes to avoid greater long-term costs related to incident response, remediation, fines, lawsuits, and losses to reputation, business, and enterprise value. Be transparent after a breach, and report it to law enforcement. Fear of the consequences causes inaction and exacerbates the harm associated with cyber incidents.

3. Eschew a compliance-only mentality.
Compliance is essential but insufficient to mitigate cyber-risk and improve incident response. Cybersecurity compliance is really about preventing victimization, not internal wrongdoing. 

4. Employ Information Governance best practices.
You cannot protect the unknown. To protect data — and successfully manage a breach — you must identify your data, its location, its value, users with access, and applicable legal obligations. Doing so enables you to ensure legal compliance, while deleting data that you don't need. "Defensible disposal" makes it easier to identify and protect what's really valuable. IG best practices have been codified in the latest Information Governance Process Maturity Model (IGPMM), developed by the Compliance, Governance and Oversight Counsel (CGOC), and the Information Governance Reference Model (IGRM) Guide. IG is a journey of continual maturation, not an all-or-nothing proposition.

5. Utilize information resources.
Plenty of resources exist for learning more about cybersecurity and improving your risk profile. You can participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, Department of Homeland Security, and state and local governments, and you can join industry groups, including ISACs and ISAOs

6. Counter the insider threat.
Too many companies create perfunctory insider threat programs that employees sleep through or easily circumvent. Insider threats — whether intentional (for example, employees stealing sensitive information or damaging systems) or not (employees clicking on bad links or attachments)— should be a top concern for executives and an essential part of employee training. Employee training, though, doesn't ensure security. The realistic goal of training is to reduce, not eliminate, cyber-risk. 

7. Manage the third-party threat.
Your company is now part of a global chain of technologically interdependent computer users. Sensitive data is constantly on the move, and any computer can be used to exploit others to which it connects. Your contracts therefore must include all rights and obligations related to handling and securing sensitive information, as well as cooperating in cyber incident response. Technology solutions can now support this.

8. Control your endpoints.
You can protect your sensitive data only if you control the devices that access it. You must be able to manage all devices that connect to your network or access sensitive data. This includes laptops; tablets; mobile, wearable, and Internet of Things devices; portable storage media; and cloud accounts. You must control the types of devices and applications used, the data accessed, and who can access what. Mobile device management solutions allow you to remotely locate, monitor, and delete sensitive data.

9. Adopt the latest security best practices.
Cybersecurity best practices (such as multifactor authentication, encryption, and network segmentation) and tools (such as antivirus, anti-spam, anti-phishing, data loss prevention, intrusion detection/prevention software) are essential. Using them without proper IG practices, though, will leave gaping vulnerabilities in place.

10. Never assume that cybersecurity incidents are over.
Assuming that a cyber incident is isolated or "over" once remediation has begun is dangerous. What was the initial attack vector? What was compromised? Have all vulnerabilities been locked down? Are the attackers still in the network? Who attacked you and why? What other attacks may have been or might be launched? How does the incident fit into your cybersecurity history and profile? Forensic investigations must be thorough, objective, and conducted under legal privilege. The investigation of external attacks should include external incident responders. Poor investigations result in greater technical, reputational, and legal harm when the next incident occurs.

Related Content:

Edward J. McAndrew is a partner and co-chair of the Privacy and Data Security Group at Ballard Spahr LLP. He previously served for nearly a decade as a federal cybercrime prosecutor in Washington, DC, Northern Virginia and Delaware. His work spanned every major area of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
7/31/2017 | 1:59:52 PM
Engage the Hacker Underground
Or at least keep a finger on its pulse.  Creating a shiny steel silo and feeling confident all 10 critical steps are up-to-date and include knowledge only the hacker underground has is a risk.  Somehow as an InfoSec leader you have to engage the hacker underground, whether it is through occasional hiring of consultants or the monitoring of darkweb sources to see who is currently targeting you or your tech platform.  You have to watch the Packet Storms out there, read the latest exploit DB entries, and know when a zero day applies to you before even your tech vendors know.  While cyber laws make offensive security difficult, without some element of combatant mentality and underground knowledge, you are putting your data at risk.

  
ChannelSOC
100%
0%
ChannelSOC,
User Rank: Apprentice
7/29/2017 | 9:41:33 AM
Cyber Security Culture
Great artible!  You nailed in on the hammer.

I have seen time and time again, when organizations focus on the gaps in security, processes and  policy, they work toward the goal of lowering their risk and changing the culture for the better.

You cannot rely on a single user or person to do this, it starts from the top with outside help and it works itself down to the everyone.

ChannelSOC.com
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.