Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/26/2020
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Commonsense Security: Leveraging Dialogue & Collaboration for Better Decisions

Sometimes, good old-fashioned tools can help an enterprise create a cost-effective risk management strategy.

Mitigating risks related to security threats and vulnerabilities can be a tricky business. What do you prioritize? Where's the cutoff in terms of how many tools and services you should use? What vulnerabilities might remain even after you've taken action?

There are also budget considerations, and for many organizations, a major shortage of available security skills to help address the growing number of threats. In fact, research from (ISC)² estimated a shortfall of more than 4 million cybersecurity experts worldwide, with 51% of respondents saying their organizations were at moderate to extreme risk because of the shortage.

To address these challenges effectively, we all need to take a more commonsense approach to security. Sometimes, honest dialogue and collaboration can help an enterprise create a cost-effective, real-world security posture. And sometimes, the commonsense answers are right in front of us, if only we take the time to look for them and act on them.

Let's look at a few examples of how this approach works.

Assessing the Risks
A small startup company might have a budget that only supports $1 million per year for cybersecurity tools, services, and one dedicated security employee. But the team responsible for IT acknowledges that this approach will not be sufficient, given the growing security threats facing the company.

Rather than just making do with less and hoping for the best, the team takes a proactive, collaborative approach and explains the possible risks to the company's senior leadership and board.

If the board assesses the situation and concludes that the risks are reasonable, it can approve the current strategy. Or it might say the risks are unacceptable and recommend doubling the budget and committing two staffers to security.

For example, I was on the board of a local, large business in Oregon. Company officials were debating whether to restrict the corporate website to just local web traffic in order to reduce the risk of an attack.

However, when it was pointed out that local businesses were responsible for only half of the company's overall revenue, officials agreed it did not make sense to restrict traffic. Instead, they devoted more budget to securing the company and its website.

Another example from my own company illustrates this point. We used to offer a "freemium" product, a free, limited version of our software that's great for generating leads. But we soon realized we were putting too many resources into managing this portion of the business. We also saw that the security exposure was too great and the strategy could backfire, hurting our reputation.

We decided to discontinue the version, redirecting the budget to marketing to attract enterprise customers, and ended up with much better results.

In another instance, I witnessed a CIO and CTO team face a ransomware attack. Over the course of a few hours on a Sunday, many computers used by the research and development team were compromised. All the data on these systems was encrypted as a result of the attack.

The attacker left a readme text file on a user's desktop, stating the files had been encrypted, and to decrypt, the user had to acquire a tool. That would entail sending an email including the user's personal identification, receiving a free test for decrypting a few files and then being assigned a price to recover the balance.

After receiving instructions from the attacker on how to pay for the decryption tool and then making the payment, the user would receive it. The message ended with a warning: "Do not try to do something with your files by yourself. You will [break] your data!!! Only we [can] help you!"

The good news for that particular team was that the company had a practice of separating production systems from R&D computers, and it had all its data backed up to the cloud on an hourly basis.

These two basic but strong measures allowed the IT organization to ignore the attack and recover 90% of its data from backup within less than 24 hours. And because of the practice of separating production and R&D systems, the company's production was not harmed in any way.

That's how common sense works with cybersecurity. Protecting systems and data doesn't have to be complicated or involve going through a long chain of command to get approvals. It's often a collaborative process and that involves clear explanations of the problems and how they can be solved.

Training's Role
Providing training for employees so they can recognize and handle potential threats is critical and gamifying the experience helps retention. For instance, cyber ranges allow for complex IT environments that provide hands-on experiences in real-world scenarios. Through these, learners can be challenged to handle realistic threats with exact tools. This interactive training approach has proven to be a strong proactive solution in mitigating risks. 

Better training can help organizations teach employees to avoid risks and traps, such as falling prey to phishing attempts, using unprotected external devices, and installing unsafe software.

There's never been a more important time for organizations to practice commonsense security and emphasize collaboration among stakeholders. New threats and vulnerabilities are emerging all the time, yet many companies are grappling with limited security budgets and the ongoing cybersecurity skills gap.

By being proactive about security and fostering an open, clear dialogue about threats and how to address them, companies can better protect their information assets. It's common sense.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Wendy Nather on How to Make Security 'Democratization' a Reality."

Dr. Zvi Guterman co-founded CloudShare in 2007. He previously co-founded and served as CTO at Safend, a leading endpoint security company, and performed as a chief architect in the IP infrastructure group of ECTEL, a leading provider of monitoring solutions for IP, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...