Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/26/2020
02:00 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Commonsense Security: Leveraging Dialogue & Collaboration for Better Decisions

Sometimes, good old-fashioned tools can help an enterprise create a cost-effective risk management strategy.

Mitigating risks related to security threats and vulnerabilities can be a tricky business. What do you prioritize? Where's the cutoff in terms of how many tools and services you should use? What vulnerabilities might remain even after you've taken action?

There are also budget considerations, and for many organizations, a major shortage of available security skills to help address the growing number of threats. In fact, research from (ISC)² estimated a shortfall of more than 4 million cybersecurity experts worldwide, with 51% of respondents saying their organizations were at moderate to extreme risk because of the shortage.

To address these challenges effectively, we all need to take a more commonsense approach to security. Sometimes, honest dialogue and collaboration can help an enterprise create a cost-effective, real-world security posture. And sometimes, the commonsense answers are right in front of us, if only we take the time to look for them and act on them.

Let's look at a few examples of how this approach works.

Assessing the Risks
A small startup company might have a budget that only supports $1 million per year for cybersecurity tools, services, and one dedicated security employee. But the team responsible for IT acknowledges that this approach will not be sufficient, given the growing security threats facing the company.

Rather than just making do with less and hoping for the best, the team takes a proactive, collaborative approach and explains the possible risks to the company's senior leadership and board.

If the board assesses the situation and concludes that the risks are reasonable, it can approve the current strategy. Or it might say the risks are unacceptable and recommend doubling the budget and committing two staffers to security.

For example, I was on the board of a local, large business in Oregon. Company officials were debating whether to restrict the corporate website to just local web traffic in order to reduce the risk of an attack.

However, when it was pointed out that local businesses were responsible for only half of the company's overall revenue, officials agreed it did not make sense to restrict traffic. Instead, they devoted more budget to securing the company and its website.

Another example from my own company illustrates this point. We used to offer a "freemium" product, a free, limited version of our software that's great for generating leads. But we soon realized we were putting too many resources into managing this portion of the business. We also saw that the security exposure was too great and the strategy could backfire, hurting our reputation.

We decided to discontinue the version, redirecting the budget to marketing to attract enterprise customers, and ended up with much better results.

In another instance, I witnessed a CIO and CTO team face a ransomware attack. Over the course of a few hours on a Sunday, many computers used by the research and development team were compromised. All the data on these systems was encrypted as a result of the attack.

The attacker left a readme text file on a user's desktop, stating the files had been encrypted, and to decrypt, the user had to acquire a tool. That would entail sending an email including the user's personal identification, receiving a free test for decrypting a few files and then being assigned a price to recover the balance.

After receiving instructions from the attacker on how to pay for the decryption tool and then making the payment, the user would receive it. The message ended with a warning: "Do not try to do something with your files by yourself. You will [break] your data!!! Only we [can] help you!"

The good news for that particular team was that the company had a practice of separating production systems from R&D computers, and it had all its data backed up to the cloud on an hourly basis.

These two basic but strong measures allowed the IT organization to ignore the attack and recover 90% of its data from backup within less than 24 hours. And because of the practice of separating production and R&D systems, the company's production was not harmed in any way.

That's how common sense works with cybersecurity. Protecting systems and data doesn't have to be complicated or involve going through a long chain of command to get approvals. It's often a collaborative process and that involves clear explanations of the problems and how they can be solved.

Training's Role
Providing training for employees so they can recognize and handle potential threats is critical and gamifying the experience helps retention. For instance, cyber ranges allow for complex IT environments that provide hands-on experiences in real-world scenarios. Through these, learners can be challenged to handle realistic threats with exact tools. This interactive training approach has proven to be a strong proactive solution in mitigating risks. 

Better training can help organizations teach employees to avoid risks and traps, such as falling prey to phishing attempts, using unprotected external devices, and installing unsafe software.

There's never been a more important time for organizations to practice commonsense security and emphasize collaboration among stakeholders. New threats and vulnerabilities are emerging all the time, yet many companies are grappling with limited security budgets and the ongoing cybersecurity skills gap.

By being proactive about security and fostering an open, clear dialogue about threats and how to address them, companies can better protect their information assets. It's common sense.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Wendy Nather on How to Make Security 'Democratization' a Reality."

Dr. Zvi Guterman co-founded CloudShare in 2007. He previously co-founded and served as CTO at Safend, a leading endpoint security company, and performed as a chief architect in the IP infrastructure group of ECTEL, a leading provider of monitoring solutions for IP, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.