7/26/2017 10:00 AM

10 Critical Steps to Create a Culture of Cybersecurity

Businesses are more vulnerable than they need to be. Here's what you should do about it.

Despite constant headlines about cyber attacks, organizations continue to leave their systems and data unnecessarily vulnerable. Cyber incidents result in the loss of reputation, enterprise value, and jobs, not to mention regulatory fines and civil litigation. According to Kaspersky Labs and the Ponemon Institute, 90% of businesses have experienced a cyber attack, with an average cost per breach of $3.6 million. Ponemon estimates that 27.7% of organizations surveyed will likely suffer another material breach within the next two years.  

Although eliminating all cyber incidents is impossible, a "unified governance" approach that combines security with data management and information governance (IG) can help create a business culture that promotes a strong defense. Here are 10 steps you can follow to create a culture of cybersecurity.

1. Bring everyone to the table.
Senior executive engagement is essential. Include your information technology, information security, legal, knowledge management, compliance, privacy, finance, communications, and human resources teams. A lack of participation equals a lack of investment and cooperation required to sustain the effort.

2. Avoid contributing to your own victimization.
Invest in the required technology, training, and business processes to avoid greater long-term costs related to incident response, remediation, fines, lawsuits, and losses to reputation, business, and enterprise value. Be transparent after a breach, and report it to law enforcement. Fear of the consequences causes inaction and exacerbates the harm associated with cyber incidents.

3. Eschew a compliance-only mentality.
Compliance is essential but insufficient to mitigate cyber-risk and improve incident response. Cybersecurity compliance is really about preventing victimization, not internal wrongdoing. 

4. Employ Information Governance best practices.
You cannot protect the unknown. To protect data — and successfully manage a breach — you must identify your data, its location, its value, users with access, and applicable legal obligations. Doing so enables you to ensure legal compliance, while deleting data that you don't need. "Defensible disposal" makes it easier to identify and protect what's really valuable. IG best practices have been codified in the latest Information Governance Process Maturity Model (IGPMM), developed by the Compliance, Governance and Oversight Counsel (CGOC), and the Information Governance Reference Model (IGRM) Guide. IG is a journey of continual maturation, not an all-or-nothing proposition.

5. Utilize information resources.
Plenty of resources exist for learning more about cybersecurity and improving your risk profile. You can participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, Department of Homeland Security, and state and local governments, and you can join industry groups, including ISACs and ISAOs.

6. Counter the insider threat.
Too many companies create perfunctory insider threat programs that employees sleep through or easily circumvent. Insider threats — whether intentional (for example, employees stealing sensitive information or damaging systems) or not (employees clicking on bad links or attachments) — should be a top concern for executives and an essential part of employee training. Employee training, though, doesn't ensure security. The realistic goal of training is to reduce, not eliminate, cyber-risk.

7. Manage the third-party threat.
Your company is now part of a global chain of technologically interdependent computer users. Sensitive data is constantly on the move, and any computer can be used to exploit others to which it connects. Your contracts therefore must include all rights and obligations related to handling and securing sensitive information, as well as cooperating in cyber incident response. Technology solutions can now support this.

8. Control your endpoints.
You can protect your sensitive data only if you control the devices that access it. You must be able to manage all devices that connect to your network or access sensitive data. This includes laptops; tablets; mobile, wearable, and Internet of Things devices; portable storage media; and cloud accounts. You must control the types of devices and applications used, the data accessed, and who can access what. Mobile device management solutions allow you to remotely locate, monitor, and delete sensitive data.

9. Adopt the latest security best practices.
Cybersecurity best practices (such as multifactor authentication, encryption, and network segmentation) and tools (such as antivirus, anti-spam, anti-phishing, data loss prevention, intrusion detection/prevention software) are essential. Using them without proper IG practices, though, will leave gaping vulnerabilities in place.

10. Never assume that cybersecurity incidents are over.
Assuming that a cyber incident is isolated or "over" once remediation has begun is dangerous. What was the initial attack vector? What was compromised? Have all vulnerabilities been locked down? Are the attackers still in the network? Who attacked you and why? What other attacks may have been or might be launched? How does the incident fit into your cybersecurity history and profile? Forensic investigations must be thorough, objective, and conducted under legal privilege. The investigation of external attacks should include external incident responders. Poor investigations result in greater technical, reputational, and legal harm when the next incident occurs.

Edward J. McAndrew is a partner and co-chair of the Privacy and Data Security Group at Ballard Spahr LLP. He previously served for nearly a decade as a federal cybercrime prosecutor in Washington, DC, Northern Virginia and Delaware. His work spanned every major area of ...
Comments
Christian Bryant, 7/31/2017 | 1:59:52 PM
Engage the Hacker Underground
Or at least keep a finger on its pulse. Creating a shiny steel silo and feeling confident all 10 critical steps are up-to-date and include knowledge only the hacker underground has is a risk. Somehow as an InfoSec leader you have to engage the hacker underground, whether it is through occasional hiring of consultants or the monitoring of dark web sources to see who is currently targeting you or your tech platform. You have to watch the Packet Storms out there, read the latest exploit DB entries, and know when a zero day applies to you before even your tech vendors know. While cyber laws make offensive security difficult, without some element of combatant mentality and underground knowledge, you are putting your data at risk.

ChannelSOC, 7/29/2017 | 9:41:33 AM
Cyber Security Culture
Great article! You nailed it on the hammer.

I have seen time and time again, when organizations focus on the gaps in security, processes and policy, they work toward the goal of lowering their risk and changing the culture for the better.

You cannot rely on a single user or person to do this; it starts from the top with outside help and it works itself down to everyone.

ChannelSOC.com