Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/26/2017
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

10 Critical Steps to Create a Culture of Cybersecurity

Businesses are more vulnerable than they need to be. Here's what you should do about it.

Despite constant headlines about cyber attacks, organizations continue to leave their systems and data unnecessarily vulnerable. Cyber incidents result in the loss of reputation, enterprise value, and jobs, not to mention regulatory fines and civil litigation. According to Kaspersky Labs and the Ponemon Institute, 90% of businesses have experienced a cyber attack, with an average cost per breach of $3.6 million. Ponemon estimates that 27.7% of organizations surveyed will likely suffer another material breach within the next two years.  

Although eliminating all cyber incidents is impossible, a "unified governance" approach that combines security with data management and information governance (IG) can help create a business culture that promotes a strong defense. Here are 10 steps you can follow to create a culture of cybersecurity.

1. Bring everyone to the table.
Senior executive engagement is essential. Include your information technology, information security, legal, knowledge management, compliance, privacy, finance, communications, and human resources teams. A lack of participation equals a lack of investment and cooperation required to sustain the effort.

2. Avoid contributing to your own victimization.
Invest in the required technology, training, and business processes to avoid greater long-term costs related to incident response, remediation, fines, lawsuits, and losses to reputation, business, and enterprise value. Be transparent after a breach, and report it to law enforcement. Fear of the consequences causes inaction and exacerbates the harm associated with cyber incidents.

3. Eschew a compliance-only mentality.
Compliance is essential but insufficient to mitigate cyber-risk and improve incident response. Cybersecurity compliance is really about preventing victimization, not internal wrongdoing. 

4. Employ Information Governance best practices.
You cannot protect the unknown. To protect data — and successfully manage a breach — you must identify your data, its location, its value, users with access, and applicable legal obligations. Doing so enables you to ensure legal compliance, while deleting data that you don't need. "Defensible disposal" makes it easier to identify and protect what's really valuable. IG best practices have been codified in the latest Information Governance Process Maturity Model (IGPMM), developed by the Compliance, Governance and Oversight Counsel (CGOC), and the Information Governance Reference Model (IGRM) Guide. IG is a journey of continual maturation, not an all-or-nothing proposition.

5. Utilize information resources.
Plenty of resources exist for learning more about cybersecurity and improving your risk profile. You can participate in cyber outreach and information sharing programs sponsored by the FBI, U.S. Secret Service, Department of Homeland Security, and state and local governments, and you can join industry groups, including ISACs and ISAOs

6. Counter the insider threat.
Too many companies create perfunctory insider threat programs that employees sleep through or easily circumvent. Insider threats — whether intentional (for example, employees stealing sensitive information or damaging systems) or not (employees clicking on bad links or attachments)— should be a top concern for executives and an essential part of employee training. Employee training, though, doesn't ensure security. The realistic goal of training is to reduce, not eliminate, cyber-risk. 

7. Manage the third-party threat.
Your company is now part of a global chain of technologically interdependent computer users. Sensitive data is constantly on the move, and any computer can be used to exploit others to which it connects. Your contracts therefore must include all rights and obligations related to handling and securing sensitive information, as well as cooperating in cyber incident response. Technology solutions can now support this.

8. Control your endpoints.
You can protect your sensitive data only if you control the devices that access it. You must be able to manage all devices that connect to your network or access sensitive data. This includes laptops; tablets; mobile, wearable, and Internet of Things devices; portable storage media; and cloud accounts. You must control the types of devices and applications used, the data accessed, and who can access what. Mobile device management solutions allow you to remotely locate, monitor, and delete sensitive data.

9. Adopt the latest security best practices.
Cybersecurity best practices (such as multifactor authentication, encryption, and network segmentation) and tools (such as antivirus, anti-spam, anti-phishing, data loss prevention, intrusion detection/prevention software) are essential. Using them without proper IG practices, though, will leave gaping vulnerabilities in place.

10. Never assume that cybersecurity incidents are over.
Assuming that a cyber incident is isolated or "over" once remediation has begun is dangerous. What was the initial attack vector? What was compromised? Have all vulnerabilities been locked down? Are the attackers still in the network? Who attacked you and why? What other attacks may have been or might be launched? How does the incident fit into your cybersecurity history and profile? Forensic investigations must be thorough, objective, and conducted under legal privilege. The investigation of external attacks should include external incident responders. Poor investigations result in greater technical, reputational, and legal harm when the next incident occurs.

Related Content:

Edward J. McAndrew is a partner and co-chair of the Privacy and Data Security Group at Ballard Spahr LLP. He previously served for nearly a decade as a federal cybercrime prosecutor in Washington, DC, Northern Virginia and Delaware. His work spanned every major area of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 1:59:52 PM
Engage the Hacker Underground
Or at least keep a finger on its pulse.  Creating a shiny steel silo and feeling confident all 10 critical steps are up-to-date and include knowledge only the hacker underground has is a risk.  Somehow as an InfoSec leader you have to engage the hacker underground, whether it is through occasional hiring of consultants or the monitoring of darkweb sources to see who is currently targeting you or your tech platform.  You have to watch the Packet Storms out there, read the latest exploit DB entries, and know when a zero day applies to you before even your tech vendors know.  While cyber laws make offensive security difficult, without some element of combatant mentality and underground knowledge, you are putting your data at risk.

  
ChannelSOC
100%
0%
ChannelSOC,
User Rank: Apprentice
7/29/2017 | 9:41:33 AM
Cyber Security Culture
Great artible!  You nailed in on the hammer.

I have seen time and time again, when organizations focus on the gaps in security, processes and  policy, they work toward the goal of lowering their risk and changing the culture for the better.

You cannot rely on a single user or person to do this, it starts from the top with outside help and it works itself down to the everyone.

ChannelSOC.com
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0488
PUBLISHED: 2021-04-15
In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-178754781
CVE-2021-27129
PUBLISHED: 2021-04-15
CASAP Automated Enrollment System version 1.0 contains a cross-site scripting (XSS) vulnerability through the Students > Edit > ROUTE parameter.
CVE-2021-27544
PUBLISHED: 2021-04-15
Cross Site Scripting (XSS) in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "sername" parameter.
CVE-2021-27545
PUBLISHED: 2021-04-15
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.
CVE-2020-7270
PUBLISHED: 2021-04-15
Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense (ATD) prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploye...