Stories of cyber-attacks have become routine, with cyber-attackers showing increasing levels of sophistication and damage inflicted. The race to discover new ways to exploit weaknesses in the defenses of every company’s data and IT systems does not stop, so it is absolutely key that transformational leaders are aware of the magnitude of the challenges they face and understand what is at stake.
Unless transformational leaders are relentless in responding to the threats posed by cyberattacks and put all the resources necessary to mitigate them, cyberattackers will exploit the flaws and weaknesses of the organization’s data and IT systems to hijack, distort, or simply interrupt the organization’s service. Without a doubt the damage inflicted by an attack on any company’s operational capacity will far outweigh any benefits the company has previously gained.
In this edition of the newsletter we examine the three key related factors that any successful cybersecurity program must consider: people, processes and technologies. Furthermore, we highlight that although many transformational leaders simplify the problem of cybersecurity by emphasizing the technological side of their cybersecurity strategy, i.e. by focusing their attention on firewalls, intrusion prevention systems and vulnerability scanning, the answers are more complex and should address much more than the technical components.
People
It is vital that organizations form a cybersecurity team and have a professional management framework dedicated to cybersecurity risk assessment that the team can align with at all times. This requires harnessing the leadership of the firm’s executive team to develop robust risk management processes and empower all firm personnel through ongoing training.
It is important that senior management views cybersecurity as an organization-wide issue and mobilize all employees to be accountable for risk management and oversight of cybersecurity as they would do with any other significant risk to the organization.
Establishing an information security oversight committee, chaired by the firm’s CEO or COO and involving executives from all business units of the firm, is a proven best practice in many organizations. The committee should meet regularly to review newly identified cybersecurity risks and update security policies and procedures.
The damage inflicted by an attack on any company’s operational capacity will far outweigh any benefits the company has previously gained
Once the team is formed, establishing the right links between people, processes, and security technologies is another key success factor for the organization’s cybersecurity program.
This is the time when the cybersecurity team will need to decide on the cybersecurity framework to use (e.g., NIST, ISO/IEC 27005, OCTAVE). The chosen framework should allow the team to document and assess its ability to prevent, detect, and respond to cyber-attacks, while applying good cybersecurity practices that integrate both a compliance-based approach and promote anticipation through proactive threat behavior.
The selection of the key controls to be implemented in the firm is an important step that must be decided based on the probability and impact that the threats may have, even more so considering the large number of providers that currently exist and the large number of technical controls that are available.
Processes
A cybersecurity framework establishes the model to be followed by the organization’s cybersecurity program. It contains the set of policies, rules, and procedures to be followed by the organization that guarantee that the cybersecurity measures and tools will be used consistently and effectively, and that they will be updated periodically. It also forms the basis for a cybersecurity auditor to examine the firm’s security framework and assess whether the program is achieving its objectives.
To evaluate and compare the effectiveness of the cybersecurity processes developed by the organization, the firm should develop key performance indicators (KPI) that focus, among other things, on the following indicators:
-
The probability and impact of the main threats.
-
The degree of compliance with internal and external standards.
-
The metrics from previous security incidents (i.e., the number, business impact and source of serious incidents, average incident detection/response time, etc.).
-
Cybersecurity awareness and culture indicators (i.e., clarity of rules, exemplary behavior, practicability, visibility, organizational openness, etc.).
-
The degree of progress of the key security initiatives with respect to the plans.
-
The level of current threat.
When considering a cybersecurity framework, transformational leaders should keep in mind that excessive application of security controls can also be a drag on innovation, without bringing additional benefits to organizational performance. For this reason, it is convenient to evaluate both the probability and the impact that each security threat has on the organization and thus decide which ones should be prioritized and will require an additional investment for the implementation of technical controls.
Technologies
When it comes to determining which cybersecurity technologies the firm should invest in, transformational leaders should try to optimize the elements that make up the organization’s cybersecurity program. Basic controls, such as firewalls and email filters, are essential elements that every firm should have, but there are also other essential components to consider.
-
Anti-spam/anti-virus software: It remains a vital piece of the cybersecurity puzzle in organizations, especially for blocking known malware on a large scale. However, it is no longer the only component that can be relied upon to keep the business safe from cyber threats. Organizations need to ensure their anti-spam/anti-virus software is always up to date to protect themselves from online threats.
-
Automated patch management: It is a process dedicated to automatically assessing which updates are critical (and which can be ignored) and applying them to the systems that need them, thus ensuring that risks are not increased by running older operating systems or software.
-
Perimeter security: It is about using firewalls (network devices that block certain types of network traffic) to protect the organization’s network and prevent unsolicited and insecure traffic. A good firewall must also provide visibility into any intrusion attempts and allow the firm to block access to unwanted websites and applications immediately. The firewall must also support remote access VPN networks to securely allow access to external users.
-
Data backup technologies: Data backups are the only certain guarantee against data loss. Data loss can be caused by human error, a cyber-attack, or a local disaster such as fire or flood. That is why it is important for the organization to ensure that the heart of its business (its data) is safe and sound no matter what. Once server-level and desktop-level backups are captured, the organization should periodically test them to ensure they are working properly.
-
Multi-Factor Authentication (MFA) (also known as dual-factor authentication or two-step verification): It creates an additional layer of security that forces cyber-attackers to have not only a username and password to gain access to the system, but also a token to authenticate remotely.
Once the organization has the above controls covered through foundational level technologies, there are much more advanced technologies that firms will need to invest in to counteract the cyber threats that are becoming more sophisticated and damaging. The following advanced security technologies are designed to provide greater visibility and control so the organization can successfully address today’s threat landscape.
-
DNS security, to prevent the organization’s systems from resolving and connecting to malicious domains.
-
Managed Detection and Response (MDR), for advanced threat hunting and incident response through continuous visibility.
-
Mobile Device Management (MDM), so that the organization’s control extends to mobile devices that have access to firm data.
-
Honeypots, or custom lures that simulate the organization’s data and intellectual property, including spreadsheets, documents and files, etc.
Conclusion
Traditional cybersecurity strategies and tools have become increasingly ineffective as the cyber threat landscape has continued to grow. Organizations have no other option but to continue responding to the new security needs that are emerging.
The mentality of transformational leaders will need to change from being mostly reactive to being proactive. Instead of only detecting malware and other types of threats days after they have been installed on the organization’s systems or after they have caused damage, firms will need to actively search for malware and all types of attacks lurking in cyberspace before being activated and causing damage within the organization.
Photo by Freepik