There is no clear approach to cybersecurity. Learn some common mistakes and how to get on the right path.
Cybersecurity is becoming increasingly important because more and more attacks are taking place, which causes organizations to look for solutions. How can you protect your company against attacks and the resulting financial losses?
I discussed the subject with Alex Manea, head of security and privacy at Georgian Partners, a software solutions provider.
Scott Matteson: What mistakes do cybersecurity companies make?
Alex Manea: One of the worst things you can do is try to stop every attack, but that’s a fairly typical mistake.
It is crucial to understand that perfect cybersecurity is a goal that you should always strive for, but that you will never achieve. Make sure you understand your organizational limitations – whether they are technological, budgetary, or even political – and try to minimize the risk with the resources you get. See cybersecurity as a game of economic optimization.
On the other hand, you don’t want to make the mistake of ‘locking the door and leaving the window open’. Don’t spend the majority of your cybersecurity resources on tackling a single area or deploying a specific technology.
When dealing with security risks, consider the seriousness and the likelihood. Although you hear a lot about high-profile cyber attacks such as Stuxnet – complex, multi-layer attacks by elite hackers working for national entities – most cyber offenses are commonplace. In fact, you are much more likely to be hit by something like WannaCry, a relatively simple piece of ransomware that caused $4 billion in damage. It used a well-known Windows vulnerability that Microsoft had patched months before, but that many companies had not yet implemented.
Start by sitting with your team and asking if they have a holistic, end-to-end threat model of your company. Encourage them to think about it from the perspective of a hacker: what would they want to achieve and what is the easiest way to achieve it? Once you have identified your crown jewels and the path of least resistance, you focus on adding economically efficient obstacles to that path.
Many companies also overlook the need to apply penetration testing to their own environment to see how hackable they are. If you do not have the necessary resources internally, hire professional penetration testers. They search for unpatched software vulnerabilities, test your firewall settings, try to install malware on your endpoints, perform SQL injection attacks on your web properties, and use targeted phishing campaigns to get into your network. Test your cybersecurity at least once a year and take the necessary steps to prioritize and resolve the identified vulnerabilities.
Finally, do not kick the can when it comes to implementing security in your product or service. It must be “baked in” throughout the entire process.
If you have not yet set up a good cybersecurity architecture to oversee this, there is a good chance that you will be violated. The best defense is to think about cybersecurity as early as possible. That includes setting up a security policy, establishing incident response mechanisms, and most importantly, assigning responsibility to a specific employee or team of employees. Keep in mind that if everyone is in charge of cybersecurity, in fact, nobody is in charge.
Cyber attacks are becoming increasingly sophisticated with the potential to do more damage in an increasingly complex digital world. The good news is that it is never too late to correct an error.
Scott Matteson: What do companies do well?
Alex Manea: There is much to say to get started, and many have done that. The longer companies postpone investments in cybersecurity, the harder it becomes when they are inevitably forced to tackle the problem. The constant flow of high-profile data breaches is rapidly changing cybersecurity from a must-have to a must-have.
To do this yourself, you start by building a threat model. Think like a hacker: where would you start if you want access to the most valuable assets in the company? Follow the path of least resistance and place effective obstacles to make it harder to walk. You can never make sure you don’t get hacked, but you can make it hard enough that most hackers just move on to easier goals.
Once this has happened, you must ensure that cybersecurity is not an unambiguous task. Keep the conversation going by regularly discussing cybersecurity and potential risks.
Scott Matteson: How should companies train their employees?
Alex Manea: The most effective way to change the behavior of your employees is through action, responsibility, and cultural change. The most important message to convey is that you take security as a company seriously and that everyone is responsible for it. Ensure that your actions, processes, and systems support and reinforce this message; most employees detect and respond very quickly to perceived hypocrisy.
To anchor safety in your culture, you must always make it available. You can do this by including it as an agenda item at every important meeting and by making employees responsible for the security implications of their decisions. Recognize and reward good practice and assess security thinking in business strategy, culture, recruitment, and promotion.
Scott Matteson: Which systems or processes should they implement?
Alex Manea: Start by following the fundamental principles of least privilege, decentralization, and redundancy.
- Least privilege means never giving access to more resources than necessary to complete the task. This applies to software, but also to people-based systems, such as providing physical access to an office building after hours.
- Decentralization applies to both human processes and software architectures. When two people have to approve a financial process or add a user to a software system, a human process is decentralized.
- Finally, use services that have built-in redundancy. This means that multiple instances of your environment are made available to reduce the chance that an attacker can completely disrupt your services.
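The first two principles above can be enforced in code rather than left as policy. The following is an added illustration, not code from the interview or from Georgian Partners: a minimal authorization check in which each role holds only the permissions its task needs (least privilege), and a sensitive action such as adding a user is refused unless a different, authorized person approves it (decentralization, often called dual control). The role names, permission names, users and the `add_user` action are constructed for the example.

```python
"""Least privilege and dual control as enforceable authorization checks.

Added illustration; roles, permissions, users and actions are constructed.
"""
from dataclasses import dataclass, field

# Least privilege: each role receives only the permissions its task requires.
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password"},
    "admin": {"reset_password", "add_user", "approve_add_user"},
    "auditor": {"read_audit_log"},
}

# Dual control: actions that must never be completed by a single person,
# mapped to the permission a second, distinct approver must hold.
DUAL_CONTROL = {"add_user": "approve_add_user"}


@dataclass
class Request:
    action: str
    requested_by: str
    approved_by: set = field(default_factory=set)


def has_permission(role, permission: str) -> bool:
    """True if the role exists and includes the permission."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def authorize(request: Request, roles: dict) -> tuple:
    """Decide a request. `roles` maps user name -> role name.

    Returns (allowed, reason). The requester must hold the action permission;
    dual-control actions additionally need approval from a different user
    who holds the matching approval permission. Self-approval is rejected.
    """
    requester_role = roles.get(request.requested_by)
    if not has_permission(requester_role, request.action):
        return False, f"{request.requested_by} lacks '{request.action}'"

    needed = DUAL_CONTROL.get(request.action)
    if needed is None:
        return True, "single-party action"

    approvers = sorted(
        user for user in request.approved_by
        if user != request.requested_by and has_permission(roles.get(user), needed)
    )
    if not approvers:
        return False, "requires approval by a different authorized person"
    return True, f"approved by {approvers[0]}"


if __name__ == "__main__":
    roles = {"alice": "admin", "bob": "admin", "carol": "helpdesk"}
    for req in (
        Request("reset_password", "carol"),
        Request("add_user", "carol"),
        Request("add_user", "alice"),
        Request("add_user", "alice", {"alice"}),
        Request("add_user", "alice", {"carol"}),
        Request("add_user", "alice", {"bob"}),
    ):
        print(req.action, req.requested_by, sorted(req.approved_by), "->", authorize(req, roles))
```

The approval set is filtered by both identity and permission, so neither an administrator approving their own request nor a help-desk user without approval rights satisfies the check; only a second administrator does.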
When things inevitably go wrong, learn from each incident by investigating and uncovering the cause. Finally, draw up a remediation plan and practice with it so that you can recover quickly.
Scott Matteson: Should there be some form of criminalization for ignoring cybersecurity rules?
Alex Manea: As much as governments and regulators try to control cybersecurity, the ultimate judge, jury, and executioner are the hackers themselves. The reputation damage of a serious breach can be a big blow to a growing company and will be used by competitors to cast doubt on your ability to process sensitive data for years to come.
Remember that decisions about cybersecurity have long-term, latent effects. The reason that we see so many large-scale data breaches today is because of decisions made five, ten or even twenty years ago. That means that the decisions you make today will ultimately determine how safe you are in the future.
Scott Matteson: How should IT and security departments try to automate cybersecurity?
Alex Manea: One of the most effective ways to automate cybersecurity is to implement a Security Orchestration, Automation and Response (SOAR) product. This new market segment has emerged in recent years to solve a problem that almost every Security Operations Center (SOC) faces: how to deal with the overloading of signals from different security solutions and understanding the entire life cycle of security incidents. An effective SOAR platform can help you manage your security activities end-to-end, automate the most common tasks and give you full insight into your environment.
Scott Matteson: What is the ROI on cybersecurity solutions?
Alex Manea: Most people think of ROI about cybersecurity in terms of reducing the risks of cyber-attacks and large-scale data breaches, but that is just the tip of the iceberg. The real ROI comes from building a strong, trusted brand with your customers, giving you a measurable competitive advantage and improving customer acquisition and retention.
Cybersecurity is only part of the trust puzzle. Start with good accountability in your organization, build a strong cybersecurity architecture, protect the privacy of customers, ensure fair trading practices, build a reliable system and be as transparent as possible. At Georgian Partners, we believe that companies that differentiate on the basis of trust will outperform their competitors in the long run, and we invest our money in this fundamental proposition.
Thanks to our source TechRepublic for this information.