News of data breaches and brand-new cybersecurity dangers on a global scale dominated 2017. The hacks of Equifax and Verizon private accounts and ransomware attacks like WannaCry took headlines once the sole purview of wars and natural disasters.
Organizations now have to view the Internet as a universe of commercial opportunity and as a domain fraught with threat. Corporate boards and the owners of Small and Medium-sized Enterprises (SMEs) have to mobilize their resources to defend against a constant barrage of invasions from cybercriminals.
Four critical areas organizations with more than a few dozen staff need to address to adequately protect themselves include:
- Policies – the evolving state and national regulatory framework for enterprise IT security;
- People – the executives, staff and IT personnel responsible for securing sensitive data;
- Processes – the internal guidelines and controls the business follows to meet regulatory requirements
- Technology – the combination of hardware, software and protocols intended to protect an organization from malicious intent.
Both houses of Congress and both major political parties agree on the urgency of the cyber threat by nation-states and organized crime. Though they were able to pass a data sharing bill in 2015, efforts to create a unified cyber security federal mandate have stalled since then. Read more about Federal efforts at an overarching cybersecurity policy here.
The vacuum that federal inactivity on the topic has left the states to act. Half of state governments have enacted laws that define behaviors and punitive measures to protect data and networks. One of the most dramatic local moves came in New York State.
In 2016, the New York State Department of Financial Services (DFS) issued a draft of what it called a ‘first-in-the-nation cybersecurity regulation’ for New York regulated financial services. The regulation came into effect in March 2017. A telling aspect of the policy is how Boards Of Directors are accountable for ensuring the security of their IT infrastructure. Another feature is the active role the government agency is taking in policing an organization’s data protection measures. Read more about the State regulation on here.
Organizations need to stay informed about new cybersecurity regulatory measures. They should also be proactive in implementing protections to reduce the risk of intrusion into IT networks. Federal and state legislators are moving toward putting the jobs and reputations at stake for Board members and executive staff who are in leadership positions when criminals steal data from organizations.
Successful cybersecurity stewardship, however, depends on the people in the enterprise.
Organizations need to consider three groups of stakeholders related to ensuring the enterprise meets its responsibility for the integrity of its data:
- Technical resources
- General Staff
One of the most significant regulations to come into force in the DFS model involves a C-level role devoted to cybersecurity that reports directly to the Board Of Directors. A 2013 Ernst & Young report indicated that only 35 percent of organizations have their information security officers report to the board or top governing structure on a quarterly basis.
DFS’s guidelines specify that “covered entities” should designate a “certified person” referred to as a Chief Information Security Officer (CISO). The directive implies that Boards Of Directors will not be able to plead ignorance in the case of hacks of enterprise IT systems. The regulation echoes the intent of the European Union’s implementation of the General Data Policy Regulation (GDPR) to hold a company’s leadership responsible for network compromises.
One of the greatest challenges facing modern organizations is finding and retaining qualified cybersecurity staff. IT market analysts estimate that by 2021 3.5 million job openings in cybersecurity will go unfilled. The Enterprise Strategy Group found in 2017 that 45 percent of organizations were chronically short of cybersecurity professionals. This will be an ongoing issue that is affecting every sector and wired country for the foreseeable future.
One of the most intriguing findings from IBM’s “2014 Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error. The report also cited that 59 percent of respondents agree that most IT security threats that directly result from insiders are the result of innocent mistakes, not the malicious abuse of privileges.
A “2013 Data Breach Investigations Report” by Verizon saw 95 percent of advanced and targeted attacks involving spear-phishing scams. Users clicked on links in emails that contained malicious attachments that downloaded malware onto computing devices.
Organizations can control this channel of exploitation through employee education. Staff needs to be made aware of the threats the enterprise faces and the part they are expected to play in guarding against them. Companies need to frequently educate employees about identifying suspicious communications and new possible risks.
Verizon’s 2014 report found that successful security attacks using phish bait fell to 78 percent year-on-year after organizations integrated staff training into education offerings.
Information security process documents define an organization’s attitude to information. It makes it clear throughout the enterprise that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.
The audience for the internal document is all company employees. Keep in mind while crafting the document, however, that sub-groups within the audience will have different requirements the manual will need to address
Many organizations have turned to some kind of standardized security controls framework as a model for their own. Some of the more popular guidelines include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center For Internet Security’s Controls, and the Department of Homeland Security’s Continuous Diagnostics and Mitigation. These standards can help enterprises leverage best practices for cybersecurity and keep them from “reinventing the wheel.”
Developing a set of process documents requires a high level of commitment throughout the enterprise. The CISO has to be intimately involved with the development of the documents, especially as he or she will “own” the product from the vantage point of the Board.
The information security controls manual should be closely aligned with HR and other company policies. It’s important that the departments coordinate guidelines that address security-related issues like email use or computer etiquette.
Cybersecurity professionals organize technology solutions into three parts: data sources, the Security Intelligence Platform, and case management. Common data sources are network activity/security events, threat intelligence, Endpoint activity (desktop machines, laptops, POS, and mobile devices), and authorization management tools.
Critical aspects of a Security Intelligence Platform include Security Information and Event Management (SIEM) software and services that bring in the data from all the data sources. The Platform correlates, identifies and alerts a SOC (System and Organization Controls) engineer when an attacker is intruding on a network.
Finally, a case management or ticketing system maintains a log of network attacks. The software serves as a conduit between enterprise IT management and the SOC.
Cybersecurity technology, though, is only as effective as the CISO’s communications with fellow executives and the Board. The CISO has to “translate” the tech-speak in which his IT staff is immersed into business language that a layman can understand and act upon. The Security Officer also has to work with the Legal Department to interpret the implications of an increasingly complex regulatory framework for cybersecurity to shape IT strategy. After clarifying and prioritizing regulatory and technology obligations, the CISO can work with leadership across the enterprise to develop cybersecurity processes and habits that people throughout the organization internalize.
No Silver Bullets in Cybersecurity
Enterprises and especially IT departments need to realize that Technology Alone Is Not a Panacea against cyber attacks. Unfortunately, the marketing buzz around the latest Tech product releases tends to drown out the importance of Policy, People, and Processes in creating a foundation for the success of cybersecurity measures. Only when organizations integrate all four dimensions of enterprise readiness do they create a near-seamless defense that even the most sophisticated criminals find difficult to overcome.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, Wireless/Copper Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information