Special feature from Ian Bancroft, Vice President & General Manager, EMEA, Secureworks, JLT’s Consortium Partner.
Security experts observe thousands of breaches each year, and while that is nothing new, recent incidents such as WannaCry and NotPetya made headlines. There is now an urgent need for companies to focus on and invest in their cyber security defences. Online criminals are becoming more sophisticated and savvy in the methods they use to attack organisations such as banks and retailers, and attacks will only increase in future.
Leadership teams must understand the cyber security issues they face and how best to guard against them. In this article, we concentrate on five areas that will put companies in the best possible position to tackle the security threats of today’s cyber environment.
STEP 1: UNDERSTAND THE EXTENDED ENTERPRISE
Having a clear understanding of the threats an organisation is facing and of what needs to be protected is vital. It’s no longer enough to assume that anything outside the company’s perimeter is insecure and everything inside it is secure. In today’s world, cloud services and home-based or mobile workers make it crucial to take a data-centric approach to cyber security.
Companies need to map out their business and the place cyber security has within it. Only by knowing what is important to the business can they define security’s role within it. That includes identifying third parties, which are a genuine part of the extended enterprise. Organisations must also ensure that security requirements are written into supplier agreements and that third parties are regularly assessed.
Leadership teams need to know where the critical information assets are, how they’re protected, who has access to them, and whether those with access rights are inside or outside the business perimeter.
STEP 2: INCREASE VISIBILITY
Companies need to understand where their security issues lie: gather as much information as possible, then analyse it in the right way to prioritise investment and response efforts.
A high-level security maturity assessment against industry best practice, standards and peer groups can help management understand their strengths, weaknesses, gaps and areas for improvement. It is also crucial input into any organisation’s security strategy. Applying threat intelligence, together with robust patching and configuration management processes, is vital as well.
STEP 3: BUILD A CULTURE OF SECURITY
One of the biggest challenges facing leadership teams is changing their employees’ attitudes to security. Many people believe that security has nothing to do with them, but everyone must understand the risks they face and how important their specific role is in taking ownership of secure practices.
To ensure that organisations have good security practices, everyone must be accountable for their own obligations in protecting information. A designated person responsible for security from each department should form a steering group that ensures important information about security is communicated to all parts of the company.
It is also very important for senior management to be fully committed to good security practices. Often, company directors feel they can disregard security rules, but the leadership team is typically the top target for attackers.
STEP 4: TRAIN YOUR USERS
One of the main risks companies face in today’s cyber security environment comes from reckless employees, who either don’t understand the security risks or the impact of their actions, or simply don’t care. This makes training crucial. The majority of attacks targeting employees are carried out through spear phishing and social engineering, so one of the most important ways to protect the company is to ensure that employees are aware they are targets.
Instead of relying on standard compliance training modules, organisations should address their weakest link and build a layered security awareness programme consisting of security essentials, organisation-specific training and role-specific exercises. This means training everyone within the organisation and emphasising that security is an important part of the business’s growth.
STEP 5: BE PREPARED
Regardless of how high security awareness is among employees or how well prepared the company is, the chances are that one day your data will still be compromised. Being agile and responsive in the wake of an IT security breach will help to minimise the damage. Unfortunately, for many companies responding to a cyber security incident remains low on the agenda and is one of the most overlooked areas. With cyber attacks on the increase, companies need to build a proactive and continuing incident management programme to counter future security breaches.
If the organisation accepts the premise that it’s already compromised, it makes sense to focus on limiting damage and disruption to business operations. Vital relationships with security suppliers and service providers should be prearranged, so that the company can call on them immediately. And in a climate where the majority of organisations are a genuine target for hackers, it’s worth regularly evaluating the incident response plan to ensure everyone is prepared.
Technology isn’t the core answer to pragmatic security, and sometimes it can even be the enemy. Far more important are knowledge and awareness. Technology can be an enabler, but it’s not the final destination. If business leaders do just one thing, they should know what assets the company has, where they sit and whether they are vulnerable to exposure. Ask questions such as: where is the data, what infrastructure does it sit on, which data assets are Internet-exposed, where is the data regulated, and how necessary is the data the company is storing? That in itself will stand you in excellent stead.