Constant attack attempts, newly discovered vulnerabilities and growing methods for gaining unauthorized access: this is the world we live in. Massive breaches and compromised data have become common among news headlines as cybercriminals become more clever and brazen.
We’re clearly operating in a heavily risk-laden environment. Accurately evaluating security posture is intimidating for any organization given this ever-shifting threatscape, but the good news is that there are definitive ways to ensure your organization is prepared, starting with knowing how and why you may be a target.
Reasons Why You Could Be Compromised
Let’s start with the burning question of any business that has suffered a breach: “Why us?” There are many reasons behind attacks. Here are the types we see most commonly:
- Opportunistic attacks. Multitudes of unethical actors out there are looking for holes in systems, gathering data or serving as the middleman in a larger scheme. For some malicious actors, hacking is akin to a sport or an achievement in the “because we can” bucket. It earns them Internet street cred.
- Targeted attacks. Motivations vary, but sometimes an attack is the result of a deliberate effort to target a specific organization. Again, the lure might simply be notoriety, or it could be valuable personal data. Sometimes the trigger is the organization’s own activism, or conversely the attacker’s political leanings. But it’s not just large, well-known enterprises that are at risk—no organization is immune to targeted attacks. Have you ever had a disgruntled employee? Or do you think your competitors are above playing dirty? Targeted attacks occur more often than you think.
- Absent controls. Controls, or safeguards, are necessary to prevent and detect an attack, as well as to minimize damage. Security is built in layers; you can’t rely on one single control. Organizations leave themselves open to a breach if one or more controls fail, or if they’re insufficient. This is why it’s important to have a strong team, either on the payroll or on retainer, working closely to maintain security practices across your organization and thereby protect the confidentiality, integrity and availability of your information.
- Bad luck. Sometimes an attack is the result of zero-day vulnerabilities: “bad luck,” for lack of a better term. Of course, no one can predict when these types of incidents will occur. You can, however, take steps to minimize the damage of these attacks and restore operations quickly.
Keeping Your Security Posture Healthy
Understanding the reasons why your organization might be at risk is important. But security isn’t about a tool, a person or a product. None of these things will solve the problem or reduce worry without an in-depth, internal conversation. Security is about educating and performing due diligence. Only then can you defend, protect, respond and investigate.
Maintaining a healthy security posture means being active from both a human and technology standpoint—it’s not one or the other. The technologies to protect critical IT assets are constantly evolving, but so are the threats. Achieving a healthy security posture requires a dual effort shared by both people and technology.
Six People Controls: What Your Organization Can Do
To provide greater assurance and protection against data loss, both from inside and outside sources, companies must invest in people as well as technologies and processes.
- Understand your risk profile. Knowing your risk profile is critical. You must understand the risks specific to your industry, business and assets. To start, gather information from public sources on the Internet: look up your company name and see what kind of information is available. If possible, engage a provider that performs penetration testing. Also, be aware of your unique exposure and visibility. For example, if it’s obvious on your website that you service credit-card companies, you have higher risk.
- Know your assets. You can’t protect what you don’t know you have. The cornerstone of a healthy security posture is knowing your assets and exactly what you’re trying to protect. This knowledge allows you to ensure all the right controls are in place, so you should have a complete inventory. Next comes protecting against the threats that accompany your specific assets. If you have old firewalls or a vulnerable application, select the right tools for proper protection.
- Have a solid risk-management program. Do you have a risk-management program? At a minimum, you should be carrying out annual risk-management reviews, complete with scoring and a repeatable process. Doing so helps leadership determine overall risk and the potential cost to the business in the event of a compromise or breach, thereby enabling appropriate allocation of funds to reduce or mitigate business-specific risks.
- Keep your information-security program up to date. As you make your way through the above steps, you will likely find that it’s time to update your information-security program once again, including your information-security policies. Maintaining one primary information-security program and updating it every six months to one year as a formal, recurring process is recommended. This way, you can match your procedures and standards with the program, allowing you to train your company through awareness.
- Make sure leadership is involved. Leadership must be involved in decision making. Without deliberate planning, security often happens in silos, which hurts your company’s culture. If you fail to promote awareness and bring leadership into the conversation, increasing the budget or communicating risk to users can be difficult.
- Put together a security board. Create a board of security ambassadors. Each department should have a security ambassador working as the liaison between the security team and other departments and business units, allowing for healthy two-way communication.
Five Technical and Logical Controls to Increase Your Defense
We’ve covered human controls, but what about technical and logical controls? These are the measures you configure in your systems, apply consistently and rely on to collectively reduce risk. Ultimately, you want to ensure that you mitigate vulnerabilities quickly to lessen your organization’s threat profile.
It’s worth noting that although the risk landscape is much greater today than five years ago, we’re in a much better position with regard to automation tooling and capabilities, whether for deployment, maintenance or monitoring of controls. In the past, assessment of technical controls was a more stressful exercise carried out only at fixed points in time.
Today, we have the ability to monitor and more easily observe how controls are performing, as well as where there may be room to improve.
- Patching. Patching is an essential security control. Patching your operating system is important, but don’t neglect other areas of your environment that run code. They include infrastructure devices and applications that run on top of your operating systems.
- Life-cycle management. Keep pace with life-cycle management related to all layers of your stacks: physical devices, infrastructure devices, operating systems, applications, database services and systems. They all require a strategy to manage their life cycle.
- Robust firewalls. Avoid using overly permissive firewall rules and consider using web-application firewalls. In addition, regular firewall-rule reviews are critical to ensuring your web applications are secure.
- Best practices for passwords. Make sure everyone in your organization uses strong, complex passwords as well as multifactor authentication.
- Network-access controls. Ensure your IT teams continuously monitor for unusual network activity.
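One way to make the firewall-rule reviews described above a repeatable process, as an added example that is not code from the article or from Flexential: a small Python checker that flags allow rules open to any source on every port, administrative ports reachable from the Internet, and overly broad port ranges. The rule format, the sample rule set, the administrative port list and the 1024-port threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
import ipaddress

# Assumed review policy: administrative and database ports that should
# never be reachable from arbitrary Internet sources.
ADMIN_PORTS = {22, 3389, 5900, 1433, 3306, 5432}
BROAD_RANGE = 1024  # assumed threshold: wider allow ranges get flagged

@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "any", "443" or "8000-9000"

def port_range(ports: str) -> tuple[int, int]:
    """Normalise a port expression to an inclusive (low, high) pair."""
    if ports == "any":
        return 1, 65535
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)

def review_rule(rule: Rule) -> list[str]:
    """Return finding codes for one rule; deny rules are never flagged."""
    findings = []
    if rule.action != "allow":
        return findings
    lo, hi = port_range(rule.ports)
    from_anywhere = ipaddress.ip_network(rule.src).prefixlen == 0
    if from_anywhere and (lo, hi) == (1, 65535):
        findings.append("ANY_SRC_ALL_PORTS")
    elif from_anywhere and any(lo <= p <= hi for p in ADMIN_PORTS):
        findings.append("ADMIN_PORT_FROM_ANY")
    if hi - lo + 1 > BROAD_RANGE:
        findings.append("BROAD_PORT_RANGE")
    return findings

def review_rules(rules: list[Rule]) -> dict[str, list[str]]:
    # Map each rule name to its findings; an empty list means it passed
    return {r.name: review_rule(r) for r in rules}

# Constructed sample rule set for the review
SAMPLE_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", "443"),
    Rule("legacy-any", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
    Rule("rdp-mgmt", "allow", "0.0.0.0/0", "10.0.2.10/32", "tcp", "3389"),
    Rule("dev-range", "allow", "10.0.0.0/8", "10.0.4.0/24", "tcp", "1024-49151"),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]
```

Running `review_rules(SAMPLE_RULES)` leaves `web-in` and `default-deny` clean and flags the other three, which is the shortlist a reviewer would take into the next rule-review meeting.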
Businesses are highly concerned—and even panicking—given the threats they face. Thankfully, there are proven approaches for minimizing the fear and risk. In many cases, the universal struggle is cost versus security. Businesses often can’t foot the full cost of maintaining security in house. In other cases, knowing where to start is a challenge.
Only you know the type of data your company handles and the associated security risks. If you lack a robust, proven security team that covers every aspect of your security posture, consider a professional services team or even a partnership with a provider that offers robust security controls and expertise. Remember to ask comprehensive questions regarding the security controls they provide, and confirm that they support auditing and compliance, regardless of whether your intention is to self-manage or outsource. Either way, you should consider all of the human and technical controls mentioned above if you want to ensure your organization isn’t the next big headline.
About the Author
Annalea Ilg is chief information security officer (CISO) at Flexential.