Cybersecurity, defined as “measures taken to protect a computer or electronic system against unauthorised access or attack”, is no longer the exclusive domain of the CIO and the IT department.
These days, with all of us connected online not just by our computers but also by our wireless devices, smartphones and even toasters, fridges and cars, the threat has become so pervasive with the points of illegal entry so numerous. The implications of a breach can now be so serious that every member of the organisation has a stake and a role in protecting it from cyber threats.
The steps outlined below range from the basic to the advanced. Some forward-thinking organisations will already have tackled some or even many, but, in our experience, very few have adequately addressed them all.
Focus on what matters: Identify and document the business-critical functions and information assets that must be safeguarded against cyber attack. If you don’t know what your jewels are, you cannot best protect them.
Get real about risk: No matter how strong your current security measures, cyber criminals likely know how to circumvent them. That’s why you need a risk-based approach to cyber security, one that prioritises risks based on their likelihood and impact, so you can effectively manage your cyber risk exposure. Getting to a zero level of risk is not possible. So knowing what they are and being practical and prioritised about the uncertainties you have to manage helps you take effective action.
Know your friends:In a recent Deloitte global survey of technology, media, and telecomm companies, 92 percent of participants felt an average or high level of threat from third parties. To help combat this, inventory your extended relationships—supply chain, outsourcing, partnerships, clients, vendors, contractors, etc. Include anyone who has access to your IT infrastructure, and seek assurances from these parties that they are vigilant in addressing cyber security. Trust but verify.
Related: Global Information Security Survey 2014: On the defence Are New Zealand organisations prepared for the constantly evolving information security threat landscape? How do they compare with their global counterparts?
Become a detective: Develop capabilities for detecting threats to your business-critical functions, information assets, and operational continuity. By centrally monitoring your systems, you can detect cyber threats in real time, enabling you to respond quickly enough to mitigate negative impacts. You don’t want to not know if you’re being attacked or worse, when you’ve been compromised.
Draw up emergency plans: When it comes to cyber attacks, prevention is only half the battle. Even the best systems and most vigilant organisations can be compromised. That’s why you need to establish procedures to react to cyber attacks, from financial, legal, technical, business, organisational, and branding standpoints. Bad things sometimes happen. But how you respond makes a big difference in managing the longer term impacts on your customers, brand and the viability of your business.
Cyber simulations can help you test the effectiveness of your emergency responses and the ability of your systems to detect intrusions and withstand attack.
Crash your own gates: Cyber simulations can help you test the effectiveness of your emergency responses and the ability of your systems to detect intrusions and withstand attacks. This enables you to hone both your resiliency plans and your defensive strategies so you can recover quickly and get back to business. Exercise creatively, diversely and challenge yourselves. The insights and learning from these are invaluable.
Protect what’s vulnerable: Cybercriminals increasingly evade current security controls to target vulnerable applications. It can be like child’s play to compromise many of the applications and systems that tend to get implemented because of the extent of simple holes that exist to be exploited. To protect your business-critical systems, make sure to apply timely patches and software updates to your most exposed assets.
Get smart: Enhance your organisation’s ability to proactively detect and mitigate imminent and emerging cyber threats by taking advantage of the knowledge of industry associations, as well as commercial and open source intelligence sources. Whether you build the skills in-house or outsource, the key is to establish proactive cyber threat intelligence capabilities. Seek specialist advice and build collaborative communities. Learning together improves the methods, tools and knowledge you can apply.
Related:Fighting smart Laura Mather on the war against "extremely creative and extremely tenacious" cybercriminals.
Jealously guard your reputation: Organisations that suffer a cyber attack face more than financial loss. They also risk brand damage and the loss of public confidence. To protect your reputation, you need to know who’s talking about your brand and what they’re saying. By consistently monitoring your brand on the Internet, you can often prevent trademark, copyright, and other intellectual property infringement. More significantly, by improving your cyber security stance, you can even protect your corporate assets and sensitive customer and employee data from the outset. Know your online footprint as a business, and of the individuals who lead the business. Seemingly harmless information that may be out in the online world can be used to build up a profile of you and your business to help develop more targeted attacks against you. Limit the information shared.
Foster cyber awareness:The weakest link in your cybersecurity isn’t your technology; it’s your people. Social engineering attacks that use targeted phishing emails or other techniques often hoodwink users into revealing confidential information or trick them into downloading malware. This makes it easier for cybercriminals to penetrate your network, without even resorting to more traditional hacking methods. Educate your employees to make sure they’re aware of these risks and threats.
Make cyber security one of your top resolutions for 2014, and stick to it. The more of these steps your organisation can address, the less likely it will be to find itself in an embarrassing or costly situation and the tremendous loss of trust in the wake of a cyber security attack.
Anu Nayar is head of security, privacy and resilience at Deloitte NZ.
Follow CIO New Zealand on Twitter:@cio_nz