Most security incidents that occur in our time could have been prevented, or at least had their impact limited, if the affected companies had had more organized processes for internal information security.
One crucial step in building such organized information security is that the company's senior management begins to treat cybersecurity as a business-critical issue and shows visible engagement with it.
You've probably heard about how Maersk was hit by a major ransomware attack in the summer of 2017.
“Global cyber-attack Petya is affecting multiple businesses,” Maersk said on Twitter.
The breakdown affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers. Thanks to the company's well-rehearsed and practiced routines, combined with the ability to prioritize correctly, Maersk was able to manage the incident efficiently.
During March this year, Norsk Hydro, a large multinational company with 35,000 employees, faced the nightmare scenario of a ransomware attack spreading worldwide across the company, which brought their systems to a halt. Hydro started to execute their incident response plan, and shortly after that they had a temporary website up and even held daily webcasts in which the most senior staff talked through what was happening. Norsk Hydro had a well-prepared contingency plan and started to run the business manually at several production sites.
As you can see, both these companies knew their most valuable resources, were well prepared, and managed to restore their core businesses rather quickly. This is crucial.
The cybersecurity estate
What are we really trying to protect? This is the fundamental question every CEO or management board should ask. What are the valuable assets of the business? Secondly, you need to decide who or what you are trying to protect those assets from. And finally, you have to know how you can protect them: what resources and tools do you have (or should you have) at your disposal? So basically:
1. WHAT are you trying to protect? Know your most valuable assets.
2. WHO are you protecting the assets from?
3. HOW can you protect your most valuable assets?
When it comes to cybersecurity, the answers to the above questions are not always clear. Can you, for example, define your network's boundaries? This is important, because you can't establish proper protection if you don't know what you have.
Maybe you don't even know all of your IT users? It could be a client who was given access just for efficient information exchange, or a child using dad's work PC for some off-time gaming. This is common, and it happens every day. Do you, by the way, have control over what your users are doing? Shadow IT applications, links that should not be clicked on, or files being sent to some private mailbox. Do you have full control?
To be able to feel secure, these questions need to be addressed on a strategic as well as a tactical level. They also need to be balanced between daily security requirements and bigger projects that will ensure the organization is well prepared to handle upcoming cyber threats.
So, how can you know what threats your business is facing? The easiest ones usually come from "the outside": viruses, phishing attacks and other types of threats that can be predicted and defended against.
But did you know that the most common source of insecurity is your users? According to the Netwrix 2018 Cloud Security Report, almost 58 percent of organizations that had a security incident in 2017 blamed it on insiders.
This is mostly a problem of awareness, though. A lot of users don't understand or realize that what they are doing is a security risk, or maybe they are simply on a tight deadline, trying to get the job done, and forget to follow routines. In some cases they are very well aware of the risks but ignore them for the sake of convenience. So you surely understand the importance of awareness training in your organization.
I will not write specifically about the malicious employee, though this insider character does exist. Human error, or human nature, is problem enough, I would say.
On the other end of the broad scale of threats, you have those that are backed by nation states and others run by organized criminals. These threats cover every possibility from ransomware to industrial espionage.
Cloud computing and IoT
The boundaries of your IT environment are getting blurred. Cloud computing, digitalization and the Internet of Things put new demands on knowledge of the technologies involved. It looks good, but is it secure enough?
How can you really know where your data is stored and who is in control of it? Do you have the protection needed for your specific data? Are you sure that your data has not left the EU?
Even if the technology is new and fancy, the data is still the responsibility of the company it belongs to, not the cloud provider. This puts pressure on organizations to consider every eventuality with regard to where their data is held and processed. Once you add shadow IT to the mix, the risks increase.
Where do I start?
Cybersecurity is important and complex. So, if you feel that you need to improve your business information security:
• Assess the risk: Start by performing a risk assessment that will help you identify and analyze potential threats that may have an impact on your IT environment and, in the longer run, your business.
• Classify the assets: Classify the information assets within your business. This is a way to sort out what information is really important or necessary for the business and what information has minor value.
• Prioritize the landscape: Now that you know the value of the information, you can easily prioritize which IT systems in your business need the best protection against the threats you have identified. The best way is to start by protecting the most valuable assets and then move on to the next system.
• Just do it! Now you have the bigger picture. It's time to set up a plan and execute it. Your assets will not be protected by the plan itself; it's all about getting things done!
Hans Sjöberg, Senior Information Security Advisor, Enfo Cybersecurity Services
+46 73 420 6296