
What can I do about cyber security?

DanielPWaters

A call to arms for enterprises and consumers, by refocusing on the fundamentals.


By guest authors David Le Mesurier and Mat Charlton.


Every week we hear about yet another major cyber security breach. In fact, you've probably read or heard some variation on the following well-worn quote:

“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again”.

This paints a very bleak picture indeed - on the surface.


In attempting to make you care about cyber security, parts of the industry have quite likely made you throw your arms up in defeat, grow frustrated, or simply accept your fate. If large companies can't protect themselves, then what can 'we' possibly hope to do? It is often a fear-based agenda that drives overspend on technology solutions. Technology is important, but there are other elements in play.


Well, the answer might surprise you. There are simple things you can do today that are often much more difficult for larger companies. Before we get to that, let's outline three key questions to help you understand the problem more clearly.

1. What do we need to protect?

This involves considering those assets you need to protect. In simple terms, what do you care about?


This could be systems or data, and it need not be limited to digital systems. For complex organisations it could be the protection of the specific types of assets that allow you to deliver your services. Examples are call centre staff computers, and storefront terminals that coordinate scheduling, perform front-end client data management and, of critical importance, process payments. Backend processing systems are not visible to the consumer but are critical to stable business operations.

2. What threats are we facing?

This one might be a bit trickier, but if you've read this far you probably already know about some of the widely publicised cyber events (ransomware attacks, denial of service attacks, and data theft) and likely have an opinion on which ones are relevant to you or your business.

3. How well protected are my assets and operations against those threats?

This step is where the heavy lifting begins. The real point of the exercise is that you are now focused clearly on what you're protecting. This is not a cookie-cutter thought process; it may include different levels of focus between systems, data, operations and people, contingent on what is unique and specific to you.


Some security vendors and consulting firms will advocate specific solutions as though security is a 'set it and forget it' reality. In practice, best practice revolves around understanding the client's business first. What is the business objective? What is the business strategy? How does technology drive my in-line business performance? Finally, what are my cyber risks in driving that performance? The advice is a matter of integrity: it must be independent, valid, and an honest assessment in the context of your specific requirements.


The good news is that by thinking about the problem on your own terms you are already better equipped to face this challenge, and since you understand your business best, you are likely better positioned than you realise. Defusing the fear around cyber, distilling hard facts, and creating meaningful actions will always do more to reduce risk than buying into fear. The elephant in the room is that it is not possible to reduce all risks, even with an infinite budget; the key is to become resistant and resilient, and to be positioned to reduce impacts, in an economical and balanced way.


As a note of motivation: sticking to the fundamentals consistently, and building from there, will generate your best outcomes for managing risk. Most major cyber events and famous 'headlines' arose from deviating from the fundamentals, or failing to adhere to them. Human negligence also plays a large role.


Key takeaway: there are some basic things you can start doing today.

  • Make a list of the important assets and information you wish to protect. Apply a taxonomy that makes sense to you.

  • Do some research on the types of threats that are out there. Separate fear from fact and remove emotion.

  • Speak with peers: who is more mature than others, and what lessons learned can you plug into?

  • Consult with trusted business partners and colleagues on how well you are protected. Where possible, validate that information by getting a second opinion.

  • Consider applying some basic controls as outlined in the ASD Essential 8 (Australia), or per guidance in the NIST or ISO frameworks.

  • Get an action plan together, and don't induce paralysis through perfection; just get moving.

For more information contact us on LinkedIn or the Enstarla team.

David Le Mesurier (Cyber Security Architect)

Mat Charlton (Cyber Security Project and Program Manager)
