Directors Report January 2017. Cyber Security Checklist For Management (£)

Hacks and Cyber Attacks are increasing and they are becoming more focused, more damaging, targeting the most sensitive private financial & commercial data. 

Organisations often focus on protecting their data and IT systems from external threats by investing in boundary security. However useful, these security protection IT walls devices are they often are very unsuccessful in detecting internal threats and improving the security from insider employee risks.

Comprehending Internal Risks

Insiders have become one of the major issues allowing cybercrime to take place. Employees are often targeted by phishing hackers or they lose their mobiles and a hacker uses it to get into their organisation’s business systems. 

Attacks focusing on employees increased by eleven percent in 2016, and attacks on current and former service providers rose by 16 percent. 

Hacks from within have become a critical issue for most organisations and our research suggests that current and recent employees are responsible for sixty-three percent of security issues.

These attacks should be made a priority by the Board and Senior Directors and even they are prone to attacks, although hackers often prefer to attack their assistants and senior management as well as employees with credible systems access.

Spotting Unsafe and Careless Behavior

Monitoring and identifying irregular data activities needs to be a  continuous process to detect signs of unintentional internal  threats. Unsafe behaviors must be noted and analysed and the relevant staff assessed, and retrained. Monitoring as on an ongoing basis is vital for security. 

Corrective action must be taken to address the threats

Security teams today are often hampered with too many tools from too many suppliers, as well as excessively complex processes that slows down checking, removes creativity and lowers the attention span of those doinf the checks. 

This makes for a daunting challenge for the analyst, who must pull the data together and get the right visibility into the users’ activities, behaviors and the data and systems they employ. 

Much of this work is not done automatically but manually. This creates delays, potentially allowing hackers more time and opportunity to infiltrate the systems before analysts are able to detect the deceptive and criminal activity.

The creation of a sophisticated threat intelligence capability requires trained and engaging IT specialists as well as regularly trained employees and some regular monetary investment. 

Companies must be aware that competing in the commercial market to recruit and retain high-quality cyber security talent spanning a wide range of expertise that can provide ample threat coverage, is expensive but very necessary for your security and cyber protection.

However, much of this can be achieved by ongoing technical training for IT staff and broader training programs for all employees, including both Senior Management and Directors. 

Cyber awareness training and engagement by Senior management and Directors is vital not just for security but also for commercial understanding and market analysis – we will review this in our next Special Report.  

Moreover, the organisation must research and analyse the relevant data threat from multiple sources to identify actionable commercial intelligence. 

At a minimum, the operation’s threat intelligence capability should be invested in broader internal employee work practices and this should be achieved both internally and by using third parties to give a broader balance up-date assessment and then training employees with relevant security issues and their positive resolution.

By keeping the restraints and realities of today’s security operations in mind, IT and an internal security team should look for the broad current user behavior analytics and use these to design and simplify more outdated complex security operations. 

For example, you should be able to review and influence the commercial projects and flow of data that often occur within the traditional methods of work flow. By doing this in an engaging and analytical way you will deliver sometimes surprising and rapid insights and potential actions. 

Constant monitoring of current markets, security concerns and commercial opportunities that are being developed in or related to your market-place will boost the commercial development of the business. 

Behavioral Analysis

When it comes to identifying and analysing why people seem fall victim to such methods as phishing emails it often comes down to the hackers intentionally exploiting a certain level of trust that users have about the systems of work that an organisation uses in its operations, the software and authentication methods that it broadly uses.

Nineteen percent of staff not only clicked on the links, but even entered their username and password when prompted to do so by apparently an authorised employee, manager or consultant. 

This of course is something that gives an attacker the keys to corporate data especially if they are using unsecured Internet browsers, plug-ins 

Whenever an attacker decides to go after an organisation, they often take into account two things: 

First: Considering what makes a convincing, believable email or landing page that looks as though it belongs to a service the target would be used to. 

Second: Ensuring the actual content within the email is worded convincingly so that the employee clicks through without being suspicious.

The best organisational response lies within building a positive, collaborative security environment that focuses on rewarding staff who actively pickup and report phishing emails. Add this to regular training and this can potentially save the business significant amounts of money.

Information security can sometimes be an overwhelming concept to grasp, but it's a necessary part of protecting your business' sensitive data. 

Traditionally, information security within an organisation has been viewed as a function owned by a few individuals or just one, frequently as an IT department’s responsibility. But, as the volume of electronic data information collection throughout an organisation increases, it’s time to shift perception on to all departments responsible for this important undertaking.

When data protection is prioritised and done well, it provides more disciplined operations, increased customer and stakeholder trust, and minimised risk. And one of the best ways to protect company information is to create a new corporate culture that views information security as a shared responsibility among all employees and is not just part of security or the IT department. 

This can be done by implementing regular and comprehensive training programs for all employees on the right way to manage, store and delete physical and digital data.

While regular training mitigates the risk of data breaches caused by human error or lack of knowledge of security practices, it also serves as an important reminder to employees to follow company policies. 

When organisations only provide infrequent training for employees, it often gives the impression that the Board and management is not committed to a culture of information security and often the staff then do not take information security policies and procedures seriously.

Senior management must help their team become more aware of the risks associated with mishandling confidential information. The following measures can help ensure employees have a solid understanding of company information security policies, procedures and best practices.

A Culture of Data Security

When management demonstrates a commitment to data security, employees are more likely to follow suit. If managers behave in a way that undermines security policies and procedures, employees won't take them seriously either. 

Consider drawing up an agreement that asks employees to take a financially beneficial pledge to make their workplace a more secure environment. 

Display the pledge in various locations throughout the office. To encourage participation from all areas of the business, consider appointing employees from a range of departments to participate on a committee focused on improving information security practices. Add bonuses for improved security practices.

Creative Repetition and Frequent Training Are Key

Creative repetition and frequency training are the keys to successful training programs. These must build on current knowledge and capacity in the right ways to safely manage, store, and destroy physical and digital data. 

Training should occur throughout the year and include various modules on organisational information security policies. Consider a "multichannel" approach utilising a mix of in-person and digitally-delivered video training content to ensure employees are aware of how to handle and dispose of confidential information

Out of Sight, Out of Mind

Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information. Reminder posters, such as this series of office security posters from Shred-it that targets common workplace errors and areas that increase the risk of a data breach. These should be regularly up-dated and made engaging with news references and occasional jokes and catch-phrases.

Follow Your Employees 

A growing number of employees are occasionally working from home or working outside of the traditional office environment. Ensure training addresses the safe destruction of confidential information for both office and remote workers. 

Leverage internal newsletters, Internet news feeds, employee and corporate social media accounts to provide constant reminders about different aspects of information security that employees can access regardless of their location. Keep information short to make it digestible.

Implant It

Make security a best practice and a seamless part of daily activity. Implement a Shred-it all Policy, which requires all documents to be destroyed once no longer needed and a Clean Desk policy which encourages employees to clear their desks and lock documents and small digital storage devices in a filing cabinet or storage unit when they leave their desks and terminal at the end of the working day.

When these policies become common practice, there is little decision left to employees on what should and shouldn't be destroyed. In addition, all shredded paper is recycled, adding an environmental benefit to a security solution for businesses.

All businesses should increase the priority of employee training to protect workplace information security. When all employees understand how to manage and identify privacy risks, business leaders are in a better position to protect their customers, their reputation and their people.

Rehearse And Prepare For Hack & Breach

One simple way to prepare for that day is to rehearse hypothetical worst-case scenarios doing so can potentially lower the cost of a data breaches

Do tabletop exercises recommending that members of company departments ranging from accounts, sales and IT to communications gather in a room and act out make believe situations in advance of major hacks. 

Going through the motions of an imaginary attack can help prevent executives from making common mistakes and mishaps during times of crisis, one of the best ways to test one’s incident response team and plan ahead.

What steps should you take to keep your business safe from hackers? With new threats emerging and longstanding ones still an issue, it pays to know. The average cost of cyber-attacks to many small businesses was between £16,000 and £24,000 over 16 months. 

A common example of a new threat is phishing, in which hackers send emails to an employee pretending to be from a trustworthy source, such as a customer, colleague or senior manager, with the aim of receiving private data. 

Staff should always look out for the urgent and the unexpected. If an email, a social media post or a phone call ticks either of these boxes then it could be suspicious.

Creating an environment where staff are confident in challenging requests that don’t look right is key. 

Training from the point when a new employee joins a company is very important and it’s something many small businesses don’t do properly. 

Of course, staff themselves can pose an unexpected threat. Sophisticated hackers could look to find a way into a business’s team in order to get information. Also using contractors or temporary staff, who might not be put through such a rigorous recruitment process, is always a risk.

It’s important to remember that vetting itself needs to be managed in a way that doesn’t infringe data protection laws. It needs to be necessary and proportionate to the role that the individual will have.

Another area for concern in small businesses is online payments. The panel were asked how businesses that make or take payments online could better protect themselves from attacks and ensure their accounts are secure.

Small Businesses are now particularly Vulnerable

In many ways, small businesses have even more to lose than large ones simply because an event, whether a hacking, natural disaster, or business resource loss, can be incredibly costly. 

Cybersecurity improvements by some corporate businesses have rendered them more difficult attack targets, this has led hackers and cyber criminals to focus more of their attention on less secure businesses. 

One reason for this is that small businesses, including startups, often lack the resources to invest in information security as larger businesses can. Many fall victims to cyber-crime. 

Information Security is Good for Business

Protecting customers’ information as well as personal employee information is a critical component of good customer service. Furthermore, a robust information security program can help small businesses grow and retain customers as well as employees and business partners. 

These days, customers not only appreciate but have also come to expect that their sensitive information will be protected from theft, disclosure, or misuse. Therefore, it is necessary that your business protect customers’ information to establish their trust as well as increase your business. 

Additionally, business partners and vendors want to know that their information, systems, and networks are safe when doing business with you; therefore, it is important to be able to demonstrate that you have a method to protect their information.

Get to Know Your Unique Risks

First, identify the information your business stores and uses. This may involve listing all the types of information your business stores or uses, including customer names and email addresses, receipts for raw material, banking information, and other proprietary information. 

Second, determine the value of your information and rank it in comparison to other risks. Then, develop an inventory of technology, both hardware and software. 

Third, understand your threats and vulnerabilities in the areas of confidentiality, integrity and availability. 

Secure Your Information

This report recommends a five-step process.

Monitor. Begin by monitoring and controlling who can access your business information. Consider physically locking laptops and mobile devices when not in use, conducting background checks, requiring individual user accounts for employees, and creating policies and procedures for information security. Take out cyber security insurance and monitor this cover every three months.

Limited Access. This can include limiting employee access to data and information, installing uninterruptible power supplies and surge protectors in case of an electricity interruption, updating and patching your software, installing firewalls, securing wireless access points and networks, setting up web and email filters, encrypting sensitive business information, properly and quickly disposing of old devices, and training employees regarding security policies and procedures.

Breach Detection. When a security or attack emergency happens, time is of the essence and a fast discovery of breaches is essential. To assist, consider installing updates to anti-virus and allowing for automatic updates as well as maintaining logs of firewall and anti-virus activity.

Implementation. In a security event, the impact and ultimate cost of a breach may be contained or even reduced by implementing a disaster plan. Employees should be trained according to a developed plan that set out employee roles and responsibilities, protocol for shutting down or locking computers, whom to contact, and triggering events for when the plan should go into effect.

Recuperation. After a security attack, the goal of your organisation is to continue normal working as soon as possible. Therefore, you should discuss copying and securing separately important information and legal documents and copyright detail. This should be done on a separate aspect of the cloud or an external hard drive and this process should be monitored and checked regularly.

Working Safely and Securely

The importance of employee training is very significant because although cyber-criminals are becoming more sophisticated, many still use well-known and easily avoidable methods in their attacks. Therefore, employee awareness and training in the following areas will certainly improve security and protection.

Pay attention to the people you work with, the people you contract with, even the people who share your building. If a security event affects your neighbors, it is likely you are at risk as well.

Be extremely careful opening email attachments and web links. Do not click on a link or open an attachment that you were not expecting to receive. Perhaps the most common way malware is distributed is via email attachments or links embedded in email.

As much as you can, try to use separate personal and business computers, devices and accounts, because personal devices are often less secure and could expose you to increased risk. In addition, do not connect personal or untrusted storage devices to your business computer.

Download software only from reputable sources and after both a phone call and face to face meeting

Be aware of social engineering, which is an attempt by wrongdoers to obtain physical or electronic access to your business information by prying information from you via manipulation.

Never give out a username or password. Speaking of passwords, try incorporating random sequences of letters and special characters into them. Try also to use multiple forms of authentication and also use a secure browser connection whenever possible.

Conclusions

While it is impossible for any business to be completely secure, it is both possible to implement a company program that balancing security with the adaptability, needs and capabilities of your business. 

You need not be a cybersecurity expert to develop an effective plan, although engaging with the process in a serious way is recommended even if you decide to outsource some or all of your security needs. 

Consider all the commercial opportunities and options and network and ask for recommendations from trusted suppliers and business associates. 

Additionally, in some cases, large organisations may help their small business suppliers analyse their risks and develop an information security program. 

References

Much of this Report is unique to Cyber Security Intelligence, however for research purposes we have reviewed a number of articles and reports including:

Cartonfields

LaunchOfThrive:
 

 

« Hacker, Tailor, Soldier, Spy: Future Cyberwar
Ransomware- Practical Advice To Protect & Recover Using Free Tools »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Security Magazine

Security Magazine

Security, the business magazine for security executives, focuses on management issues facing top security professionals and effective solutions being employed, both physical and cyber.

Snort

Snort

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

itWatch

itWatch

itWatch is focused on data loss prevention (DLP), endpoint security, mobile security, encryption, and cost reducing solutions for IT operations.

ID Agent

ID Agent

ID Agent provides a comprehensive set of threat intelligence and identity monitoring solutions.

Hitachi Systems Security

Hitachi Systems Security

Hitachi Systems Security provides customized services for monitoring and protecting the most critical and sensitive IT assets in our clients’ infrastructures 24/7.

Tessian

Tessian

Tessian (formerly CheckRecipient) is a next-generation email security platform that helps enterprises counteract human error and significantly reduce the risk of data loss.

Ellipsis Technologies

Ellipsis Technologies

Ellipsis Technologies is a diversified technology company that develops innovative security software for websites and online applications.

Herbert Smith Freehills

Herbert Smith Freehills

Herbert Smith Freehills is a leading professional services including data protection and privacy.

Aptible

Aptible

Security Management and Compliance for Developers. Aptible helps teams pass information security audits and deploy audit-ready apps and databases.

Mindsight

Mindsight

Mindsight is a technology consulting firm with expertise from cybersecurity to cloud, disaster recovery to infrastructure, and collaboration to contact center.

Havoc Shield

Havoc Shield

Havoc Shield is an all-in-one information security platform that includes everything a growing team needs to secure their remote workforce.

Crosspoint Capital Partners

Crosspoint Capital Partners

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity and privacy sectors.

MVP Tech

MVP Tech

MVP Tech designs and deploys next generation infrastructures where Security and Technology converge.

Integrity

Integrity

Integrity is a PCI QSA and ISO 27001 certified company specialized in Information Security and IT Consulting.

CypherEye

CypherEye

CypherEye is a next generation trust platform that advances the current state of Multi-factor Authentication (MFA) to enable highly secure, private and auditable cyber-transactions.

Glasstrail

Glasstrail

Glasstrail are single-minded about helping organisations gather intelligence and manage vulnerabilities in their attack surface before adversaries exploit them.