How To Develop A Cyber Security Practice

The potential business revenue opportunity from rising compliance requirements and security threats is hard to ignore. 

The increasing press coverage of ransomware attacks and fines for non-compliance is driving awareness and urgency. Even the slow adopter business owners and managers know something needs to be done to limit their corporate risks and individual exposure, and time isn’t on their side.

What tools are necessary, how to integrate it into the IT services offering, how to market it? What are the best ways to go about developing sound cybersecurity policies and practices in 2020 that could be used for commercial gain as well as internal commercial security? 

Here are some recommendations:

1.Update Software and Systems
After Spectre struck in Jan 2018, Apple issued security fixes for its iOS 11 operating system This is no different from what other IT vendors do when they discover a security vulnerability. 
However, the rub for IT is making sure that the diversity of devices that are in the hands of users are all updated with the latest versions of a bevy of OSs.

This requires centralised policy making in IT that likely adopts a 'push' methodology, forcing new security updates onto a user's device when they connect to the network, instead of a 'pull' methodology, which notifies the user that a new security patch is available and gives them the option to load this new software when it's convenient.

2.Conduct Top-To-Bottom Security Audits
If your company hasn't already done so, it should conduct a thorough security audit of its IT assets and practices. 
This audit should review the security practices and policies of your central IT systems, as well as your end user departments and at the 'edges' of your enterprise, like the automated machines and IoT you might be employing at remote manufacturing plants. 

The audit should look not only at the software and hardware techniques you have in place to protect security but also at remote site personnel habits and compliance with security policies.
These audits should be carried out by an independent cyber-audit business that brings a clear understanding of cyber security to the business being audited, this would be similar to a Financial Audit and so it should also bring a certification of completion and security each year.

3.Don't Forget Social Engineering
As part of your end-to-end IT audit, you should include social engineering, which reviews whether your employees are demonstrating vulnerability when it comes to offering up confidential information
This social engineering can be as simple as someone shouting a password to a co-worker over an office partition, or it could be a user who pulls up a website at work and surrenders passwords or other vital information that ultimately gets into the wrong hands.

4.Demand Audits from Vendors and Business Partners
According to a report by Commvault and CITO Research more than 80 percent of companies see the cloud as integral to their technology. 

But with the move away from internal data centers, it's also become more important to demand regular IT audit reports from your vendors and business partners. Companies should have policies in place that require regular security audit reports from vendors they are considering before contracts are signed. Thereafter, vendors, as part of their SLAs, should be expected to deliver security audit reports on an annual basis.

5.Provide New and Continuing Security Education 
Cyber-security education should be a staple of every new employee orientation, with new employees signing off that they have read and understood the training.
On an annual basis, a refresher course in cyber-security practices should also be given to employee’s companywide. This ensures that security policies and practices stay fresh in employees' minds, and that they understand any policy additions or changes.

6.Watch the Edge
Manufacturing 4.0 and other remote computing strategies are moving computing away from data centers and out to the edges of companies. This means that a manufacturer with a remote plant in Ireland is likely to have manufacturing personnel operate automated robots and production analytics with local servers in the plant.

Software and hardware security must be maintained on these devices, but the devices must also be locally administered under accepted cybersecurity policies and procedures by personnel who are asked to do these jobs without an IT background. This is a security exposure point for the company and for IT that requires training of non-IT personnel in IT security policies and practices, as well as oversight by IT and auditors.

7.Perform Regular Data Backups that Work 
If your data is compromised or held hostage in a ransomware attack, a nightly data backup will at least enable you to roll back to the previous day's data with minimal loss. It’s a simple enough policy and practice to enact.
Unfortunately, a bigger problem for companies is not so much that they don't perform data backups, it's that the backups don't always work.

One of the most important cyber-security policies that corporate IT can put in place is a requirement that data backups and disaster recovery minimally be full-tested on an annual basis to ensure that everything is working properly. 

8.Physically Secure Your Information Assets
Even if software, hardware, and network security are in place, it doesn't help much if servers are left unsecured on manufacturing floors and in business units.Physical security, like a locked 'cage' for a server in a plant that is accessible only to personnel with security clearance, is vital. Security policies and practices should address the physical as well as the visual aspects of information.

9.Maintain Industry Compliance
Especially for companies in highly regulated industries like healthcare, insurance, and finance, regulatory compliance that concerns IT security should be closely adhered to.
Companies in these industries should annually review security compliance requirements and update their security policies and practices as needed.

10.Inform Your Board and CEO
A successful cybersecurity strategy is one where you never find yourself in front of the CEO or the board having to explain how a cyber breach happened and what you are doing to mitigate it. 
Unfortunately, great security systems are 'invisible', because they never give you problems.

This makes it important for CIOs, CSOs, and others with security responsibilities to clearly explain cybersecurity technologies, policies, and practices in plain language that the CEO, the Board, and other non-technical stakeholders can understand.

For more information about Cyber Security Audits please contact Cyber Security Intelligence.

Retail Insights:      Health IT Outcomes:      Retail Supply Chain Insights:     ECMConnection

You Might Also Read:

Digital Shock: The 4th Industrial Revolution:

Why An Effective Security Culture Is Essential For Your Organisation:

 

 

 

« Cyber Stocks Soaring From Conflict With Iran
Publishers Spread Fake News »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Trusted Computing Group

Trusted Computing Group

TCG was formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.

Veridify Security

Veridify Security

Veridify Security (formerly SecureRF), develops and licenses quantum-resistant, public-key security tools for the low-resource processors powering the Internet of Things.

Secure Source

Secure Source

Secure Source specialise in search and recruitment for Cyber Security and Security Cleared markets.

Adroit Technologies

Adroit Technologies

Adroit Technologies has been developing award winning real-time software for the industrial automation markets for over 25 years.

Fidus Information Security

Fidus Information Security

Fidus is a team of security professionals providing Penetration Testing and Cyber Security Consulting services throughout the UK and worldwide.

PRODAFT

PRODAFT

PRODAFT, Proactive Defense Against Future Threats, is a cyber security and cyber intelligence company providing solutions to commercial customers and government institutions.

netfiles

netfiles

netfiles offers highly secure data rooms for sensitive business processes and secure data exchange.

Cynerio

Cynerio

Cynerio develops cybersecurity protections for medical devices, comparing network behavior with a database of medical workflows.

Tigera

Tigera

Tigera provides zero-trust network security and continuous compliance for Kubernetes platforms that enables enterprises to meet their security and compliance requirements.

Space ISAC

Space ISAC

Space ISAC is the only all-threats security information source for the public and private space sector.

Group Salus

Group Salus

Salus provides SMBs with cyber security-related communications consulting, crisis management, and brand reputation services.

Qasky

Qasky

Anhui Qasky Quantum Technology Co. Ltd. (Qasky) is a new high-tech enterprise engaged in quantum information technology industrialization in China.

State Service of Special Communications & Information Protection of Ukraine (SSSCIP)

State Service of Special Communications & Information Protection of Ukraine (SSSCIP)

State Service of Special Communications and Information Protection is the technical security and intelligence service of Ukraine, under the control of the President of Ukraine.

ISMAC

ISMAC

ISMAC was founded to create a security solution that would work for smaller to medium as well as bigger corporations at an affordable price.

Cyber Security Cooperative Research Centre (CSCRC)

Cyber Security Cooperative Research Centre (CSCRC)

The CSCRC provides frank and fearless research and in-depth analysis of cyber security systems, the cyber ecosystem and cyber threats.

A&O IT Group

A&O IT Group

A&O IT Group provide IT support and services including IT Managed Services, IT Project Services, IT Engineer Services and Cyber Security.