How To Develop Good Cybersecurity Practice

Uploaded on 2019-01-10 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The potential business revenue from rising compliance requirements and security threats is hard to ignore. The increasing press coverage of ransomware attacks and fines for non-compliance is driving awareness and urgency.

Even the slow adopter business owners and managers know something needs to be done to limit their corporate risks and individual exposure, and time isn’t on their side.

What tools are necessary, how to integrate it into the IT services offering, how to market it? What are the best ways to go about developing sound cybersecurity policies and practices in 2018 that could be used for commercial gain as well as internal commercial security? Here are some recommendations.

1.Update Software and Systems

After Spectre struck in Jan 2018, Apple issued security fixes for its iOS 11 operating system This is no different from what other IT vendors do when they discover a security vulnerability. However, the rub for IT is making sure that the diversity of devices that are in the hands of users are all updated with the latest versions of a bevy of OSs.

This requires centralised policy making in IT that likely adopts a 'push' methodology, forcing new security updates onto a user's device when they connect to the network, instead of a 'pull' methodology, which notifies the user that a new security patch is available and gives them the option to load this new software when it's convenient.

2.Conduct Top-To-Bottom Security Audits

If your company hasn't already done so, it should conduct a thorough security audit of its IT assets and practices. This audit will review the security practices and policies of your central IT systems, as well as your end user departments and at the 'edges' of your enterprise, like the automated machines and IoT you might be employing at remote manufacturing plants.

The audit should look not only at the software and hardware techniques you have in place to protect security but also at remote site personnel habits and compliance with security policies.

These audits should be carried out by an independent cyber-audit business that brings a clear understanding of cyber security to the business being audited, this would be similar to a Financial Audit and so it should also bring a certification of completion and security each year.

3.Don't Forget Social Engineering

As part of your end-to-end IT audit, you should include social engineering, which reviews whether your employees are demonstrating vulnerability when it comes to offering up confidential information

This social engineering can be as simple as someone shouting a password to a co-worker over an office partition, or it could be a user who pulls up a website at work and surrenders passwords or other vital information that ultimately gets into the wrong hands.

4.Demand Audits from Vendors and Business Partners

According to a 2017 report by Commvault and CITO Research more than 80 percent of companies see the cloud as integral to their technology. But with the move away from internal data centers, it's also become more important to demand regular IT audit reports from your vendors and business partners. Companies should have policies in place that require regular security audit reports from vendors they are considering before contracts are signed.

Thereafter, vendors, as part of their SLAs, should be expected to deliver security audit reports on an annual basis.

5.Provide New and Continuing Security Education

Cyber-security education should be a staple of every new employee orientation, with new employees signing off that they have read and understood the training.

On an annual basis, a refresher course in cyber-security practices should also be given to employee’s companywide. This ensures that security policies and practices stay fresh in employees' minds, and that they understand any policy additions or changes.

6.Watch the Edge

Manufacturing 4.0 and other remote computing strategies are moving computing away from data centers and out to the edges of companies. This means that a manufacturer with a remote plant in Ireland is likely to have manufacturing personnel operate automated robots and production analytics with local servers in the plant.

Software and hardware security must be maintained on these devices, but the devices must also be locally administered under accepted cybersecurity policies and procedures by personnel who are asked to do these jobs without an IT background.

This is a security exposure point for the company and for IT that requires training of non-IT personnel in IT security policies and practices, as well as oversight by IT and auditors.

7.Perform Regular Data Backups that Work

If your data is compromised or held hostage in a ransomware attack, a nightly data backup will at least enable you to roll back to the previous day's data with minimal loss. It’s a simple enough policy and practice to enact.

Unfortunately, a bigger problem for companies is not so much that they don't perform data backups, it's that the backups don't always work.

One of the most important cyber-security policies that corporate IT can put in place is a requirement that data backups and disaster recovery minimally be full-tested on an annual basis to ensure that everything is working properly.

8.Physically Secure Your Information Assets

Even if software, hardware, and network security are in place, it doesn't help much if servers are left unsecured on manufacturing floors and in business units.

Physical security, like a locked 'cage' for a server in a plant that is accessible only to personnel with security clearance, is vital. Security policies and practices should address the physical as well as the visual aspects of information.

9.Maintain Industry Compliance

Especially for companies in highly regulated industries like healthcare, insurance, and finance, regulatory compliance that concerns IT security should be closely adhered to.

Companies in these industries should annually review security compliance requirements and update their security policies and practices as needed.

10.Inform Your Board and CEO

A successful cybersecurity strategy is one where you never find yourself in front of the CEO or the board having to explain how a cyber breach happened and what you are doing to mitigate it. Unfortunately, great security systems are 'invisible', because they never give you problems.

This makes it important for CIOs, CSOs, and others with security responsibilities to clearly explain cybersecurity technologies, policies, and practices in plain language that the CEO, the board, and other nontechnical stakeholders can understand.

If the non-technical people in your organisation can't understand why you are enacting a certain policy or asking for a sizeable investment for a cybersecurity technology, you're going to have trouble making your case, unless you're all suffering through an embarrassing security breach that could end careers and put the entire company's survival on the line.

IOTSSA:    ZDNet:

To get more information and benefits go to:

Data Protection in the UK Public Sector - Conference
Securing the Benefits of GDPR Compliance
Central London
Thursday 7th February 2019 to book please go to: www.publicpolicyexchange.co.uk

« Major US Newspapers Under Malware Attack
Quantum Computing – Advantage Or Security Threat? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Assure Technical

Assure Technical

Assure Technical offers a holistic approach to Technical Security. Our expertise and services span across the Physical, Cyber and Counter Surveillance domains.

Digitus Biometrics

Digitus Biometrics

Digitus Biometrics is a market leader in biometric access control. We can secure access to any entry point, from the front door to the server rack cabinet.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

Cyber Base

Cyber Base

Cyber Base is an Information Technology company based in Uganda providing software and hardware solutions to clients.

KOVRR

KOVRR

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.

Asset Guardian Solutions (AGSL)

Asset Guardian Solutions (AGSL)

Asset Guardian are dedicated to protecting the integrity of process control systems software that is used to control operations and production processes.

MPC Alliance

MPC Alliance

The mission of the MPC Alliance is to accelerate adoption of MPC (Multi-Party Computation) technology.

Diateam

Diateam

Diateam is an R&D company specializing in computer security. Diateam develops highly innovative cyber range platforms and Industry-leading systems for cybersecurity training and testing labs.

NuCrypt

NuCrypt

NuCrypt is developing technology that is applicable to ultrahigh security data encryption as well as key distribution.

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute builds on the strength of its members in the area of network and communication security, artificial intelligence, big data and cyber physical systems.

MazeBolt Technologies

MazeBolt Technologies

Israel-based MazeBolt is an innovation leader in cybersecurity, with over two decades of experience in pioneering DDoS protection solutions.

SecureDrives

SecureDrives

Passwordless Authentication & Encrypted Data Storage Solutions from SecureDrives. We are enabling organisations to work safely and securely, using technology driven solutions.

AVANT Communications

AVANT Communications

AVANT is a premier distributor of next generation technologies with the resources and relationships needed to successfully navigate the ever-changing world of communications and IT infrastructure.

Cyber Security Global

Cyber Security Global

Cyber Security Global is a leader in electronic security, consultancy, technology, cybersecurity solutions, training, and specialized products.

NeuroID

NeuroID

NeuroID combines the power of industry-leading behavioral analytics with advanced device and network intelligence to create your first line of defense against malicious bots, bad actors, and fraud.