Cyber attack or cyber crime news is not hot anymore. Attacks are common now not only on small-scale organizations but even on large corporations, retail chains, national defense entities, law enforcement agencies, oil companies, and nuclear agencies; and the list goes on.
The number and spectrum of victims of cyber crime are alarmingly on the rise. Even the most advanced and mature businesses, and educated, vigilant individuals, are falling victim to targeted attacks.
Entities that are supposed to have the best security teams and cutting-edge security controls are getting compromised.
The million-dollar question is: what is the ultimate and foolproof solution to protect your institution?
What do we lack in our cyber security programs, even though we spend millions purchasing the latest solutions and have implemented a wide variety of security software across the organization?
As a known fact, 100% security is not a reality, which we should accept and move forward. However, the concern is that organizational cyber security programs always fall short even on the basic controls expected from any entity.
What we should focus on is ensuring that we make the best possible effort, with the right due diligence, and manage the risks more effectively. Ensuring certain key actions throughout the development and management of the information security program can give better control over the security posture of the organization.
The challenge faced by cyber security professionals is that they are required to make sure that every security gap is closed (as soon as possible) to protect their organization from cyber attacks. On the other hand, an attacker just needs to find a single vulnerability to break into the organization's network, and has plenty of time in which to do it.
What goes wrong?
Let us look at some of the critical errors most teams make in their approach to managing their information security program.
- Security professionals' focus gets diverted to the latest security tools and solutions, and they keep forgetting and neglecting the security basics.
- Over-dependency on procuring and implementing the most advanced technology to prevent the latest threats is always a cat-and-mouse game with hackers.
- Thinking that cyber security can be achieved just by IT and technologies, and failing to recognize the importance of the right processes and awareness among the stakeholders, including employees.
- Lack of a holistic approach leads to addressing cyber security issues superficially. Instead of understanding the root causes in order to define corrective action plans, the focus is just on clearing the symptoms for the time being. When one security gap is closed, hundreds of other vulnerabilities open up on the same system or somewhere else. In certain cases, the identical issue reappears on different systems/areas, or even on the same system.
- An inconsistent approach towards cyber security, by not following the controls and processes for every business activity and operation of the company.
- Lack of complete visibility of organizational processes and assets, hence being blind to the security risks associated with them.
- Too many software products and tools implemented over and over again. Most companies fail to configure this software for maximum efficiency.
- After designing and deploying the best security for the company, if the IT team carries out uncontrolled changes, it could open up new security holes that bypass all the controls implemented until then.
- Control assessments focused on IT systems that are online (in production), while copies of sensitive or valuable information may be available in test/development systems (online or offline) or in external storage. Unreliable security test results and certifications may depict the organization as secure, when in fact critical business data may be available without the right security and easily prone to unauthorized access.
- Absence of efficient classification and monitoring of information, and not enough importance given to data-centric security.
- Shadow IT, and subscription to cloud-based and other external services, without adequate risk assessment and control implementation.
- Over-dependence on employee security awareness, where the possibility of negligence or human psychology always poses a threat.
- Uncontrolled and unmanaged outgoing traffic (with no visibility either). Lack of monitoring and control of this could end up in major security incidents.
- Policies and procedures that become just static documents, not adequately implemented or effective.
- A CISO who does not have the authority, budget, resources, and reach to ensure end-to-end security.
- Putting security in as an afterthought, adding it as a separate layer instead of building it into the application and also into the organizational processes and culture.
- Lack of an adequate incident management process to contain the impact of a security incident/breach.
What is the right approach?
An information security professional must explore at least the steps and actions below.
- Have an inventory of all services, processes, and assets, and also define the relationships between them.
- Identify and document all external (Internet-facing) interfaces of the organization, where significant security risks are inevitable compared to the internal network.
- Non-Internet external interfaces (partner/client/vendor) shall also be assessed and evaluated for risks.
- Ensure clear visibility of all incoming and outgoing traffic related to the organization, for identifying and acting upon any suspicious activities or potential security incidents/breaches.
- Identify, classify, and provide full visibility of all information that is valuable to the business, with defined protection measures to prevent data leakage by internal or external actors.
- Automate policy enforcement and security controls wherever possible, to avoid human errors and the associated security risks.
- Enforce a data-centric security process, so that physical and geographical boundaries do not limit visibility and control effectiveness. Even if the data is in the cloud, the organization ensures its protection with the right level of controls.