The attack on Yahoo in 2014 was unprecedented in size, more than
triple other large attacks on sites such as eBay Inc., and it
comes to light at a difficult time for Yahoo.
- Adopt a cybersecurity-conscious culture. The
first, important step is to instill a security culture in the
organization. To do that, a number of initiatives can be implemented to
involve the entire staff (including management) in a collective
effort towards safeguarding the systems and data. For example,
an environment where everyone is aware of his or her own
importance for the protection of the business, is and feels
accountable, and is encouraged to contribute by sharing ideas
and concerns is the best ground for the proper reception of
security policies and awareness initiatives.
- Develop an effective security plan coordinated with
decision-makers.
A plan must be in place to clearly describe where the organization
stands and how it is progressing towards safeguarding systems and
data. It is essential, however, to secure the buy-in of the company's
decision-makers; C-suite executives, senior leaders and board members need
to be aware of the security plans and needs of the organization,
and they need to approve all strategies. Executives need to have
a say in which assets are considered the most
critical to protect and how much risk the organization is willing
to take when making information security decisions. This is
particularly important to ensure the adequate and timely funding of
any needs the business might have to secure its systems or respond
to incidents.
- Apply user training and awareness.
Investing in cyber awareness training, the most significant
activator of cybersecurity readiness, is one of the best possible
moves. As many cyber threats exploit the human factor, it is
fitting that a company invest not only in technical safeguards but
also, and especially, in the workforce to improve its ability to
adapt and thrive in an evolving threat landscape. Educating users
on cyber risks while teaching best security practices helps reduce
the likelihood of staff becoming easy targets of
phishing, hacking or malware. A good awareness program is made of
different phases and approaches, as mentioned in The Components of
Top Security Awareness Programs, and is to be tailored to the
organization, its requirements, and its workforce. The key is that
everyone is involved in training (management included) to convey
the importance awareness has for the organization, and so that
everyone feels a part of the company's cyber resilience approach. A
good security awareness program not only gives information and tips on how
to spot and avoid common pitfalls but also puts in perspective for
employees all the restrictive measures enforced by the organization
and gives weight to the often-cumbersome policies and
procedures that are released. It also requires devising and
implementing activities such as self-assessment and program
evaluation in order to identify improvements as well
as gaps and deficiencies to be addressed.
- Don't be afraid to outsource your cybersecurity.
Companies that lack trained staff or don't have on-premises IT
software and tools might consider outsourcing their cybersecurity
functions to third-party experts who can work with the
organization to neutralize threats or attacks in a way that
also ensures regulatory compliance. Smaller companies often
do not see the need to hire personnel
specifically for their cybersecurity needs, or they might have a
small office unable to provide all the functions necessary to
secure systems and data 24/7. Thus, an outsourced security program
can give quick access to specialized, fully trained professionals
who can fill staff gaps and provide the protective services needed
by the company. Cyber Security-as-a-Service, a cloud Managed
Security Service Provider (MSSP), or a Cloud Security Operations
Center (SOC) can be the best solution for defending against network
attacks around the clock and keeping up with the constant threats in
cyberspace without adding personnel costs.
Some companies see outsourcing as a risky business and fear the
amount of exposure they will need to grant the third-party
company, but contracting reputable companies with a proven track
record, signing explicit agreements, and allowing only the least
access to systems and data necessary for an external contracted
third party to perform its function can help mitigate those risks.
The same precautions can be taken when employing knowledgeable
outside experts to test the systems. Vulnerability or
security assessments can also be provided by an outside
professional, such as a penetration tester, who can give a company
options that an on-site security team cannot provide. Penetration
testing from within the premises or from outside the network
perimeter, performed with or without the knowledge of the
company's own security team, can disclose
vulnerabilities and give a deeper understanding of threat
actors, providing the essential intelligence needed for
decision-makers to take the most efficient steps towards improving
cybersecurity with targeted investments.
- Implement a security assessment program to identify
risks, threats, and vulnerabilities. This is a crucial
step to assess the security posture of a company and to measure
objectively any progress due to the implementation of new programs,
technical countermeasures, and training. Companies need to make a
full assessment of current risks, threats, and vulnerabilities
and address them through metrics against which efforts can be objectively
gauged. Using pre-defined scales (e.g., Low-Medium-High), a
business can separately assess the consequences and impact of each activity and
the likelihood of a particular kind of cyber threat activity,
and decide how to mitigate the most significant problems
first. This insight will then help determine how to handle specific
circumstances using a methodology that is appropriate for
the company, and how best to protect a
system against a specific threat or a known weakness of an
asset or resource that can be exploited by one or more attackers. An
assessment, above all, helps organizations promote a risk-aware
culture.
- Employ a purpose-made cybersecurity policy.
This is another essential part of any company's security program. A
good cybersecurity policy addresses several needs: it can raise
awareness of the potential risks and give insight into possible
vulnerabilities and how they can be corrected, so that employees
are better equipped to prevent them; it gives clear guidelines
on the acceptable use of all digital assets and data in the
company; it describes the goals of the procedures and embodies all
the detailed actions that personnel are required to follow and that
are crucial to the organization's success; it outlines where to look
for help and where to report cyber-related issues; and, of
course, it defines disciplinary consequences for out-of-policy
actions. A well-thought-out IT policy, then, must strike the right
balance between business requirements and security needs; this will
require continuously refreshing the document
to make sure it is in line with the demands of new technologies and
addresses issues that arise in the ever-changing cyber threat
landscape. If the organization, due to its size or scope, believes
a cyber policy may be unnecessary, it should at least consider
providing a quick set of guidelines that are readily
available for staff to follow.
- Acquire cyber insurance for potentially costly
outcomes.
Adding cyber insurance can really help safeguard a business, as it
covers first-party losses and third-party claims. Such insurance
will not help protect digital assets, but it might mitigate some of the
economic effects of an incident and/or provide defense and
liability coverage for any data breach cases that result in
litigation. Regulatory fines, lawsuits, damage to the reputation of
the organization's brand, recovery of data, as well as hardware
repairs and software protection due to cyber-related security
breaches or other harmful events might be covered, so companies
should carefully evaluate which options are the most cost-effective
for their needs (an insurance policy checklist might help with this
effort). As always, a credible, reputable, industry-known cyber
insurance provider should be chosen.
- Work to achieve resilience, not merely to avoid
risk. Leaders need to concentrate on the resilience of
their entire organization, as risks can be mitigated but not
eliminated. The first step is obviously hardening the network
through monitoring tools and technical countermeasures. However,
managers should also pay attention to the implementation of technical
and administrative controls and personally review the results of
any security assessments and testing to understand
where attention is needed. Working on strengthening the company's
security posture, rather than concentrating mainly on incident
response, can go a long way in protecting the business and ensuring
its quick recovery in case of trouble.
- Don't exist in a vacuum. Many companies are
used to guarding themselves against their competitors, but
collaborating with others in their own industry when it comes to IT
security could be a winning strategy. Sharing information with
similar companies nationwide or even abroad facilitates the
exchange of lessons learned and the identification of trends and common
warning signs. It also aids the creation of new standards and, in
general, strengthens the resilience of the entire industry to
attacks.
- Always have a plan B. This means having a backup
plan. A proper disaster management and business continuity plan, as
well as an effective data recovery strategy, can make the
difference after an incident and allow for a quick comeback and less
financial impact. Leaders have a role in identifying the required
recovery tempo through the preparation of a business impact
analysis (BIA) created with the data gathered during assessments.
The recovery time for IT resources and operations needs to align
with the recovery time objective identified for all business
functions and processes.
Marriott/Starwood
In November 2018, Marriott International announced that hackers
had stolen data about approximately 500 million Starwood hotel
customers. The attackers had gained unauthorized access to the
Starwood system back in 2014 and remained in the system after
Marriott acquired Starwood in 2016. However, the discovery was not
made until 2018.
The information that was exposed included names, contact
information, passport numbers, Starwood Preferred Guest numbers,
travel information, and other personal information. Marriott
believes that financial information, such as credit and debit card
numbers and expiration dates, of more than 100 million customers
was stolen, although the company is uncertain whether the
attackers were able to decrypt the credit card numbers.