Information security was once seen as a problem for the IT department. It was generally assumed that the people who administered the network and the systems on it were keeping everything secure and, in that simpler era, breaches were often not much more than an inconvenience. This has changed dramatically as attackers have grown more sophisticated and networks carry vital information that can be impacted during a breach.
While the IT department may carry part of the burden, securing an organization today requires participation from everyone, from the executives to each individual employee regardless of job role, so that the organization can prepare for future threats while still performing the fundamentals of information security. The essential security tasks can be divided into strategic, operational, and tactical levels, each focused on a different time horizon and level of detail.
The top level is strategic planning. This level needs to include both IT security management and senior level organizational leadership. The team determines the overall magnitude and priorities of a defensive program’s immediate and long-term objectives. The key questions for the team to address include:
- How much budget and what resources do we allocate to cybersecurity?
- What are the systems, data and operations that we must protect?
- How do we prioritize those protections?
- How much inconvenience or disruption in operations is acceptable to ensure protection?
Note that an increasing number of industries are subject to regulation regarding the protection of financial, medical, and personal data. Firms must not only comply with regulations, but must also assess their own competitive position and assets. It is essential that the strategic team provides clear, consistent direction so that program decisions and tactics support the most important identified objectives.
The second level is operational. The planning window for this level is shorter than the strategic level, perhaps weekly at the shortest extreme and up to several months at the longest interval. The primary purpose at this level is to recognize current and emerging threats and understand their motivations, methods, and campaigns, so that resources, processes and systems can be implemented for protection. Key questions for this level should include:
- Are we now a desirable attack target, and why?
- Are factors pending that could raise our threat level?
- Do we have the right staff and tools in place to address these challenges?
- Have third-party vendors with access to our data been properly vetted for cybersecurity protections?
- Have we adequately trained our staff on current methods of phishing and similar matters?
- Are we collecting the right data to recognize and understand threats?
- Is our software and patch management process effective?
- What new information or training would help strengthen our defenses?
- Are our incident response procedures up to date with best practices?
Together, these questions will help the team implement a well-conceived cybersecurity plan so they can deploy the required resources to support the identified strategic objectives on an ongoing basis.
The third level is tactical. This level is where the day-to-day monitoring and investigative tasks align with the cybersecurity plan or roadmap so that detected incidents trigger the most appropriate responses. At this level, the deployed staff and systems implement the cybersecurity strategies set by the strategic and operational teams, and make decisions within that framework based on real-time inputs. The questions to be addressed are specific and time-sensitive:
- Are our security and data collection systems working as intended?
- Are we following specified backup, patch management, and vulnerability scan processes rigorously?
- Is anything unusual happening on our network?
- When something unusual happens, is it an attack?
- How do we respond when attacked?
This tactical level is critically important. It is the actual implementation of the cybersecurity strategy: it collects the data and information used for analysis, response, and reporting to C-suite management on the program’s effectiveness and on protection against emerging threats.
Unfortunately, not all threats come from outside the organization. Every cybersecurity program must also account for the possibility of insider threats and incorporate appropriate detection, response and mitigation processes. This is required because the cost of addressing cyber attacks can be considerable – in the millions of dollars for organizations with between 1,000 and 5,000 employees, and even higher on average for larger organizations.
It is important to note that the majority of insider breaches are unintentional – we find that approximately 75% of such breaches are accidental, due to negligence, or the result of actions contrary to established policy. The fraction of breaches that are intentionally hostile to the organization, while small, is normally undertaken with the aim of hiding or misdirecting the perpetrator's actions, so specific, active monitoring must be used to detect such events.
Here are some recommendations that can help mitigate insider threats:
- Objectively evaluate insider threat risks by identifying where they are most likely to occur, either intentionally or unintentionally.
- Ensure information access privileges are established for assigned functions, and limit access to areas outside of each individual’s assigned responsibility.
- Review privileges periodically.
- Automate network monitoring for unusual behaviors.
- Use separation of duties, mandatory leave, and other techniques to provide oversight for critical job functions.
In general, it is always worth considering the use of trained third-party cybersecurity professionals to provide an objective view of information architectures, processes and threat risks. The use of a managed security services partner can help provide a range of risk mitigation services, including:
- Continuous network monitoring and attack detection.
- Offline and off-site backups and business recovery processes.
- Actionable intelligence on emerging cyber threats.
- Regular vulnerability scans and penetration tests.
- Incident response and forensics.
- Automated software monitoring and upgrade/patch management.
Online commerce, collaboration and communications have revolutionized productivity while also providing new opportunities for cyber criminals and increasing organizational risks. Implementing an appropriate cybersecurity defense plan allows teams to focus on their objectives while addressing the risk factors that can present a significant financial or even existential threat to the organization.
Adapted from a byline originally published on CSO Online.