Cyber security risk management is no longer confined to solid firewalls and state-of-the-art Virtual Private Networks. A video that recently caught my attention may make you re-think the cyber security programs you have (or intend to have). Have a look … Video credit: CNA Insider.
Here are the factors you should focus on and plan around before building or strengthening cyber security risk assessments. Break them down into segments based on users, data, location and devices. Security risk assessments must take a holistic approach that includes human vulnerabilities as well, not just machines and devices.
- What kind of data do you want to protect: your business assets (physical, financial and information), employees’ data, client/customer information?
- Where is your data located, in the cloud or on premise? Think through your cloud security concerns, whether you are in a shared tenancy or a private cloud. Even if your cloud service provider offers basic risk management controls, you are still responsible if your data in the cloud gets leaked.
- Do the applications you run (or intend to run) have basic security built in? Do they perform a context-based sign-in before granting access? Do they provide the flexibility to set up multi-factor authentication on different devices like mobiles, tablets and laptops?
- Have you categorized your users (for example, how many are temporary, contractual or permanent)? Who needs privileged access to critical data and transactions?
- What kind of devices do users use to perform their tasks, and do they work from within the company’s perimeter or firewall, or from outside it?
- Should you adopt a “zero-trust” security policy? When employees are allowed to “bring your own device” (BYOD), as some companies permit, can you take the risk of an infected device sharing information with a hacker or exposing your organization to a malicious attack?
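As an added illustration (not code from the original post), the following Python sketch shows how the four segments above, user, data, location and device, can feed a context-based sign-in decision that returns allow, step-up to MFA or deny, with the reasons recorded for audit. The field names, point values and thresholds are assumptions chosen for the example.

```python
"""Context-based sign-in decision over the four segments named in the checklist:
user, data, location and device. Constructed example; the weights are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class SignInContext:
    user_type: str          # "permanent", "contractual" or "temporary"
    privileged: bool        # user holds privileged rights on the target data
    data_class: str         # "public", "internal" or "confidential"
    inside_perimeter: bool  # request originates from the company network
    device_managed: bool    # enrolled, managed device (False = BYOD)
    device_healthy: bool    # endpoint posture check passed (patched, AV running)


def score_context(ctx: SignInContext) -> Tuple[int, List[str]]:
    """Accumulate risk points, keeping a reason per hit so the decision is explainable."""
    checks = [
        (ctx.user_type != "permanent", 2, f"{ctx.user_type} user"),
        (ctx.data_class == "confidential", 3, "confidential data"),
        (ctx.data_class == "internal", 1, "internal data"),
        (not ctx.inside_perimeter, 2, "request from outside the perimeter"),
        (not ctx.device_managed, 3, "unmanaged (BYOD) device"),
        (not ctx.device_healthy, 4, "device failed posture check"),
    ]
    hits = [(points, reason) for cond, points, reason in checks if cond]
    return sum(p for p, _ in hits), [r for _, r in hits]


def decide(ctx: SignInContext) -> Tuple[Decision, List[str]]:
    """Zero-trust rules first (hard denies), then the risk score picks the outcome."""
    score, reasons = score_context(ctx)
    # An unhealthy device never reaches confidential data, even from inside the perimeter.
    if not ctx.device_healthy and ctx.data_class == "confidential":
        return Decision.DENY, reasons
    # Privileged access is only granted from a managed device, BYOD or not.
    if ctx.privileged and not ctx.device_managed:
        return Decision.DENY, reasons + ["privileged access requires a managed device"]
    if score >= 8:
        return Decision.DENY, reasons
    if score >= 3:
        return Decision.STEP_UP_MFA, reasons
    return Decision.ALLOW, reasons
```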
When evaluating security solutions, keep in mind:
- Solutions that protect the “perimeter” of the company (firewalls, anti-virus / anti-malware software, anti-phishing appliances, network sniffers, etc.), that is, the border around its physical locations and intranets, are not sufficient. Most such solutions cannot recognize application-level security breaches or proactively inform the CISO’s office of the risk so that the breach can be plugged immediately.
- Large companies with a geographical spread have a different set of requirements to deal with than small or mid-size companies.
- Companies that still rely on old, proprietary legacy systems that cannot take the latest technology upgrades face a more complex security picture.
- Look for solutions that help you centralize the various types of log information in real time (or close to it) from multiple systems. They must be able to maintain an inventory of the assets and sources being monitored (networks, servers, terminals, mobile devices, laptops, access and audit logs, wireless access from extranets, etc.).
- They should be able to track users, their roles and their use of the various actions and tasks within the system, and should ensure that a context-based risk assessment is done periodically. Keep up-to-date information about everyone (employees, customers and suppliers) who has access to your systems and about the devices they use.
- Placing your single sign-on outside of your perimeter (on the internet) requires careful thought, not only because of the complexity of the scenarios involved but also because of legal compliance requirements (such as data privacy laws).
- Migrating to a cloud environment requires you to assess the security risks carefully, including whether your cloud service provider is experienced enough to cover the larger security picture: not just employee access but also the B2B or B2C scenarios your organization uses.
- Do not make security risk assessment a quarterly or annual affair; it should be an ongoing exercise. It is best implemented as part of daily operations, so that you are alerted early enough to react to breaches before severe damage is done.