Sunday, January 31, 2016

Don’t Let the Cybersecurity Blues Get You Down …Some Practical Tips That Can Really Add Up



This month’s blog post is an excerpt from our WIT Cyber & Tech SIG friend Beth Musumeci, Vice President of Cybersecurity at ICF International.


“Don’t Let the Cybersecurity Blues Get You Down …Some Practical Tips That Can Really Add Up”

By Beth Musumeci

Day by day, and almost seemingly hour by hour, cybersecurity breaches are surfacing in the news, in the papers, in notices from our banks, retailers, manufacturers, and our government; no industry and no enterprise is being spared.

The fact is, the cybersecurity challenge is not insurmountable.  Yes, highly sophisticated malware and threats exist that are difficult to detect and that cause undesirable outcomes.  However, in most cases, the breaches we are hearing about weren’t caused by those types of sophisticated attacks.  More often than not, basic network defense methods could have prevented these breaches, or at least could have greatly minimized their impact.

Here are a few tips to help you defend your organization against some of the most common threats:

First, be sure you understand that just being compliant with regulation isn’t enough.  You must know what vulnerabilities exist in your environment and manage those vulnerabilities, regularly and diligently.  Perform vulnerability assessments continuously, or have a provider perform them for you.  Check for and correct default passwords in your network and hardware configurations.  Ensure you are correcting vulnerabilities in a timely manner, and don’t just assume the corrections were completed; verify that they were.  (It’s the device that you thought was off the network but was never decommissioned, or the server that was patched but never rebooted so the patch could take effect, that become common threat vectors, and sometimes the news.)

Next, understand that cybercriminals will take the trouble to know your network as well as they can.  So you must know your network, and that includes knowing whom you allow to connect to it.  A common oversight is a short-sighted definition of ‘your network’.  Expand your definition beyond your enterprise and employees; include third parties too.  If you have suppliers, vendors, accountants, ‘you name it,’ connecting to your environment, make sure they are following your security policy, and that should include ‘their’ suppliers, too.  Don’t just assume they are; assess and verify that they are.  Ensure your agreements with third parties require proof of compliance, as well as your right to verify it.

Make cybersecurity a company topic, not just the Chief Information Security Officer’s campaign.  Educate staff through awareness training, and even testing. Ensure your most senior leaders take part in creating the necessary awareness, as well as in supporting the solutions to minimize the risk.  Be the catalyst to kick the blues.  The more security aware your business, the more empowering technology will be to your business.

All these measures lead us to the need to embrace new technologies, because saying “no” will not stop them from being introduced into your environment; it just means you will be ill-prepared for the threats introduced when they find their way in – because they will.  That doesn’t mean adopting new technologies immediately: perform an assessment, and then develop a plan and policy to minimize the risks to your enterprise.  Keep your security strategy current and make sure it includes practical defense mechanisms for the technologies of today, as well as those of tomorrow.

Most important, don’t give up.  The problem isn’t as overwhelming as it may seem.  Make sure you have a basic defense program in place, as well as an incident response plan should the unfortunate occur.  Use experts when needed to augment or test your program; it doesn’t have to be elaborate or expensive to prevent most problems.  Remember – cybercriminals aren’t “super-human.”  They reuse old malware because they know many enterprises don’t take the trouble to put in place basic cybersecurity programs.  Implementing those programs isn’t always hard.  Identifying a trusted cybersecurity partner to help you put in place a basic program – and doing so proactively – can save valuable time when you might need it the most, because the best defense is prevention, preparedness and effective response.

Beth Musumeci is Senior Vice President, Cybersecurity at ICF International
