This month’s blog post is an excerpt from our WIT Cyber & Tech SIG friend Beth Musumeci, Vice President of Cybersecurity at ICF International.
“Don’t Let the Cybersecurity Blues Get You Down … Some Practical Tips That Can Really Add Up”

By Beth Musumeci
Day by day, and almost seemingly hour by hour, cybersecurity breaches are surfacing in the news, in the papers, in notices from our banks, retailers, manufacturers, and our government; no industry and no enterprise is being spared.
The fact is, the cybersecurity challenge is not insurmountable. Yes, there exists highly sophisticated malware, and there are threats that are difficult to detect and that cause undesirable outcomes. However, in most cases, the breaches about which we are hearing weren’t caused by those types of sophisticated attacks. More often than not, basic network defense methods could have prevented these breaches, or at least could have greatly minimized their impact.
Here are a few tips to help you defend your organization against some of the most common threats:
First, be sure you understand that just being compliant with regulation isn’t enough. You must know what vulnerabilities exist in your environment and manage those vulnerabilities, regularly and diligently. Perform vulnerability assessments continuously, or have a provider perform them for you. Check for and correct default passwords in your network and hardware configurations. Ensure you are correcting vulnerabilities in a timely manner, and don’t just assume the corrections were completed; verify that they were. (It’s the device that you thought was off the network but was never decommissioned, or the server that was patched but never rebooted so the patch could take effect, that become common threat vectors, and sometimes the news.)
Next, understand that cybercriminals will take the trouble to know your network as well as they can. So, you must know your network, and that includes to whom you allow it to connect. A common oversight is actually a short-sighted definition of ‘your network’. Expand your definition beyond your enterprise and employees; include third parties too. If you have suppliers, vendors, accountants, ‘you name it,’ connecting to your environment, make sure they are following your security policy, and that should include ‘their’ suppliers, too. Don’t just assume they are; assess and verify that they are. Ensure your agreements with third parties require proof, as well as your right to verify.
Make cybersecurity a company topic, not just the Chief Information Security Officer’s campaign. Educate staff through awareness training, and even testing. Ensure your most senior leaders take part in creating the necessary awareness, as well as in supporting the solutions to minimize the risk. Be the catalyst to kick the blues. The more security aware your business, the more empowering technology will be to your business.
All these measures lead us to the need to embrace new technologies, because saying “no” will not stop them from being introduced into your environment; it just means you will be ill-prepared for the threats introduced when they find their way in, because they will. That doesn’t mean adopt new technologies immediately: perform an assessment, and then develop a plan and policy to minimize the risks to your enterprise. Keep your security strategy current and make sure it includes practical defense mechanisms for the technologies of today, as well as those of tomorrow.
Most important, don’t give up. The problem isn’t as overwhelming as it may seem. Make sure you have a basic defense program in place, as well as an incident response plan should the unfortunate occur. Use experts when needed to augment or test your program; it doesn’t have to be elaborate or expensive to prevent most problems.
Remember: cybercriminals aren't “super-human.” They reuse old malware because they know many enterprises don't take the trouble to put in place basic cybersecurity programs. Implementing those programs isn't always hard. Identifying a trusted cybersecurity partner to help you put in place a basic program, and doing so proactively, can save valuable time when you might need it the most, because the best defense is prevention, preparedness and effective response.
Beth Musumeci is Senior Vice President, Cybersecurity at ICF International.