State of Technology: No Matter Your Industry, It’s Time to Take Cybersecurity Seriously
In this series, professionals debate the state – and future – of their industry. Read more here, then write your own #MyIndustry post).
I have been fascinated by cybersecurity and its ever changing state for over 30 years — it’s about time the rest of the world caught up!
We’re seeing more breaches, more endpoints, more technology, more connectivity. The key word is MORE. Given this level of interactivity, cybersecurity has experienced a surge over the past five years and shows no signs of slowing down.
At Herjavec Group, information security is what we do. We manage the security postures for enterprises globally, offering services including consulting, delivery, managed security services and incident response. We act as a trusted advisor to our customers and help them decipher what’s going on in the market in order to stay on the cusp of emerging technologies and risks. I spend a lot of my time speaking with CEOs and boards about the cybersecurity risks they have to be aware of.
Here are the top cybersecurity topics you should be speaking with your executive and IT teams about to support your emergency preparedness planning.
1. Ransomware: Holding your information hostage
Ransomware is a malicious software that allows hackers to access a company’s computers, encrypt information, and then demand payment in order to decrypt it. Vulnerabilities are often exploited in third-party software including Microsoft Office, Adobe and various graphic files. McAfee Labs reported 58% growth year over year in ransomware in Q2 2015 (~ 4 million samples). Herjavec Group does not advocate for paying out or negotiating during a ransomware attack. It is recommended that all organizations have an asset back-up strategy in the event they need to recover critical information.
Ask yourself: what is our asset back-up strategy? When was the last time we classified our assets or did an inventory of our critical information? Do our employees know what to do in the event their system is compromised?
2. Mobile Malware: Take control of your mobile devices.
Multiple best of breed vendors have reported an uptick in mobile malware as part of their 2016 predictions reports. Herjavec Group is focusing on the prevalence of these issues across Android devices in particular. The attack surface is growing as more individuals and corporate customers are adopting Android technology. Unfortunately in many instances, this operating system requires carrier updates in order to issue a new release. The lengthy lifecycle of each release provides ample opportunity for hackers to exploit existing vulnerabilities before the update occurs. To mitigate the risk, it is recommended that individuals ensure their mobile devices are up to date with the latest available operating systems information and files.
Ask yourself: do we understand the scope of the endpoints connected to our network? What is our BYOD policy and how do we ensure updates are pushed across our team?
3. Cloud: Is it time to move?
Moving assets and technologies to the cloud presents a scalable, cost-effective solution offering improved visibility, and the opportunity for proactive analysis. Unfortunately many organizations are challenged to advance cloud-based projects due to concerns over control, regulatory compliance, and overall security. To manage risk, we recommend developing a benchmark to measure cloud application usage on a regular basis (ex: track progress against risk targets, report cloud trust ratings quarterly, report new cloud services in use monthly). Herjavec Group offers various cloud consulting services including vulnerability assessments, web application testing, and penetration tests.
Ask yourself: Do you know what cloud technologies are being used in your environment? Do you know what good looks like? What metrics do you use to measure security and efficiency in the cloud? How frequently are you circulating these metrics?
4. Employee Awareness: Your employees are your biggest threat.
Spending on security technology is not sufficient as many reports indicate that employees and not firewalls are the No. 1 threat vector today. Organizations must consider how they are protecting their employees’ endpoints when they leave the corporate environment for business travel or to return home. It is anticipated that home networks will become targeted as hackers attempt to infiltrate corporate data being worked on remotely. You must also evaluate what training and awareness programs you offer to ensure your employees are invested in the protection of your organization’s vital assets. Herjavec Group can provide an outline of appropriate educational materials for your team or help administer a cybersecurity awareness seminar for your organization.
Ask yourself: when was the last time your team underwent security training? What access do your employees have to the internet within the workplace or from their connected mobile devices? What restrictions are in place?
In light of the dynamic and ever evolving cybersecurity landscape, it’s highly recommended that organizations have a security framework in place. When things go wrong, there is a tendency to panic and act irrationally. Developing a security framework and ensuring it’s communicated to all of the appropriate stakeholders within your organization can help maintain the sense of calm required to get your business back to standard operations as efficiently as possible. Here are the questions that need to be addressed by your Security Framework:
What happens when you hit the panic button (ie: will it work, who do you escalate to? What’s the disaster recovery plan?)
How many risks are being taken to run tech operations (ie: layers of security control, are all systems protected equally?)
Where and what is your sensitive data (ie: can you identify what has been lost in the event of a breach? Back up and recovery plans?)