Cybersecurity CEO: Top 5 Questions C-Suite Executives are Asking About Cybersecurity
March 15, 2018
Cyber intrusions and damages can be reduced by cyber resilient organizations
I spend a lot of my time meeting with boards and our C-level customers. Many ask me the same questions so I’ve decided to share the answers to the 5 most popular questions I’m asked about Cybersecurity in the latest edition of the Cyber CEO.
What’s the likelihood that my organization will be the victim of a cybercrime?
To be clear - this doesn’t mean an epic hack making its way into the news. It could mean a cyber intruder with access to your systems, dwelling in your network right now - but they haven’t stolen anything (yet). Or it can be one of your employees, in their home office, clicking on a spear phishing email and exposing your data to a ransomware attack.
It could even be you, on your own corporate laptop, using public wifi and processing an online payment, without considering the risk of others monitoring or using that same connection.
When I’m asked this question, my answer is effectively 100%: assume it will happen. I then transition quickly to a conversation about how prepared the organization is to deal with a breach or attack, because that’s the most important conversation we can have. I like to ask about the organization’s security technology stack, their approach to insourcing vs outsourcing, and the sophistication of their security policies and controls. This helps me understand the firm’s maturity and degree of preparedness to deal with an incident.
I’ve improved my visibility, now how can I improve prevention of a cyber intrusion before it occurs?
Prevention requires a strong balance of process and multiple layers of technology. You’ve got to have the right combination of services and tools in place to prevent attacks, including intrusion prevention solutions, web security solutions, application controls and threat hunting – to name a few. I strongly advocate for implementing or upgrading your Identity and Access Management (IAM) system as well. Realistically, people are the weakest link, so the more we can do to educate our teams about security risks, and control the privileges associated with their “corporate identities” and access points across our corporate environment, the better.
Historically, IT security focused largely on verifying the identities of users seeking access to corporate networks. A modern IAM system should do this and, in addition, should authorize access to systems, devices, and data based on much more than a username. Permissions should be based on a person’s title, job function, division or department, physical location, the date and time of day they seek access, which network(s) they’re using, and for how long. You can’t depend on a corporate firewall to protect all of your data -- because so much of your data is not stored behind the firewall. Today we’re addicted to our devices – mobile phones, tablets, laptops etc. The lines between personal and corporate devices are blurring. So how do we control these expanded endpoints? We focus on the IAM program.
With a strong IAM system, we gain visibility and control about the very things we’re worried about the most – our network and our people.
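As an added example (not code from the original column or from Herjavec Group), here is what an attribute-based access decision of the kind described above looks like when written down: every rule is a predicate over the requester’s title, department, office, source network, time of day and requested session length, an explicit deny beats any allow, and a request that matches nothing is denied. The corporate address ranges, the policies and the sample requests are all invented for the illustration.

```python
"""Attribute-based access decisions: not just a username, but title, department,
location, network, time of day and requested session length.
Added example; the policies, networks and users below are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed corporate address space (hypothetical).
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Request:
    user: str
    title: str
    department: str
    office: str            # physical location from badge/VPN profile
    source_ip: str         # which network the request arrives from
    when: datetime         # date and time of the request
    session_minutes: int   # how long access is requested for
    resource: str
    action: str


def on_corporate_network(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def business_hours(when):
    return when.weekday() < 5 and time(8, 0) <= when.time() <= time(18, 0)


# (effect, resource, action, predicate). Explicit deny beats allow; default is deny.
POLICIES = [
    # Nobody writes to anything from outside the corporate network, whatever their title.
    ("deny", "*", "write", lambda r: not on_corporate_network(r.source_ip)),
    ("allow", "payroll-db", "read",
     lambda r: r.department == "finance" and on_corporate_network(r.source_ip)
     and business_hours(r.when) and r.session_minutes <= 60),
    ("allow", "payroll-db", "write",
     lambda r: r.title == "payroll manager" and r.department == "finance"
     and r.office == "Toronto HQ" and business_hours(r.when)),
    ("allow", "wiki", "read", lambda r: True),
]


def _match(pattern, value):
    return pattern == "*" or pattern == value


def decide(req):
    """Return (decision, reason). Deny rules override allows; no match means deny."""
    allow_reason = None
    for effect, resource, action, predicate in POLICIES:
        if _match(resource, req.resource) and _match(action, req.action) and predicate(req):
            if effect == "deny":
                return "deny", f"explicit deny rule for {resource}/{action}"
            allow_reason = allow_reason or f"allow rule for {resource}/{action}"
    if allow_reason:
        return "allow", allow_reason
    return "deny", "no matching allow rule (default deny)"


TUESDAY_10AM = datetime(2018, 3, 13, 10, 0)
SATURDAY_10AM = datetime(2018, 3, 17, 10, 0)

# Constructed requests for a finance analyst, a payroll manager and a sales rep.
SAMPLE_REQUESTS = {
    "analyst_read_from_office": Request("alice", "analyst", "finance", "Toronto HQ",
                                        "10.1.2.3", TUESDAY_10AM, 30, "payroll-db", "read"),
    "analyst_read_from_cafe": Request("alice", "analyst", "finance", "Toronto HQ",
                                      "203.0.113.5", TUESDAY_10AM, 30, "payroll-db", "read"),
    "analyst_read_weekend": Request("alice", "analyst", "finance", "Toronto HQ",
                                    "10.1.2.3", SATURDAY_10AM, 30, "payroll-db", "read"),
    "analyst_read_all_day": Request("alice", "analyst", "finance", "Toronto HQ",
                                    "10.1.2.3", TUESDAY_10AM, 480, "payroll-db", "read"),
    "manager_write_from_office": Request("bob", "payroll manager", "finance", "Toronto HQ",
                                         "192.168.5.9", TUESDAY_10AM, 30, "payroll-db", "write"),
    "manager_write_from_cafe": Request("bob", "payroll manager", "finance", "Toronto HQ",
                                       "203.0.113.5", TUESDAY_10AM, 30, "payroll-db", "write"),
    "sales_read_payroll": Request("carol", "account exec", "sales", "Toronto HQ",
                                  "10.1.2.4", TUESDAY_10AM, 30, "payroll-db", "read"),
}


def run_samples():
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_samples().items():
        print(f"{name:28} {decision:5} {reason}")
```

The point of the sample set is the cases that fail: the same analyst who is allowed to read payroll from her desk is refused from a coffee-shop address, on a Saturday, or when she asks for an eight-hour session, and the payroll manager who may write to the database from the office is refused the same write from the coffee shop even though his title and department are unchanged.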
Our organization is struggling to hire experienced cybersecurity professionals – and when we do, it’s hard to keep them. What can we do?
This is an industry-wide problem. You’re not alone.
I’ve often said that there’s 0% unemployment in our space and an area of opportunity is to break down the walls between IT and cybersecurity.
“Every IT position is also a cybersecurity position now,” says Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. “Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people” adds Steve.
His point is simple and I certainly agree. Historically, there’s been a line drawn in the sand between an IT organization and its security team. In fact, aside from the CIO, one of the few other IT “Chief” titles is CISO (Chief Information Security Officer). But it’s the larger group of IT workers that can be your future cybersecurity pros -- perhaps more so than new security hires, since finding those hires is one of the most daunting challenges now.
Half the staffing battle is the process of hiring an employee into your company. There’s the recruiting and pre-screening process, multiple interviews, salary negotiations, and more. And then onboarding follows. Some percentage of these people will resign or be terminated in less than two years. Better to tap into your current IT workers, where possible, and cross-train them. At Herjavec Group we pride ourselves on our team’s ability to promote from within. We advocate for progression from Corp IT to our SOC to our other services areas including consulting, professional services and even customer facing roles within our Technical Account Manager group. We focus on security fundamentals and security-specific certifications so our team advances to learn new disciplines within our environment. We’ve started an HG Knights of the Roundtable program so team members with an interest in different service areas – firewall, endpoint, SIEM, IAM etc – can meet, discuss latest initiatives and be mentored by the designated “knight”. Retaining our talent is a top goal so it’s important that we offer a breadth of security experiences and find creative ways to keep our experts engaged.
It’s been predicted that there will be 3.5 million unfilled cybersecurity positions by 2021, up from 1 million openings in 2014. We are in the midst of a severe shortage of cybersecurity workers. Now, more than ever is the time to take a hard look at your entire IT workforce and think about how they can become more involved in your cyber defense.
Should we train all our employees on cybersecurity?
Yes. Yes. And then if I wasn’t clear – YES!
It’s been widely reported that 91% of cyber-attacks, ransomware attacks in particular, begin with a spear phishing email sent to an unsuspecting employee. Still need convincing?
In terms of moving the needle on an organization’s cybersecurity effectiveness, training employees will deliver big gains. Ransomware is one of the fastest growing cybercrimes. Cybersecurity Ventures predicts that ransomware will attack a business every 14 seconds by end of 2019.
Investing in a formal and ongoing security awareness training program for employees will directly reduce your organization’s risk of being infected by a ransomware attack -- and the associated costs. Ransomware damages cost the world $5 billion in 2017, and it’s been predicted that will rise to $11.5 billion by 2019.
I recommend organizing phishing tests internally and sharing the results with your teams. It’s important that all team members, from finance to sales to marketing, understand the risks presented by the partners they engage with, the downloads they share and the emails they receive – at a bare minimum. The more engaged your team is in cybersecurity awareness the more cyber resilient your organization will become.
You’ve said never to pay a ransom if you’re the victim of a ransomware attack. But you don’t really mean it, right? We should pay and get it over with, shouldn’t we…
No. I really mean it. It’s never a good idea to pay a ransom.
Paying a ransom does not guarantee that you will receive a working decryption key, or that your data will ever be recovered. It only encourages the cybercriminals to continue their activity, come back to a victim known to pay, and look for new ways to exploit systems.
We know that our data is being used as a weapon – full stop. We can’t bend or break in this world of cyberwarfare – we need to be resilient with better defenses, better planning and better training for our employees. In addition to the social engineering tests I mentioned above, I also recommend administrators mitigate the risks of ransomware by considering the following recommendations:
- Regularly back up all data on all computers to lower the risk of data loss, keep at least one copy offline or otherwise unreachable from the network (ransomware goes after reachable backups too), and test that you can actually restore from it.
- Isolate any infected machine from the internal network immediately – unplug the network cable and disable Wi-Fi – to stop the ransomware from spreading to other devices. Powering the machine off also stops the spread, but it discards memory that your incident responders may need, so coordinate that step with them.
- If your business has a BYOD (bring-your-own-device) policy, ensure that your staff are aware of any risks associated with using their own devices at work.
- Regularly update and patch all applications to avoid being exploited by vulnerabilities used by cybercriminals to propagate the ransomware.
- For documents received through email, keep macros disabled by default and open attachments in viewer software (such as Office Viewer) that cannot execute macro scripts.
- Restrict the ability to install software applications using the “Least Privilege” principle for all systems and services.
- Build a stronger security plan by whitelisting certain trusted applications that may be used by employees and requiring the use of a VPN for remote work.
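Several of the steps above (disabling macros, application control, least privilege) come down to not letting an attachment’s macro run in the first place. As an added example, not code from the column or from Herjavec Group, here is a mail-gateway-style triage that decides by what is inside an Office attachment rather than by its file extension: a modern Office file is a zip package, and one that carries macros contains a `vbaProject.bin` part and declares the `application/vnd.ms-office.vbaProject` content type in its manifest. The sample attachments are constructed in memory and are not real Word files; the verdict strings are the example’s own.

```python
"""Gateway-side triage of e-mail attachments for Office macros.
Added example: it decides by package contents, not file extension.
The sample attachments are constructed in memory; they are not real Word files."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def classify(data):
    """'vba'   - OOXML package carrying a VBA project
       'clean' - OOXML package without one
       'ole2'  - legacy binary Office file (can hold macros; needs an OLE parser)
       'other' - not an Office package at all"""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "other"
    with zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return "other"
        if any(part in names for part in MACRO_PARTS):
            return "vba"
        # Second signal: the manifest declares a VBA part even if it sits elsewhere.
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in manifest:
            return "vba"
    return "clean"


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns {filename: verdict}."""
    verdicts = {}
    for name, data in attachments:
        kind = classify(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "vba":
            verdict = "block: VBA project present"
            if ext in ("docx", "xlsx", "pptx"):
                verdict += f" despite macro-free extension .{ext}"
        elif kind == "ole2":
            verdict = "quarantine: legacy OLE2 document, inspect for macros"
        else:
            verdict = "allow"
        verdicts[name] = verdict
    return verdicts


def build_package(with_vba):
    """Construct a minimal OOXML-style zip for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_vba:
            overrides = f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


# Constructed sample mailbox: a clean report, a macro document renamed to .docx,
# an honest .docm, a legacy .doc, and a plain text note.
SAMPLE_ATTACHMENTS = [
    ("q1-report.docx", build_package(False)),
    ("invoice.docx", build_package(True)),
    ("invoice.docm", build_package(True)),
    ("old-contract.doc", OLE2_MAGIC + b"\x00" * 504),
    ("notes.txt", b"call me back re: the invoice\n"),
]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} {verdict}")
```

Two edge cases are deliberate. A macro document renamed to `.docx` is still blocked, because the decision is made on the zip contents, not the name. A legacy binary `.doc` is not a zip at all, so this check cannot see inside it; rather than pass it as clean, the example quarantines it for a tool that can parse OLE2 streams.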
As security professionals, we appreciate the risks associated with ransomware and other cyberattacks may never decrease but we can’t underestimate the power of good cyber hygiene. It’s our responsibility to take a proactive approach to mitigating the risks of being the next target.
Hopefully, this Q&A puts your mind at ease – at least momentarily! The questions you have are being asked by your executive peers. In many ways we share the same challenges, and the same opportunity to act proactively.
As we move forward with the understanding that a proactive, multi-layered defense requires technology, policy and the support of our employee base, here are the key conversations that should be happening at the executive level:
- Reviewing readiness for compliance requirements – especially GDPR
- Evaluating cyber insurance policies in advance of a cyber incident
- Using purple-teaming for greater incident response planning
- Establishing a strong cyber hygiene program
- Strengthening mobile and IoT security in your corporate environment
I’d love to hear any more questions you may have for the Cyber CEO. Feel free to email firstname.lastname@example.org and we will cover them in a future edition.
To Your Success,
Originally posted on cybersecurityventures.com