With the New Year upon us, we are likely to face new cyber challenges that put the security of our organizations at risk. Despite these new concerns, there are steps you can take to become – or remain – cyber secure in an environment that continues to evolve. We asked TSC Advantage experts what New Year’s resolutions they suggest organizations make and keep to face 2017 cybersecurity threats. Their recommendations? Arm your People and your Business for success:
Ward Off Fraud Scams through Information Security Training
Cory Faust, Threat Analyst
Buried under the mountain of information regarding data breaches lately (a billion Yahoo accounts!) is a developing threat vector which we can expect to greatly increase in 2017: invoice fraud through phishing scams involving accounts payable and extortion via ransomware. Companies should increase flexibility and tighten requirements in their training programs, especially those for employees dealing with third parties, in order to combat this threat.
Too often we see individuals fall victim to a cyber-attack due to complacency, and those involving employees opening malware-laden invoices are no different. Whether it’s getting duped into a $3.2 million scam like the City of El Paso, or a company’s systems and data being locked down (see Locky), the ability of an organization to mitigate these threats starts and ends with employee training and awareness. Some of the ways to tackle this growing trend include:
Mandatory employee training and awareness completion
Information Security training metrics capture for process improvement and identification of gaps
Invoice and accounts payable training for employees on the front line
Security champions in groups working with third parties
Increased approval controls regarding payments to third parties
Tighter scrutiny on account discrepancies
It’s too risky for organizations to allow single employees who routinely fail information security training to continue handling invoices, especially when the next one to be paid could be for something you never wanted.
Help Me Help You! Focus on Your People
Gabriel Whalen, Insider Threat Senior Official, Behavioral Analyst
The industry tends to over-emphasize and prepare for the spectacular attack, but the majority of harmful events tend to be the result of poor planning or safeguarding of assets. It’s more likely that a malicious insider will leak details of a planned merger than of your organization being hit by a sophisticated cyber attack.
Human Resources is your first line of defense – they let people in, or keep people out. Empower your first line of defense to both detect and mitigate employee issues, which will help reduce insider threat risk, whether the threat is intentional or not.
Training – even with training, people who consider themselves security conscious will violate their own security rules. Less training isn’t the fix here, it’s more effective training, separation of duties and least privilege. In order for the training to be effective, it is necessary to address immediate employee needs (e.g. if the company loses this contract, you won’t get a paycheck), instead of focusing on things that do not affect them directly (e.g. protecting company intellectual property to keep America “safe”).
Public relations – Now more than ever, company actions and relationships are open to public discovery. Companies need to be sensitive to public whim, otherwise they may reveal vulnerabilities that can lead to cyber vigilantism or ideology-driven attacks.
Speaking of People, I think we’ll likely see sophisticated cyber tools become readily available and usable by the general population at some point in the next few years, if it isn’t happening already. This development will only add confusion to an already complex picture – was event X the result of a disgruntled insider, a cyber vigilante, a criminal network, a nation state, or someone just goofing around? Who knows? Does it matter?
Scrutinize the Security of Acquisitions
Will Durkee, Director of Security Solutions
A troubling theme I have seen in companies that rapidly grow through acquisition is a lack of uniformity and formality in their information security program. Often, each division or business unit operates its own ad hoc security program with little communication to the corporate offices. Similarly, new acquisitions are not given the security due diligence needed to fully estimate the protections around valuable assets. In security environments, we understand that the weakest link often breaks the chain. It is with this observation that I recommend some 2017 resolutions:
Create a uniform corporate information security policy. If your culture demands a more decentralized structure, then at least establish minimum security requirements. This allows your corporate officers to mandate minimum security levels across all business units and locations in a clear manner. Consider incentivizing best practices.
Establish a reporting and monitoring process so that isolated security issues in smaller departments flow through to the corporate risk management decision makers. Lack of risk visibility is unfortunately a large cause of unintentional accepted risk, or as I like to say, risk by default. Whether a risk is unknown, ignored, or hidden, it remains an accepted risk and it should go through a formal risk acceptance process.
Create a security diligence checklist for additional acquisitions. This should inform management on the current state of security, which can impact valuation especially if this target company relies on intellectual property as a competitive advantage. Further, it brings to light any security improvement costs which could have financial influence on the acquisition.
Face the Unthinkable with a Proactive Plan
Brendan Fitzpatrick, Enterprise Security Assessment Program Manager
In addition to setting up appropriate defensive measures to keep intruders out, having an incident response plan established in case a breach does happen is essential. Each member of your team should know exactly what they have to do in response to an attack so that immediate steps can be taken to remedy the situation. The more time that passes without action means the more damaging the breach will be. Here is what every incident response plan should include, at a minimum:
Create an organizational structure of the incident response (IR) team. You need to know the members and what each of their roles are within the team. You should designate ‘responsible parties’ who will own the IR processes. Then list all parties that might need to be alerted, and under what circumstances they would be contacted.
Define what constitutes an incident. i.e., what thresholds must be passed to move something from an event (which can be handled in a routine way), to an incident. Every organization with a developed plan defines this differently, so figure out what works for your organization.
Use an incident response framework. Clarify what organizational things need to happen along each stage of the incident response. For example, events are first recorded in a ticketing system, then are evaluated by a certain member of the team. If the threshold is passed, the IR team is activated and specified business officers are alerted, etc.
Establish a documentation methodology and repository for all incidents. This includes after-action reports and root cause analyses that occur after closing an incident.
Don’t wait until a real crisis to test your team. Establish a regular schedule to fully test and update your plans, and to give your team a chance to practice without real consequences. Specific playbooks for incident response can be developed during these tests, as well as when dealing with real events and incidents.
We saw some historic breaches in 2016, and 2017 is sure to hold cyber threats that present continued security challenges. Let’s face it – most individuals don’t maintain their New Year’s resolutions beyond a few months. But research shows that setting realistic, measured and achievable goals leads to success. Our experts’ enterprise cyber resolutions are a helpful shortlist for increased cyber resilience.