Managing surprises before they happen is key to effective cybersecurity

Good governance and risk management do more to limit exposure than spending more money on security products


The WannaCry attack, the biggest ransomware attack in history, is not over. Companies in at least 150 countries have been impacted, leaving organizations around the world wondering if they might be affected by subsequent waves.

It's critical to keep in mind that effective mitigation of ransomware (and similar) attacks is accomplished with good governance and risk management, not with the acquisition of expensive security solutions. The controls that stopped WannaCry where it failed (current patches, working off-site backups, restricted access) were already available to every affected organization.

Detecting and mitigating risks effectively requires an integrated approach: understanding the dependencies and overlapping activities between entities or departments, so that a control owned by one team (patching, backups, access reviews) is actually applied to the assets another team depends on.


Technology necessary for a robust cybersecurity program already exists at most organizations. The missing piece, strong governance, is the key to putting internal policies into practice and maximizing the effectiveness of existing technology.

With that in mind, there are a few fundamental steps organizations should take. Enterprise-wide risk management procedures must be used to automate the assessment and monitoring of the controls described below (backups, patching, access rights, VPN sessions and recovery testing). Timeliness and frequency are key to sustaining protection. The creation of corporate policies does not assure that those policies are followed equally across business areas out to the front lines. In fact, without enterprise risk management, they rarely are.

Back up data; use patches

The first step is to make sure off-site backups are kept up to date. Automatic notifications should alert the security team at preset intervals, reminding them to verify that data is fully backed up at an off-site location and that it can actually be restored from there; a backup that has never been restored is an assumption, not a control. The off-site copy must also be unreachable with the credentials used on the production network, since ransomware routinely encrypts or deletes any backup it can reach. It's critical to use a risk-based approach to prioritize which data needs monitoring and testing, and how often.

Once data has been protected, companies should ensure approved patches are implemented. WannaCry spread through a Windows SMB vulnerability for which Microsoft had published a patch (MS17-010) two months before the outbreak; the affected organizations were the ones that had not applied it. Although most organizations have approval procedures to force implementation, inconsistency causes massive, preventable vulnerabilities. Without risk-based monitoring of which assets are actually patched, critical assets are left unprotected as priorities interfere with one another.

Malware detection software should be reviewed and updated in the same way, with the same monitoring of whether signatures and engines are current on every endpoint. Security teams need the guidance of centralized governance so they can monitor systems effectively rather than relying on each business unit to report its own status.

Limit access

Managing access rights, which starts with an accurate asset inventory and enforced internal password policies, is critical when minimizing cyber exposure. The "principle of least privilege," by which the company grants employees only the access rights they need to perform their job responsibilities, is particularly important: ransomware runs with the privileges of the account it lands on, so an account that can write to every file share can encrypt every file share. This also should apply to vendors and other third parties. Conceptually this is simple, but in practice a risk-based approach is needed to connect process owners (who know what access a role needs) to the security team (who grants and reviews it). This is where most access rights programs fail.

Automated monitoring also should be applied to company virtual private networks. VPNs are important tools that sustain security and access, but if they are not managed correctly, with idle and maximum session timeouts enforced, accounts removed promptly when people leave, and the VPN gateway itself kept patched, they create entry points that can be exploited. Once again, vendors should be held to similar standards, ideally with their own restricted VPN profiles rather than general network access.

Business continuity and disaster recovery (BC/DR) plans, much like data backups, must be tested (and optimized) at regular intervals. If a company has a plan in place but does not regularly test its ability to perform a "clean recovery" (rebuilding systems from known-good media and restoring data from backups that predate the compromise), it's highly unlikely it will get back on its feet after an attack within the required time period.

Keep recovery time short

Centralized risk management allows subject-matter experts to assess each device, application and data store. A recovery time objective, or RTO, is the maximum time a particular asset can be unavailable before business objectives are missed. The security team, after receiving automatic notifications, should test that the measured clean recovery time for each asset is shorter than that asset's RTO; the simplest conservative rule is to require every measured recovery time to be shorter than the shortest RTO in the inventory, since the recovery of one asset rarely happens in isolation.
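The two checks above (backup verification on a risk-based interval, and measured clean recovery against RTO) reduce to a small monitoring rule that can run from a scheduler and feed the automatic notifications the article describes. The following is an added example, not code from the article or from any product it discusses. The asset inventory is constructed, and the per-tier verification intervals and the fixed reference time are assumptions chosen to make the run reproducible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical policy: how often an off-site restore must be verified, by
# criticality tier. These values are assumptions, not figures from the article.
VERIFY_INTERVAL = {
    "critical": timedelta(days=1),
    "high": timedelta(days=7),
    "normal": timedelta(days=30),
}
TIER_RANK = {"critical": 0, "high": 1, "normal": 2}


@dataclass
class Asset:
    name: str
    criticality: str                      # key into VERIFY_INTERVAL
    rto: timedelta                        # recovery time objective
    last_verified: datetime               # last verified off-site restore
    clean_recovery: Optional[timedelta]   # measured in last clean-recovery test


# Constructed inventory, not real systems. NOW is pinned so the checks are
# reproducible; a scheduler would pass datetime.now(timezone.utc) instead.
NOW = datetime(2017, 5, 20, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Asset("payroll-db", "critical", timedelta(hours=4), NOW - timedelta(days=3), timedelta(hours=2)),
    Asset("erp-app", "critical", timedelta(hours=8), NOW - timedelta(hours=12), timedelta(hours=10)),
    Asset("file-share", "high", timedelta(hours=24), NOW - timedelta(days=5), None),
    Asset("wiki", "normal", timedelta(hours=72), NOW - timedelta(days=20), timedelta(hours=6)),
]


def by_priority(assets: List[Asset]) -> List[Asset]:
    """Risk-based ordering: most critical tier first, then by name."""
    return sorted(assets, key=lambda a: (TIER_RANK[a.criticality], a.name))


def overdue_verifications(assets: List[Asset], now: datetime) -> List[str]:
    """Assets whose last verified off-site restore is older than the tier interval."""
    return [a.name for a in by_priority(assets)
            if now - a.last_verified > VERIFY_INTERVAL[a.criticality]]


def rto_violations(assets: List[Asset]) -> List[str]:
    """Assets never tested, or whose measured clean recovery exceeds their own RTO."""
    return [a.name for a in by_priority(assets)
            if a.clean_recovery is None or a.clean_recovery > a.rto]


def shortest_rto(assets: List[Asset]) -> timedelta:
    return min(a.rto for a in assets)


def recovers_within_shortest_rto(assets: List[Asset]) -> bool:
    """The conservative rule: every measured clean recovery must beat the
    shortest RTO in the inventory, not merely the asset's own RTO."""
    limit = shortest_rto(assets)
    return all(a.clean_recovery is not None and a.clean_recovery < limit
               for a in assets)


def findings(assets: List[Asset], now: datetime) -> List[Tuple[str, str]]:
    """Prioritised (asset, reason) pairs for the notification to the security team."""
    out: List[Tuple[str, str]] = []
    for a in by_priority(assets):
        age = now - a.last_verified
        limit = VERIFY_INTERVAL[a.criticality]
        if age > limit:
            out.append((a.name, f"backup verification overdue by {age - limit}"))
        if a.clean_recovery is None:
            out.append((a.name, "no clean-recovery test on record"))
        elif a.clean_recovery > a.rto:
            out.append((a.name, f"clean recovery {a.clean_recovery} exceeds RTO {a.rto}"))
    return out


if __name__ == "__main__":
    for name, reason in findings(INVENTORY, NOW):
        print(f"{name}: {reason}")
    print("all assets recover within shortest RTO:",
          recovers_within_shortest_rto(INVENTORY))
```

The point of keeping the tier intervals and RTOs as data rather than in someone's head is that the same script answers the governance question for every business unit: the process owner supplies the asset's criticality and RTO, the security team supplies the test results, and the overdue and violation lists are what the automatic notification should carry.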

The steps above reduce cybersecurity exposure by improving governance, not by mandating the acquisition of new IT resources. Good governance enables the operationalization of security procedures, closing the gap between senior leadership and everyday activities. A risk-based approach reduces both exposure and the cost of effective security operations.
