Originally published in the ISACA newsletter
There seems to be no break in the cybercrime landscape these days. Organizations and the public have put security and privacy in the forefront due to the increasing number of high-profile breaches and hacks across all industries, ranging from health care to financial services to politics.
Cybercrime vectors such as phishing—the weapon of choice for most cybercriminals—are continuing to show growth across the globe, with RSA noting a 308% increase in phishing attacks in the second quarter of 2016 compared to the same quarter of the previous year. The United States currently ranks as the most phished country, but, regardless of country or industry, it is clear that cyber security threats are a real and present danger.
While every organization faces the threat of cybercrime, best practices for mitigating the risk can vary depending on local circumstance. The following 5 tips can help create a security program that works in your organization to help stem the tide of cybercrime:
1. Identify the weakest link
Each industry sector has specific areas that are targeted by cybercriminals. For example, if your organization works in the retail sector, you are likely to have vulnerabilities at the point of sale (POS). In health care, one of the most prevalent threats is ransomware, with up to 75% of US hospitals affected by the Locky ransomware variant.
The best starting place for a robust and effective cyber security program is to identify your weakest links. These are your cybercrime target points and can give you the understanding needed to create your personalized threat profile.
2. Understand your assets
Knowing what data or systems are being targeted can help you focus your protection efforts. An inventory of the most attractive parts of your data and systems allows you to set up specific security measures around those valuable assets.
People are also assets and should be included in this exercise. Know who your people are and how they interact with your data. This is especially important for those employees and third parties who have access to the assets identified as being potential targets of value. Insider threats, including those from across the vendor ecosystem, are a serious cyber security issue. Health care, for example, has seen insider-based risk (such as improper disposal) become the most prevalent problem in the first half of 2016.
3. Promote security awareness
Employees can be one of your biggest threats, but they can also be your biggest asset. Being security savvy is one of the best ways to mitigate cyber security and privacy risk. Security awareness is about making people understand the risk of a business, where that risk originates and how to prevent it. Foster security awareness through discussion of topics such as password sharing, or consider offering a seminar explaining how employees can spot a phishing email.
Security awareness training for all staff members should be a fundamental part of your security and privacy program. But training should not end with internal employees. External vendors and contractors should also be made aware of the expectations of your organization's security and privacy program. Many noteworthy high-profile breaches have occurred because of lax security at a third-party vendor, including the infamous 2014 Target data breach. As a result, businesses today must comply with regulations such as the US Health Insurance Portability and Accountability Act (HIPAA) for securing health information and the Payment Card Industry Data Security Standard (PCI DSS) for providers supporting companies involved with cardholder data.
4. Use the right tool for the job
Now that you have a holistic view of the cyber security and privacy vulnerabilities within your organization and beyond, you can look at how best to mitigate those risk factors. Security awareness training among staff is a starting point, but technology also plays a key role in controlling cyberthreats. Keep abreast of changes in the cyber security and privacy technology landscape. For example, machine learning can help in the fight against cybercrime. Having a good working knowledge of what is available, especially considering your organization or sector-specific requirements, will give you a head start in combating issues. Keep in mind that advanced tools require employees who are well trained to run or administer them; consequently, it is critical to provide sufficient training to those employees.
5. Create a robust cyber security and privacy framework
Knowledge is the foundation of effective cyber security and privacy risk management. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a critical resource for informing all cyber security and privacy professionals. The CSF is based on 5 principles. Those principles are:Describe the organization’s current cyber security posture
- Describe the enterprise’s target state for cyber security
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress toward the target state
- Communicate among internal and external stakeholders about cyber security risk
Following these principles can help achieve excellence in cyber security and privacy management.
Although the approach to cyber security and privacy can be customized by organization or sector, one thing is clear: Good and robust attitudes regarding cyber security and the prevention of privacy breaches are universally essential, and they come from the top down. A recent Ponemon Institute report demonstrated that good communication from the top down is key to risk management across the company. Good communication must include third-party vendors as well. While there may be many aspects to creating a good security and privacy program for your organization, communication between staff and sharing of knowledge are the keys to making it work and keeping your information safe.