Cyber-security: a team sport

René-Sylvain Bedard at Indominus Managed Security explains how to optimise the cyber-security strategy of your business

 

Over the past decade, cyber-security has become unavoidable. If you are serious about your business and want it to have a future, cyber-security must be top of mind.

 

Here is an overview of how you should optimise your company’s people, processes and technologies to become secure. 

 

 

Creating a cyber-defence strategy

Creating a cyber-security plan is a lot like building defences into your house. You will want: 

• a fence to keep unwanted people out
• a gate to let in only the people you want
• smoke detectors to avoid fire
• broken glass detectors so you know if someone tries to break in
• cameras to see if a threat is present
• an alarm centre to ensure that all this data is reviewed in real-time, and counteractions can be taken rapidly 

All these have a cyber-security equivalent: the fence and gate protecting your perimeter are firewalls, your smoke detectors are your antivirus and EDR (endpoint detection and response), your broken glass detector is the protection of your identity, and your cameras and alarm centre would be your information-gathering and correlation system, otherwise known as a SIEM.

 

 

Unifying your security

Deploying tools and reactive methods is a great start, but they will not take shape until they are implemented and integrated into the daily lives of your staff. Only then will you know if they work.

 

That is why I always say, “Architecture is a team sport”. You can create the most elegant design on your own, but it will never be any good until operations have accepted it. You might as well incorporate their input from the beginning. Get their opinions and feedback, and make sure you build it in.

 

 

People

You should never underestimate the threat of trust. People are trusting and want to be nice to other humans, which makes them vulnerable to “social engineering” where criminals exploit their trusting nature.

 

Here is a real-life example of social engineering: we were doing a cyber-security audit for a healthcare provider. Our white-hat intrusion tester walked into one of the regional clinics and was greeted by the receptionist, who assumed he worked for their IT support group. She set him up in an absent doctor’s office, offered him a tea, and then proceeded to close the door so he could work in peace. He was able to break into the clinic’s IT network and install all his required tools, without any hindrance. A few weeks later, he was writing files on the chief security officer’s desktop, from his home office, 300 miles away.

 

We are not talking about James Bond here. We are talking about regular technology, and someone with a knowledge of cyber-security. This is why you need to set up an operational method that ensures that trust must be earned. 

 

Social engineering is a tool that many criminals use; and it can get you in trouble.

 

 

Processes

So, you have deployed your plan and implemented all these great technologies. But there are still processes that were automated long ago and that no one dares to touch. 

 

What if there is a function that uses the usernames and passwords for your bank account? Would you want anyone to be able to capture these?

 

How would you feel if your entire payroll was redirected to a single bank account where the money disappeared 3 minutes after it had been deposited?

 

How would you feel if all your employees came screaming on Thursday morning because there was no money in their accounts? How many disruptions would that cause, on top of the fact that the money you set aside for their pay is now gone?

 

And this is just one automation, one process, one script. How many of these is your company running?

 

 

Technologies

Almost all companies I have come across have specialised systems. Most of those are bound by some exceptions, especially around cyber-security. Some of them even have a particular status that prevents them from being upgraded or patched.

 

This is a big problem, because without patching, a device can’t be secured. 60% of attacks are through known vulnerabilities. Most of them could be avoided with regular patching. 

 

So how do you make sure that you can make your technology secure? Questions must be asked. Sometimes, older systems need to be upgraded. Sometimes, this is a major investment. 

 

That is where risk management comes into play. Can you isolate those older machines so that, if the network is attacked, they can stay safe and operations can keep on rolling? Do they need special protection, so that only a very small part of the company has access to them? Do this and you reduce what is known as the attack surface, the parts of your IT network that criminals can use to gain entry.

 

Most importantly, as a leader you need visibility into those diverse platforms; you need to be monitoring them, so that if something happens, you are ready to react.

 

 

And ... ecosystem

At this point, your staff is well trained, you have reviewed your processes, your technology has been integrated into your cyber-defences monitoring system, and you have reduced your attack surface. You’re thinking, ’We’re good.’

 

In reality: almost.

 

What happened to Microsoft a few years back is a stark reminder that when you bring a partner into your backend systems, it is very much like giving your neighbour a key and alarm system access codes to your house.

 

If their environment gets compromised, yours might be too. No matter the security levels you have put in place.

 

This means that you must make sure that your partners, especially those accessing your backend systems, have equivalent or better cyber-security than your own. This must be confirmed through a survey and built into your partnership’s agreements. 

 

Partners have to look out for each other, especially against cyber-criminals.

 

 

The security buck stops with you

It is essential that owners and corporate executives get well-versed in cyber-security, especially in the SME space. As they say: the buck stops with you. 

 

This means that you need to start mastering the larger concepts, get interested in cyber-security, learn about the various types of attacks and how they could disrupt, steal or even paralyse your company.

 

Never forget that, as a company, you have the one resource that all cyber-criminals are looking for: money.

 

Help us #StoptheBully. 

 

---

 

René-Sylvain Bedard is CEO of Indominus Managed Security and the author of Secure By Design, a leader’s guide to keeping cyber-criminals out of your business

 

Main image courtesy of iStockPhoto.com and nd3000