Tips that everyone should look at and learn from
Recently we at ESET had the opportunity – quite a fun and interesting opportunity – to visit a number of information security and cybersecurity conferences. These conferences were flooded with relatively ‘new’ developments such as NextGen, the Internet of Things (IoT), IoT DDoS attacks, security intelligence platforms, etc. The fact that some of these terms have become ‘hype’ is not in itself a problem, but we did begin to wonder whether the security world may be looking at things in the wrong way and thereby missing the demands that need to be addressed.
LESSON 1: START WITH THE BUSINESS (AND ITS RISKS)
Security in practice can be exceptionally complex, but its essence is quite simple. It is nothing more than reducing or taking away risks, and making them visible so that the business can accept them and continue doing its work – nothing more, nothing less. To do this as effectively and efficiently as possible, we, as security people, have to understand the business and not see it solely from an IT perspective but from the broader perspective of the business itself.
When starting from the business, we first should identify, map, and categorize the risks of the specific business. Second, we have to determine, together with the business itself, which risks need to be dealt with and in which order.
When that’s done, the person responsible for the security within the company must set up a security plan that describes how these changes are to be executed. In doing so, there must be clear goals and deadlines. Ideally, this should be done in a ‘smart’ way, one step at a time, so as not to engage in too many projects at once.
LESSON 2: DETERMINE A SECURITY ROADMAP WITH A CLEAR GOAL, STEP BY STEP
Defining your security approach (or security roadmap) is essential and should be discussed with your business on an ongoing basis to make adjustments where and when necessary. During the creation and execution of the roadmap, the projects that are defined will all contribute to the reduction of risks and the achievement of the end goal.
It’s important to not lose sight of the business goals, because the people responsible for security shouldn’t ‘restrict or obstruct’ the business with security measures. It’s not rocket science, and shouldn’t be treated like it is. The creation of a plan should be something that everyone, even without IT skills, can understand. Of course, IT plays a role, but only at the last moment when IT solutions are needed for the execution of the security projects.
LESSON 3: COVER THE BASICS BEFORE IMPLEMENTING MORE ADVANCED SECURITY SOLUTIONS
Looking back at the conferences we attended, we noticed that most organizations don’t even have basic security measures in place, let alone advanced security solutions. Security company presentations on these technologies often look stunning and offer interesting content, but they are simply too advanced for most companies. Furthermore, experience shows that most hacks (about 90%) still use the simplest methods and weaknesses: phishing emails, malware attachments, etc. And, of course, there is the weakest link of all: the human being.
Companies need to create basic security solutions for these simple risks first before they turn their attention to more advanced technologies. Of course, these are important as well and they should be implemented in the future, but only after the basics are fortified. Often during security conferences there is a focus on sophisticated threats and APTs (advanced persistent threats), but companies such as TalkTalk and Ashley Madison might have been protected from attack if even basic security was in place.
LESSON 4: BUILD THE RIGHT PARTNERSHIPS – COOPERATION BETWEEN IT SECURITY PROFESSIONALS IS ESSENTIAL
New developments arise quickly and malicious groups and individuals are using more varied and advanced attacks and tactics. Eventually, more advanced security solutions will become inseparable from our organizations’ broader security roadmaps. However, the foundation has to be in place before the ‘house’ can be built. And to build this house, cooperation is needed between the architect, the realtor, the mason, the plasterer and of course the homeowner.
This sense of building something together is exactly what needs to happen in the security world. We have to cooperate intensively because, much like building a house, there is no single owner or architect who is also the best in masonry, painting, or construction.
No single security company has the best solution for each and every security risk, so working together is a must. Those who would cause your company harm are already doing this, so it’s time security professionals do the same. We need to start with the owner (the business) and the foundation (the roadmap), and then forge relationships with the right contractors (security vendors). Only then can a strong, reliable, and safe house be built.
LESSON 5: GET EVERYONE INVOLVED – IT’S THE ONLY ROAD TO SUCCESS
To make progress between security and the business, there has to be understanding and support from the business – and vice versa. The one(s) responsible for security have to be able to provide short and clear explanations in order to get all of the different stakeholders in the company to participate. If he or she can’t, then the business (and the board) will never understand, and there won’t be the necessary buy-in and support to implement your plans (no matter how good they may be). As Einstein once said: “If you can’t explain it simply, you don’t understand it well enough.”
ABOUT ESET TECHNOLOGY:
NETWORK ATTACK PROTECTION
Network Attack Protection is an extension of firewall technology and improves detection of known vulnerabilities on the network level. It constitutes another important layer of protection against spreading malware, network-conducted attacks and exploitation of vulnerabilities for which a patch has not yet been released or deployed.
UK GOVERNMENT TO ROLL OUT CYBERSECURITY CLUBS FOR TEENS TO ADDRESS SKILLS SHORTAGE
Thousands of teenagers across the UK are set to be given intensive training at cybersecurity clubs in a bid to minimize the skills shortage predicted for the near future.
The Cyber Schools Programme aims to offer support and encouragement to youngsters aged between 14 and 18 who demonstrate an early talent for the skills needed to help safeguard businesses against online threats in an increasingly digital economy.
OVER HALF OF US CITIZENS HAVE EXPERIENCED A DATA BREACH
The Pew Research Center has found that over half of American citizens have been victims of data breaches in recent years.
The online security survey, released on 26 January this year, revealed that 64% of adults in the US have either reported or were notified of a data breach that had impacted their personal data.
Respondents’ answers highlighted that credit card fraud was the most common form for a data breach to take, with 41% of Americans having fallen victim to it. 35% had experienced their personal data (such as account numbers) being compromised, while 6% found that someone else had impersonated them to file a tax return.
As of February 13th, 2017, Gmail has started deploying their new restrictive policy on .js file attachments, extending their list of file types blocked for security reasons. After the full release, Gmail users won’t be able to send or receive mail containing .js attachments, even if they’re in a compressed and archived form.
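The kind of check behind such a policy, as an added example that is not part of this newsletter and not Gmail’s own filtering code: a small Python mail-gateway routine that walks a MIME message, flags attachments with a blocked extension, and also looks inside zip attachments so that an archived .js file is caught as well. The sample message is constructed inline; the `BLOCKED_EXTENSIONS` set, the function names and the sample file names are assumptions for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extension blocked for security reasons in the policy described above.
# Assumed set; a real gateway would carry the full list of blocked types.
BLOCKED_EXTENSIONS = {".js"}


def _is_blocked(name: str) -> bool:
    """Case-insensitive match so 'payload.JS' is treated like 'payload.js'."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_attachments(raw_message: bytes) -> list:
    """Return the names of blocked attachments in a raw RFC 5322 message.

    Zip attachments are opened and their members are checked too, reported
    as 'archive.zip:member'. Other archive formats and nested archives are
    not handled here.
    """
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container parts and inline text have no filename
        if _is_blocked(name):
            hits.append(name)
            continue
        payload = part.get_payload(decode=True)
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _is_blocked(member):
                        hits.append(f"{name}:{member}")
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: one bare .js, one zip hiding a .JS, one harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"console.log('hi');", maintype="application",
                       subtype="javascript", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("payload.JS", b"alert(1)")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in blocked_attachments(build_sample_message()):
        print("blocked:", hit)
```

The archive check only descends one level and only into zip files, which is enough to show why a policy that stops at the outer filename is easy to bypass; a production gateway would also handle other archive formats and archives within archives, and would treat an archive it cannot open as suspicious rather than clean.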