Cybersecurity: The five main lessons for all
Recently we had an opportunity – quite fun and interesting – to attend a series of conferences devoted to information security and cyber security. These conferences were filled with relatively “new” developments, such as NextGen, Internet of things (IoT), DdoS attacks on IoT devices, security intelligence platform, etc. The fact that some of these terms caused “hype” is not in itself a problem, but we began to wonder whether the world of security is right about things. Otherwise, those or other needs may be missed.
This article introduces a new vision of cybersecurity, which is viewed as a goal in itself, not something that is directly related to the needs of the business. At the moment, it seems that too often security organizations go wrong.
Cybersecurity Lesson 1 . Start with the company ( and associated risks )
In practice, security can be an exceptionally difficult task, but its essence is quite simple. Security is nothing more than the reduction or elimination of risks, as well as ensuring their visibility, which allows companies to accept and continue their activities – no more, no less. To achieve maximum efficiency and effectiveness, we, security professionals, must understand the business and not treat it exclusively from the point of view of IT, and look at the problem more from the position of the business itself.
“Experience shows that in most cases (about 90%) of the attacker are still using simple methods and WEAKNESSES : phishing emails , malicious attachments.”
If we start from the business, we first need to identify, display and classify the risks associated with a specific company. Secondly, we must determine, together with the company itself, what risks must be dealt with and in what order.
After that, the person responsible for the security inside the company must draw up a security plan describing how these changes should be implemented. In this case, clear goals and deadlines should be indicated. Acting must be judicious, step by step, and not engage in multiple projects at once.
Cybersecurity Lesson 2 . Identify a road safety map, with a clear goal and step-by-step actions
Determining your approach to security (or road safety map) is important, it must be regularly agreed with your company to make adjustments as needed. In the process of developing and implementing the roadmap, all the projects will help reduce risks and achieve the ultimate goal.
It is important not to lose sight of the business purpose, and the persons responsible for security should not “restrict or discourage” the company from taking security measures. This is not rocket science, so the approach should be appropriate. The process of developing a plan must be clear to everyone, even those who do not have IT skills. Knowledge of IT certainly plays an important role, but only at the last moment, when IT solutions are needed to implement security projects.
Cybersecurity Lesson 3 . Master the baseline before embarking on more complex security solutions
Participating in the conferences mentioned above, we noticed that most organizations do not even provide basic security measures, let alone advanced security solutions. Presentations of these technologies by security companies often look staggering and offer interesting content, but for most organizations they are at a very high level. In addition, experience shows that in most cases (about 90%), attackers still use the simplest methods and weaknesses: phishing emails, malicious attachments, and so on. And, of course, there is the weakest link – a person.
Before moving to more advanced technologies, companies need to create basic security solutions that take into account these simple risks. Of course, the first ones are also important and should be implemented in the future, but only after strengthening the basic solutions. Often, security conferences focus on complex threats and advanced persistent threats, while companies like TalkTalk and Ashley Madison could be protected from attack even if basic security was implemented.
Cybersecurity Lesson 4. Establish the right partnership – cooperation between IT security experts is important
New developments appear quickly, and individual attackers and groups of intruders use more diverse and advanced attacks and tactics. Ultimately, more advanced security solutions will become inseparable from the broader road safety maps of our organizations. But, before building a “house”, you need to lay the foundation. And to build a house requires cooperation between the architect, realtor, bricklayer, plasterer and, of course, the owner of the house.
It is this feeling, when something is created together, that we must be present in the world of security. We must actively cooperate, because, like building a house, there are no owners or architects who would just as well perform the masonry, painting or construction work.
No security company has the best solution for every security risk, so you can not do without working together. Those who could harm your company are already operating, so it’s time for security specialists. We need to start with the owner (company) and the foundation (roadmap), and then establish relations with the right contractors (suppliers of security solutions). Only after this, a strong, reliable and safe house can be built.
“THIS IS THE SENSE, WHEN THE COMMUNICATION IS BROUGHT TO BE CREATED, MUST BE PRESENT IN THE WORLD OF SECURITY . WE SHOULD ACTIVELY COOPERATE. “
Cybersecurity Lesson 5 . Connect all – this is the only way to success
To achieve results from the company’s security and organization, requires understanding and support from the company, and vice versa. The person (s) responsible for safety must be able to give short and clear explanations so that various stakeholders of the organization participate in the process. Otherwise, the organization (and management) will not understand the situation, and there will not be the required personal interest and support for the implementation of your plans (no matter how good they are). As Einstein once said: “If you can not explain it in simple words, you do not fully understand this!”