5 Ways to Develop Your Cybersecurity Risk Management Framework
Posted by Walid Abou-Halloun Date: Jul 12, 2018 5:42:12 AM
Cybersecurity experts from both the government and the private sector are constantly warning us about the threat of hacking and impending cyber attacks.
That is because the threat is very real, and the resulting damage goes beyond the realm of our personal devices. An incursion on confidential data has immediate financial, social, and personal implications.
Moreover, recent breaches have shown how vulnerable systems are.
That is why, for businesses, it is all the more important to have a cybersecurity risk management framework. Here are some ways to develop an effective one.
1. Ask: Is Your Company’s Network Growing?
Growth is always a good sign, but a larger pool of customers often means you need a larger infrastructure. An increase in the number of employees, equipment updates, and maintaining a larger network are all expenses commonly associated with a growing business.
Usually, the changes happen organically and sporadically. There can be a new employee every month, which means bumping your third-party service subscriptions from one level to the next, or expanding your office.
Change is inevitable; you just need to make sure you have the right systems in place to monitor your growing network. Why? Simply because:
Custom Code Doesn’t Scale
If your company uses projections, models, and other computing tasks that use a lot of processing power, you probably have an HPC cluster.
But as you add more nodes and processing power to keep up with demand, the custom tweaks an employee may have made years ago will start to crumble.
Any databases created internally, custom scripts, or older IT-monitoring programs that have lingered in your systems for years can crash if your cluster grows too big.
Unless your longest-serving employees remember the old code, it can be impossible to find the underlying cause without software keeping an eye on the whole system.
Managed IT support can find those vulnerabilities and move your business onto standardised software.
A Patchwork of Different Hardware is Vulnerable to Attack
The last time you updated the virus protection on your personal computer, or it updated automatically, your computer became more secure. But there are still limitations.
Operating system vendors and program providers are always building patches and new layers of security. The aim is to fix previous problems or holes that new hacking techniques can take advantage of.
The more varied your technology is, the harder it is to make sure everything is operating at the same level. Managed IT support services can monitor the network as a whole and catch problems before they develop.
2. Make Computer Security More Convenient
The first rule of cybersecurity is that you get either convenience or security; any increase in one will decrease the other.
Tightly enforce security. Otherwise, convenience will gradually creep in until your business devices and network are left relatively unsecured.
While you can never achieve a perfectly happy medium, here are a few ways to make crucial security more convenient:
Get More Intuitive Two-Factor Authentication
Two-factor authentication has been around for quite a while in one form or another. In the earlier days of network security and the Internet, people carried around physical tokens.
They would input their personal password and the time-sensitive password generated by the token. If both passcodes passed the test, then the user would be allowed access.
But tokens are easy to lose, and those long, randomised passcodes aren’t anyone’s first choice. Instead, apps like Duo, or simply using your employees’ mobiles as passcode-generating tokens, can do the trick.
Look for programs that require two independent factors to give people off-site access. But also look for programs in which the two factors require the least amount of work and the fewest physical items.
Move to Single Sign-On
A lot of employees use several online portals throughout the day. They might even be using them simultaneously.
They can log in to Oracle, Salesforce, the company intranet, and their email. And guess what? They’re not going to be using complex, randomised passcodes for each program. Chances are, they’ll use identical passwords for each portal.
The best way to counteract that is to implement single sign-on. Hook all of your company’s assorted portals and databases to your company’s intranet so employees only have to log in once.
Once you cut down on the number of passwords, you’re far more likely to get cooperation about more complex passwords and more frequent password changes.
3. Train Your Employees on Phishing Schemes
Phishing might sound old, but it still works. All it takes is one person responding to the scam and they’re in business.
But more modern phishing schemes don’t try to target people’s goodwill or sympathy anymore. They rarely even try to target greed. Instead, they aim for fear.
While bots and anti-malware programs are getting better, they can’t catch everything, and that means your employees have to be watchful.
Here is one of the most common fear-based triggers in phishing schemes that your company needs to have a policy on:
The Urgent Third-Party Alert
Everyone’s gotten an email like this: a notification saying that there’s been some sort of activity (usually linked to a bank account) and that you need to resolve it immediately.
They may even throw in a helpful confirmation link that only lasts for 24 hours.
Such alerts do happen legitimately, and a fake one can look just as authentic, which is why people are easily tricked.
In legitimate emails, the short timeframe is there to protect your account from further breaches. In phishing schemes, the deadline is there to fill the recipient with urgency and make them act faster than is reasonable.
And that helpful link goes to a mirror site where you’ll be asked for your login credentials before they can even begin to explain the real problem.
Whenever this type of phishing email makes it into a corporate inbox, the recipients need to focus on two things:
- Urgent problems aren’t processed through email. Unless there’s a phone call, it can wait to be vetted and investigated.
- Never use the link. Don’t even click it. It is much safer for the recipient to open a new tab and type in the domain, which gives them a chance to verify whether the site is legitimate and secured before they enter anything.
Phishing schemes use emotion to drive careless action and responses.
In an office setting, the easiest way to do that is with urgency and fear.
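A mail-filtering heuristic for the urgent third-party alert described above, added here as an illustration and not part of the original post. It parses an email's HTML, flags any link whose visible text names one domain while the href actually points at another (the mirror-site trick the advice above guards against), and counts urgency phrases in the body. The sample email, its domains (the reserved example.com and example.net) and the phrase list are all constructed for this example, and the function names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: the visible link text claims the bank's real domain,
# while the href points at an unrelated domain that merely starts with it.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>You must verify your identity within 24 hours or your account will be suspended.</p>
<p>Confirm here:
   <a href="http://example.com.alerts-verify.example.net/confirm?id=7731">https://www.example.com/confirm</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">www.example.com/help</a>.</p>
"""

# Constructed list of pressure phrases; a real filter would tune this against its own mail.
URGENCY_PHRASES = ("unusual activity", "within 24 hours", "immediately", "will be suspended")

# Visible anchor text that looks like a URL or a bare hostname, optionally with a path.
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def registrable_domain(host):
    """Crude registrable-domain approximation (last two labels); a production filter
    would consult the Public Suffix List so that names under co.uk and the like compare correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatches(html):
    """Anchors whose visible text names a domain other than the one the href really goes to."""
    findings = []
    for href, text in extract_anchors(html):
        shown = HOSTLIKE.match(text)
        actual_host = urlparse(href).hostname or ""
        if shown and actual_host:
            shown_host = shown.group(1).lower()
            if registrable_domain(shown_host) != registrable_domain(actual_host):
                findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


def urgency_hits(html):
    """Pressure phrases present in the email body, with tags stripped."""
    body = re.sub(r"<[^>]+>", " ", html).lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in body]


def assess(html):
    """Combine both signals; a single domain mismatch alone is enough to flag the mail."""
    mismatches = link_mismatches(html)
    urgency = urgency_hits(html)
    return {
        "link_mismatches": mismatches,
        "urgency_phrases": urgency,
        "suspicious": bool(mismatches) or len(urgency) >= 2,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_EMAIL_HTML)
    for finding in result["link_mismatches"]:
        print(f"link text says {finding['shown']} but goes to {finding['actual']}")
    print("urgency phrases:", result["urgency_phrases"])
    print("suspicious:", result["suspicious"])
```

The domain comparison is the stronger of the two signals: urgency wording also appears in genuine notices, whereas a link that shows one domain and goes to another has no legitimate reason to exist in a customer notification.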
Layer your defenses and add more security to your servers. Ransomware slows down business wherever it pops up, regardless of your company’s response to the ransom threat.
But more and more ransomware attacks are trying to strike at the center of corporations for bigger payouts. Instead of holding individuals or devices hostage, malicious actors are trying to reach your servers.
So make sure your servers and encryption tools have their own defense systems. Keep the security completely separate from the more user-facing defenses. In that way, phishing schemes can’t reach as deeply.
4. Back Up Your Data and Hold It Separately
Most companies don’t have adequate anti-ransomware defenses. Even being ahead of the curve doesn’t guarantee that you won’t get caught in a trap. So make sure some of your defenses are designed to mitigate the damage.
Frequently back up your files and your databases to make a successful ransomware attack less of an emergency.
When you can afford to respond calmly and keep the business going as usual, you are better able to find the source of the threat.
5. Be Careful When Using Sensitive Information
One of the most important things you can do to keep your information secure online is to be careful when you do sensitive browsing, such as banking or shopping online.
You should never do this type of browsing from a public computer or a computer that anyone else has access to. Only do this type of browsing from a network you trust.
Never access sensitive accounts while connected to a public WiFi as this can leave you vulnerable to having your data copied or stolen.
Developing a Sound Cybersecurity Risk Management Framework
With every passing day, cybersecurity is becoming a greater concern for governments, businesses, and individuals.
This is in part due to the chronic shortage of experts, as well as the proliferating Internet of Things.
Senior cybersecurity experts are even warning against anti-virus software. They have reason to believe that attackers are now using the software to access valuable private information.
To learn more about the latest news on cybersecurity, follow our blog.