Adapt or die is definitely the mantra of the moment. Multiple global events in play today are pushing organizations to adapt faster. Whether adding barriers and sign-in desks to limit the spread of the Coronavirus or migrating to a partial or full remote workforce, these changes impact physical and logical security measures. Companies with no security function are struggling to even start improving their security posture, and even organizations with defined security programs are feeling the heat. What every company needs, regardless of current cybersecurity maturity, is a cyber attack prevention plan. This isn’t something that can be put off: cybercriminals are taking advantage of the gaps in every company’s protocols.
Here are three steps you can take now to create your cyber attack prevention plan.
- Identify what needs to be protected. To build a cyber attack prevention plan, an organization first needs to know what is at risk, and managing risk starts with managing assets. IT managers routinely request services from MSSPs like Abacode but are unable to provide even the most basic information about their own environment. Whether the networks and systems were homegrown, acquired and bolted on, or redesigned and scrapped, IT stakeholders can barely keep track of how their enterprise is performing, much less what’s inside it. Security mechanisms are much more likely to fail if critical assets and data aren’t all covered. Here’s what you need to know:
- What type of IP is stored, processed, or transmitted?
- What type of customer data is stored, processed, or transmitted?
- How many networks do you manage?
- How many external IPs are configured on each network?
- How many internal IPs are configured on each network?
- How many external cloud networks / platforms are in use?
- Is the organization currently required to undergo third party audits and if so, under which compliance standards?
- **How many US citizen PII / PHI / credit card records are stored on organizational assets?**
- **How many EU citizen PII records are stored on organizational assets?**
- **If the organization’s IT enterprise were disabled by ransomware or another malware attack for 72 hours, what would the expected revenue loss be, if any?**
Security managers and heads of IT should always start establishing their security program with the last three (bolded) questions.
- Assess risk and degree of vulnerability. With the answers to these questions, especially the last three, management and key stakeholders can begin to calculate what is at stake in a security breach or incident. A company with $50 million in annual revenue would lose ~$250,000 in revenue alone to a ransomware attack if contingency plans and backup measures aren’t in place – in addition to the ransom fee, unfortunately. The Ponemon Institute estimated that 2019 data breaches cost ~$150 per record, so an organization that suffers a breach of 25,000 records can expect to spend up to $3.75 million in recovery fees. Understanding the financial risk is required to help executives set a budget, and the data and asset composition will steer decisions about security program components and technology procurement. Therefore, the next critical step is to conduct an assessment.
A risk assessment prioritizes mitigation by ranking technical and non-technical risks. Non-technical risks are discovered via:
- Key process walkthroughs – how are new systems purchased and installed? How are new users granted access to IT systems? How are systems backed up?
- Key stakeholder interviews
- Documentation review
Technical risks are detected with scanning solutions and testing. The following should be considered as components of risk management:
- External and internal network vulnerability assessment
- External and internal network penetration test
- Web application penetration test
- Static code analysis
- Create a plan and establish a security program. Upon completion of the assessment, an organization can develop a remediation and prevention plan. Ensure this plan includes policy and procedure drafting to guide personnel in ongoing security practices. The plan should include each of these 14 elements, or explain the rationale for excluding any of them. The plan:
- Assigns security oversight to executives – An executive team should meet routinely to discuss risk and remediation efforts
- Assigns security responsibility to employees via job descriptions and policy acknowledgments
- Adopts controls according to accepted frameworks such as NIST 800-53, ISO 27001, etc.
- Communicates responsibility to employees via policies, diagrams, written job descriptions, etc.
- Trains employees at least quarterly regarding security awareness and privacy
- Executes phishing campaign simulations and tasks the organization with maintaining a click-through rate under 2%
- Defines an asset management and control framework – smaller organizations may be able to manage their assets and controls with spreadsheets; large multi-network / multi-vertical organizations will need asset and compliance management solutions
- Assesses for technical vulnerabilities via monthly scanning, code review, static code analysis scanning, control assessment
- Establishes logical security perimeters with network firewalls, web application firewalls, and cloud environment network security groups
- Monitors the enterprise with a security information and event management system and security operations function
- Protects endpoints with host-based IDS and secure e-mail gateways
- Establishes plans for change management, incident response, business continuity and disaster recovery
- Ensures backup and restoration processes are in place
- Enforces security controls during Human Resources processes such as onboarding, offboarding, and credential granting
There are countless ways for bad actors and operational issues to impact organizational operations and security posture. Unless a cyber attack prevention plan and a security program are in place to prioritize and manage mitigation efforts, security personnel will be in constant “fire-fighting” mode, resolving issues only as they are detected.