A serious security incident is a question of “when”, not “if”.

In 2016 we saw a number of remarkable news bulletins about cybersecurity incidents. For example, we recently saw a very serious issue relating to the American presidential election, which resulted in sanctions imposed on Russia as the alleged perpetrator. Czech police detained a Russian man, Yevgeniy N., wanted in connection with criminal hacking attacks on targets in the United States, in an arrest carried out in cooperation with the U.S. Federal Bureau of Investigation.

Very often an incident does happen, but the company is either unable to detect it in time or cannot produce sufficient evidence to identify or prosecute the culprit. Very often, hackers go unpunished or, even more worryingly, unidentified.

Staff training, security awareness, knowledge of response process

Preparation before an incident happens is key.
In this context, preparation is not prevention. We are assuming the company has already done everything possible to protect itself against a cyber security attack. By preparation we mean preparing the business for the day after, when all of the preventive measures have failed and there is a data breach to deal with.

Preparation needs to start before a potential breach. Information security needs to become an integral part of the organisational structure and culture.

Can you answer the following questions?

  • Do your management and staff know what to do and what not to do? Do all employees know how to avoid risky behaviour like phishing?
  • Are there data breach response policies and procedures in place, and have all staff been trained on them?

Staff training is essential and having a good response plan is crucial; the Computer Security Incident Handling Guide published by the National Institute of Standards and Technology is a good starting point. There is little point in executing your response plan if the plan has never been tested and the relevant staff are not familiar with the process.

Establish legal framework and understand organisational context

Each organisation has its own objectives, formulated by its stakeholders; those objectives need to be well defined and understood. They provide the backbone of any Information Security Management System and are a cornerstone of the business. ISO27001 places the requirements formulated by interested parties at the very top of its structure. Equally important, however, is an up-to-date legal register which clearly lists all the statutory, regulatory and contractual obligations relating to information security, data privacy and so on. It is not enough to produce a list of acts: you need to detail the specific requirements and review compliance against them periodically. Why is this important? Certain crimes carry a mandatory reporting obligation, for example under the GDPR.

Stay informed

The cyber security landscape continues to evolve, but mostly in the form of slightly different ways of exploiting the same vulnerabilities. There are new techniques for companies to defend themselves; however, hackers have always exploited the following:

  • Misconfigured systems
  • Systems lacking standard security patches
  • People – the weakest part of the chain

Attack vectors haven’t changed for years. So, what do you need to be informed about? New systems are being developed to detect and alert about incidents as they unfold; they draw on threat intelligence collected by the best researchers in the world. Your organisation should invest in such a system.
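To show concretely what "detect and alert" means in practice, here is an added example (written for this post, not code from the original article or from any particular product) that checks proxy log lines against a threat-intelligence indicator list and raises an alert for every match. The indicator values, the key=value log format and the field names are all constructed assumptions; a real deployment would read the feed and the logs from the systems mentioned above.

```python
"""Match a threat-intelligence indicator list against proxy log lines.

Added example: indicators and log lines below are constructed from the
documentation address ranges and hypothetical hostnames, not real IoCs.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed indicator feed. A real feed would also carry source,
# confidence and first/last-seen fields for each entry.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "note": "constructed C2 address"},
    {"type": "ipv4-net", "value": "198.51.100.0/24", "note": "constructed hostile range"},
    {"type": "domain", "value": "update-check.example.net", "note": "constructed phishing domain"},
]

# Constructed proxy log lines in a hypothetical key=value layout.
LOG_LINES = [
    "2016-12-20T09:14:02Z proxy src=10.0.0.12 dst=192.0.2.80 host=www.example.com status=200",
    "2016-12-20T09:14:07Z proxy src=10.0.0.12 dst=203.0.113.45 host=cdn-assets.example.org status=200",
    "2016-12-20T09:15:31Z proxy src=10.0.0.40 dst=198.51.100.77 host=mail.update-check.example.net status=302",
    "2016-12-20T09:16:00Z proxy src=10.0.0.41 dst=192.0.2.10 host=intranet.example.com status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def indicator_hits(fields: Dict[str, str], indicators: Iterable[dict]) -> List[dict]:
    """Return every indicator that matches the destination IP or host of one parsed line.

    Domains match on the exact name or any subdomain of the listed name, so
    'mail.update-check.example.net' hits 'update-check.example.net'.
    """
    dst = fields.get("dst")
    host = fields.get("host", "").lower().rstrip(".")
    try:
        dst_ip = ipaddress.ip_address(dst) if dst else None
    except ValueError:  # malformed address: skip IP checks, still check host
        dst_ip = None

    hits = []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if kind == "ipv4" and dst == value:
            hits.append(ind)
        elif kind == "ipv4-net" and dst_ip is not None and dst_ip in ipaddress.ip_network(value):
            hits.append(ind)
        elif kind == "domain" and (host == value or host.endswith("." + value)):
            hits.append(ind)
    return hits


def scan(lines: Iterable[str], indicators: Iterable[dict]) -> List[dict]:
    """Produce one alert record per (log line, matching indicator) pair."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        for ind in indicator_hits(fields, indicators):
            alerts.append({
                "ts": fields["ts"],
                "src": fields.get("src"),
                "type": ind["type"],
                "indicator": ind["value"],
                "note": ind["note"],
                "line": line,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG_LINES, INDICATORS):
        print(f"ALERT {alert['ts']} src={alert['src']} {alert['type']}={alert['indicator']} ({alert['note']})")
```

The alert keeps the original log line and the internal source address, because those are exactly the pieces of evidence the response team (and, later, an investigator) will need; a detection that only says "something matched" is of little use on the day after.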

It is a good idea to stay in touch with special interest groups, so you are up to date with new laws, regulations and new best practices, which are constantly being developed and improved. Information Security should not be ‘dumped’ on IT; it should be independent of the IT department and perform two functions:

  • Advise stakeholders/executives about Information Security
  • Perform an audit on the organisation, including IT (which is why Information Security should never be ‘owned’ by the IT department). Hiring an experienced external consultant is possibly the best option.

Posted by Derek Mizak

Cyber security consultant working on application of Artificial Intelligence to cyber security practice, Digital Forensic Investigator, ISO27001 lead auditor.