Most Australian businesses are acutely aware of the security risks they face today. However, while many focus on utilising a bundle of security solutions in the hope of finding a ‘silver bullet’ to fix their security woes, many forget the basics.
As we look forward in 2015, it’s also important to remember the many examples of organisations that fell victim to cyber security breaches in the year gone by.
Australian businesses can minimise their chances of experiencing such a security breach in 2015 by observing some basic yet timeless fundamentals when it comes to securing business operations in an online environment. Here are seven essentials:
1. Focus – on knowing what’s important. What is the value of your data to yourself, your competitor and the cyber adversary? Where is this data located? Who has access to it? How is it protected, and who is protecting it?
2. Simplify – this may seem like an oxymoron given that technological trends and pressures such as Bring Your Own Device (BYOD), Cloud and Social Media are increasing the complexity of our environments. Yet, if we can answer the questions in the first point, then we can quickly see misalignments: where we have over-invested and, in many cases, under-invested.
The important point here is to understand what is important, where it is, and how it is protected. Aim to simplify this as much as possible so as to reduce the routes an attacker can take to access your sensitive data.
Additionally, we can identify areas where the same sensitive data that is protected with strict access controls suffers the ‘copy manage’ syndrome. That is, a business unit needing a copy of the data for its own ‘unique’ needs copies the authoritative data into its own platform without inheriting the data classification and subsequent controls.
3. Control – access to important information. Monitor access to this data. This involves network segmentation, access management, data encryption, and monitoring.
An important point to understand is that network controls don’t follow the data, so the data is the perimeter, especially in our expanded and hyper-connected world. Data encryption is the most effective means of ensuring that, irrespective of location, data has a degree of protection and can only be accessed by authorised entities (or those that have the keys).
4. Incident response – when things go wrong (and they will), how do you respond? Who do you call and do you turn off access? Do you engage with the media? How do you recover quickly so you can move forward? Have a plan, and adopt the old military doctrine, “Plan for the worst, hope for the best”.
5. Educate the user – user awareness should be a significant part of your efforts in cyber security. Often it is the user, or ‘wetware’ as it is called in security, that is hacked. Security awareness is not a once off, but a continual program of positive reinforcement to encourage the right behavior. Don’t punish, but encourage and help your management and users understand what social engineering attacks look like.
6. Patch, Catch and Match – the Australian Signals Directorate has provided some simple but highly effective advice to everyone. Their ‘Patch, Catch, Match’ campaign is the poster child for their 35 mitigation strategies, of which the top four strategies have been found to mitigate 85 percent of the targeted attacks they investigated.
7. Measure yourself over time – everyone loves metrics, and cyber security is no different. It’s important to understand if your investment is aligned and protecting your business. Ask yourself this simple question: ‘Did the money you spent in 2014 make you more secure? If so, how?’ This can be a tough question to answer, so starting with a handful of key performance metrics such as percentage of end-user systems patched, percentage of sensitive or controlled data encrypted, time to respond to an incident, and number of incidents discovered will allow you to quickly learn about your business and where your investment is going.
In today’s dynamic threat landscape there is no silver bullet to security, but by implementing these basic yet fundamental security principles organizations can significantly reduce their risks.
About the Author:
Written by John Ellis, Chief Strategist, Cyber Security (APJ), Akamai Technologies.