Part 2: Five Areas for Complete Internet Security Coverage
Hello again cyber security-concerned business people…
Last post I wrote about the somewhat confusing landscape of cyber security. Let’s continue on that theme with an eye to removing some of the confusion. “One step at a time” is the required approach — this isn’t exactly rocket science, but close! Unfortunately, though, in today’s environment it is absolutely necessary for business to have a robust, complete coverage security posture in place, as the threats are all-too-real and they’re getting bigger and more brazen. The bad guys aren’t just script-kiddies or hacktavists anymore (although they are still out there), but now include organized crime and nation states.
When we wrote about identifying your assets last time, we felt this should be easy enough. Now, try and determine what would happen if those assets were taken away until your disaster recovery system kicks in (you do have a Disaster Recovery site, don’t you?). An important exercise is to figure out exactly how to measure your downtime financially. A quick Google Search will reveal many posts and tools out there to help you with this (here’s a good article to get you started on “quantifying business downtime“). Don’t forget to add the cost of the loss of goodwill, an important factor that’s easily underestimated as it is difficult to determine. This is an eye-opening exercise and worth doing, believe me.
Remember too that liabilities arising out of cyber breaches are a new and growing business and the legal and insurance industries see this as a huge growth area. This is receiving a ton of government scrutiny with an eye to regulation, so fines will become prevalent for sloppy businesses without sufficient security protocols.
So, what next? You have probably received most of your cyber-security education from vendors trying to convince you that their product will have you covered. But this is way more complex than trying to cover yourself with a single product. Here are five areas to consider for a complete security posture:
- Technology: The cyber-security industry has you covered for sure! Products include security for Infrastructure, Endpoint, Application, Web, Cloud, IoT, Transaction, Mobile and Data and show over 500 vendors out there. Add Risk, Compliance, Incidence Response and Threat Intelligence and you have close to 1,000 suppliers all saying they have the “secret sauce” solution to your problems. This is Gartner’s attempt to make sense of the top security technologies last year: it gives you a good overview of what these brilliant people suggest. Still confused?
- Governance: IBM and others say 95% of cyber problems are caused by your own staff. Education, policy and rules are essential!
- Standards: There are a lot of organizations that can assist you in finding the standards applicable to your industry such as NIST, HIPPA, OSI, SOX, NERC and others and many are free for you to use. For small businesses, I recommend starting with NIST (National Institute of Standards and Technology) as it’s probably most useful resource for businesses without major compliance requirements.
- Insurance: Cyber security is an evolving area for general insurance companies and yes, it is possible to cover liabilities and business interruption. However, the payment of fines is an ongoing grey area and existing conditions that ensure coverage requires comprehensive analysis.
- Consulting: Of course you’re not expected to do all this by yourself! Finding a good quality Managed Security Services Provider who is product-agnostic, experienced and won’t make a meal out of a sandwich is required. Connections with appropriate authorities is essential. The first question to ask: Can they do security assessments, vulnerability assessments, penetration testing and remediation?
This is the second in a series of internet security posts which are intended to assist security aware business people. My name is Bruce Thompson and I have been in the telecom and IT industry for over 30 years and have numerous security certifications from industry leading vendors and associations. This second entry suggests that there’s no magic bullet of a single security solution, and that a complete solution requires several areas of coverage.