Cybersecurity: A Tale of Protecting Your Castle


Every week, we bump into new threats in our beloved and indispensable digital world. Digitalization has taken over the world, which brings many advantages but also a lot of challenges. Sometimes a major cyber incident hits a whole industry and shuts it down. Other times, the target is a country’s infrastructure. In many cases, individuals are the target, when their personal data gets leaked, stolen, and abused.

Because of COVID-19, online shopping and banking are skyrocketing, as is the way we connect with each other online. All these activities need to happen in a safe digital space. This requires a healthy level of cybersecurity maturity.


But first things first…
What is cybersecurity and why do we need it?

According to Wikipedia, cybersecurity is:

Computer security, cybersecurity, or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Because of our increasing dependency on these computer systems, cybersecurity is gaining importance. The challenge lies in its complexity, both in its political dimension and in its technological aspects. The primary goal of cybersecurity is first and foremost protecting the data within your systems, but it also serves to build trust and integrity.

The Analogy of the Castle

Often, we use the analogy of protecting a castle. If your castle is under attack, you need to know your weak points so you can put up a defense. In many cases, this analogy holds true. In our increasingly digital and hybrid society, however, it’s not always that easy to simply point out all weak spots. They can originate from external factors (think of vendors, cloud services, or external employees) as well as from internal weak links (unaware employees, for instance). We never have complete control over our ‘castle’.

Our world is already highly digitalized, and in the next few years many new domains will surely be added to that list: domains we’re currently unaware of and, because of that, might not consider. A few standards exist today, such as NIST, ISO27001/02, CIS top 18… These standards can help you gain cyber maturity. But before you can reach cybersecurity maturity, you need to know where to focus first. To make this easier, cybersecurity has been separated into specific domains (which also evolve over time).

Different domains, an overview:

Security of critical infrastructures

Security of Critical Infrastructures deals with the protection of systems, networks, and assets whose continued operation is deemed necessary to ensure the security of an organization or an entire nation, its economy, health, and/or safety of the public.

Application security

Application security encompasses all tasks that introduce a secure software development lifecycle to a development team. Its ultimate goal is to improve security practices and, with that, find, fix, and preferably prevent security problems within applications. It covers the entire application lifecycle, from requirements analysis and design through implementation and verification to maintenance.

Network security

Network security consists of the policies, processes, and practices established to prevent, detect, and monitor unauthorized access to, misuse of, modification of, or denial of access to a computer network and resources accessible to the network. Network security includes the authorization of access to data on a network, which is controlled by the network administrator.

Cloud security

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls used to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. (Free tip: you can keep track of all your policies and their different versions with RESPONSUM’s Governance module)

Internet of Things (IoT) security

Internet of Things (IoT) security is the security and protection of devices connected to the cloud, such as home automation, SCADA machines, security cameras and any other technology that connects directly to the cloud. IoT technology is distinguished from technology for mobile devices (e.g. smartphones and tablets) by the automatic cloud connectivity built into these gadgets. IoT security involves securing devices that have traditionally been poorly designed from a security standpoint, for data protection and cybersecurity purposes.

Information security

Information security, sometimes abbreviated to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It is usually concerned with preventing or reducing the likelihood of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, falsification, modification, inspection, recording, or devaluation of information. The primary focus of information security is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad), while maintaining an emphasis on efficient policy implementation, all without hindering organizational productivity.

Operations security

Operations security (OPSEC) is the process of identifying critical information to determine whether actions by unauthorized persons/companies can be observed. Through operations security, you can determine whether information obtained by adversaries can be interpreted to be useful to them, and then implement selected measures that eliminate or reduce adversary exploitation of friendly critical information.

Business continuity and disaster recovery

Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster or cyber incident and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.

End-user awareness

End-user training is raising awareness by equipping employees with the necessary tools and skills to protect themselves and company data from loss or attack.

Covering and implementing all the domains mentioned above demands a huge effort. Because of this, it’s of utmost importance that your organization develops an extensive plan for its cybersecurity. This plan consists of three important components that each play an active role.

A Security Plan

People

Let’s be honest: you can take as many precautions as you wish, but if your employees don’t follow the rules, you’re still at risk. The quote “You’re only as strong as your weakest link” comes to mind. In most cases, a human error is just that… an error. Check out our Awareness module to see how we help our customers with this challenge. The issues we find most commonly are:

  • Suspicious URLs and emails: Explain to your employees that if something looks strange, it probably is! Encourage them to pay attention to it.
  • Password laziness: We all know it’s not a good idea to use and reuse the same password for a long time.
  • Personal information: Employees need to understand that if they surf the internet for personal business (shopping and online banking, for instance), they need to use their own devices. Websites place cookies, which can cause cross-contamination. If, for instance, your personal Facebook account is hacked and you’ve used this account on your professional device, this can have severe consequences for the company.
  • Back-ups and updates: It’s rather easy for an inexperienced user to carry out daily business without backing up data or updating the antivirus program. This is a task for IT. The biggest challenge here is making employees understand they need help with these actions.
  • Physical security of devices: Think how many times you leave your laptop behind for meetings, lunch, a toilet break, etc. How many people lock their computer when they leave their desk? Emphasize the need to protect information every time a device is left unattended.

Processes

Once employees outside the IT department are trained, IT professionals can focus on the processes. The processes by which cybersecurity professionals protect confidential data are multifaceted. In a nutshell, these IT professionals are charged with detecting and identifying threats, protecting information and responding to incidents, as well as recovering from them.

Putting these processes in place not only ensures that each of these areas is constantly monitored; if a cyber incident or attack occurs, referencing a well-documented process can also save your company time and money.

Technology

Once you have frameworks and processes in place, it’s time to think about the tools at your disposal to begin implementation.

Security Management

Creating an extensive and up-to-date cybersecurity policy is extremely important to protect yourself and your organization from digital dangers. Keeping a clear overview of all the security controls you have implemented, your data, processes, etc. is vital to the existence and reputation of your company. However, storing all this (sometimes sensitive) information in an Excel file on a SharePoint is not only a hassle, it also poses a high risk that can lead to a data breach. Imagine one of these files accidentally leaking. Detrimental.

One way to prevent this is by working with a central management system that offers you a clear overview of all appropriate security controls. Definitely check out RESPONSUM’s Security Management modules for easy management of all your security flows.