A serious security incident is a question of “when,” not “if.”
In 2016 and 2017 we saw a number of spectacular news stories about cybersecurity incidents. We saw a very serious issue related to the American presidential election, which resulted in sanctions imposed on Russia as the alleged perpetrator. Czech police detained a Russian man, Yevgeniy N., wanted in connection with criminal hacking attacks on targets in the United States, in an arrest carried out in cooperation with the U.S. Federal Bureau of Investigation.
However, very often incidents do happen but companies are either unable to detect them in time or cannot produce sufficient evidence to identify or prosecute the culprit. Very often, hackers go unpunished or even unidentified.
Preparation, before an incident happens, is key. I am not talking here about prevention; I assume the company has done everything it could to defend itself. I am talking about how to prepare the business for the day after, when all of the preventive measures have failed and we are dealing with a data breach.
Staff training, security awareness, knowledge of response process
Preparation needs to start well before an incident. Information security needs to become part of the organisational culture. Ask yourself: do your management and staff know what to do and what not to do? Is everyone aware of how to avoid risky behaviour such as falling for phishing? Are they aware of the policies and procedures for response? Documents which exist only on paper or just occupy space on the corporate intranet are useless unless they are part of day-to-day operation. So one element is to train staff how to avoid incidents (there are plenty of internet resources on this); the second is to have a good response plan. You can use the Computer Security Incident Handling Guide (SP 800-61) published by the National Institute of Standards and Technology. However, once the plans are written they need to be tested, and obviously everyone needs to know them.
Establish a legal framework and understand the organisational context
Each organisation has its own objectives, formulated by its stakeholders; those objectives need to be well defined and understood, and taken into account by whoever prepares the Information Security Management System. They are a cornerstone, and ISO 27001 places the requirements of interested parties at the very top of its structure. Equally important is an up-to-date legal register which clearly lists all of the statutory, regulatory and contractual obligations related to information security, data privacy and so on. It is not enough to produce a list of acts; you need to list the specific requirements and review compliance periodically. Why is this important? Some incidents carry a mandatory reporting obligation, e.g. personal data breaches under the GDPR, which must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours.
On one hand the cyber security landscape evolves: there are slightly different ways of exploiting the same vulnerabilities, and at the same time there are new techniques for companies to defend themselves. On the other hand, hackers have always exploited the following:
- systems which are misconfigured
- systems which are behind on standard security patches
- people, the weakest link in the chain
Attack vectors haven't changed for years. So what do you need to be informed about? There are new systems being developed to detect and alert on incidents as they unfold; they draw on threat intelligence collected by the best researchers in the world. You should equip your organisation with one.
It is a good idea to stay in touch with special interest groups, to be up to date with new laws and regulations and with new best practices as they are developed. The issue is that every CIO or head of IT is constantly busy keeping the lights on and fighting operational demands.
Information Security should not be 'dumped' on IT. Information Security should sit outside IT and perform two functions:
- Advise stakeholders/executives about Information Security
- Perform an audit function over the organisation, including IT; that is why it should never become part of IT in the first place
Hiring a consultant who has experience of working with various environments may also be a good option.