While tools and technology go a long way towards protecting businesses from cybersecurity risk, it is rigorous monitoring of the IT estate, along with analysis of the frequency and trends of attempted attacks, that has the power to take security to a new level.
Successful organisations harness that power by translating threat intelligence into clear business language so the C-suite has a complete and unambiguous picture of cybersecurity performance. Senior executives can then see if their security expectations are matched by day-to-day operations at the coalface – and, if not, they can do something about it.
The true picture of an organisation’s exposure to risk is revealed by capturing and understanding trends related to the frequency and nature of attacks. The controls that are in place might be effective at fending off potential security breaches, but are they also reducing their number? Is there a root cause of vulnerability that can be identified and remedied? By looking at frequency and trend data, a business can see exactly what is going on, understand the threat it poses, and work out how to reduce it.
If you can actually reduce the threat, rather than just relying on technology to fight it off, then you have a better chance of avoiding that one piece of catastrophic malware getting through.
The business case for investing in improved controls to reduce the threat is revealed by frequency and trend data. For example, if you can see that users are continually hitting websites that trigger your malware detection software, this may justify an investment in cloud-based defences which stop browsers reaching dangerous blacklisted websites, removing reliance on anti-virus scanning that can never be 100% effective.
There is a wealth of data to tap into for insight, provided by firewall logs, malware scanning and email authentication tools, cloud-based security reports, software on end-user devices, and more. Analysing the data enables a business to be proactive by implementing preventative measures targeted at the areas of greatest exposure to risk.
Successful businesses are on top of what is happening in the outside world as well as inside their organisation: they read the industry press; they listen to advice from the National Cyber Security Centre. For example, knowing that ransomware attacks are currently on the increase enables a business to warn users about the threat and stress the importance of storing key data in corporate systems.
Get the balance right
It is a mistake to rely solely on tools and technology for protection when people and processes can do so much to enhance the security scenario. Ultimately almost all security issues boil down to the human element: people doing things they shouldn’t. Are employees downloading potentially dangerous software because going through the official IT route is too convoluted? Do users look for unauthorised workarounds because they can’t find the right solutions in-house? If people are downloading software to get the job done, can the business make changes to put a stop to it? Shadow IT – the use of non-corporate devices and file-sharing systems in the workplace – can have a massive impact on cybersecurity.
The key to improved safety is striking the right balance between user-friendliness, accessibility, and security. A heavy-handed lock-down approach can prove counterproductive because it forces users to fight security measures in the struggle to do their job. If your firewall prevents the exchange of encrypted data – via Zip file for instance – how do people communicate as they need to? Cybersecurity should be an enabler for the business, not a barrier.
New thinking about passwords is a good example of how simpler rules can improve security. A user-friendly password phrase that is not limited in length may offer much better protection than a tight mix of symbols, numbers and letters which users might end up writing on a Post-it note.
Is your information security strategy working hard enough for the business?
Frequency and trend reporting provides answers to three questions the CEO must ask to establish whether the business is getting the most from its information security strategy:
- What are the biggest threats my business faces today?
- What has changed in the outside world that my business needs to respond to in terms of the cybersecurity threat?
- How many attacks, in what form, have we successfully fought off?
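As an added illustration (not from the article or its author), a small Python script that turns constructed control logs into the frequency and trend figures the three questions above ask for; the log format, control names and sample data are assumptions, and the repeat-destination check is the root-cause signal described earlier.

```python
from collections import Counter, defaultdict
from datetime import date
# Constructed sample events (not real logs) in a hypothetical space-separated
# format: date control action category user destination
SAMPLE_LOG = """\
2024-03-04 webfilter block malware-site alice bad-domain.example
2024-03-05 webfilter block malware-site bob bad-domain.example
2024-03-06 av quarantine trojan carol -
2024-03-07 mailauth reject dmarc-fail - mail.example
2024-03-11 webfilter block malware-site alice bad-domain.example
2024-03-12 webfilter block malware-site alice other.example
2024-03-13 webfilter block malware-site dave bad-domain.example
2024-03-14 av quarantine trojan bob -
2024-03-15 mailauth reject dmarc-fail - mail.example
2024-03-15 webfilter block malware-site bob bad-domain.example
"""

def parse_log(text):
    """Turn raw lines into dicts keyed by ISO week so events can be trended."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, control, action, category, user, dest = line.split()
        events.append({"week": date.fromisoformat(day).isocalendar()[1],
                       "control": control, "action": action,
                       "category": category, "user": user, "dest": dest})
    return events

def weekly_frequency(events):
    """Blocked events per ISO week and per control: 'how many, in what form'."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["week"]][e["control"]] += 1
    return counts

def week_over_week(events):
    """(previous, current, percent change) per control for the two latest weeks."""
    counts = weekly_frequency(events)
    prev_week, curr_week = sorted(counts)[-2:]
    trend = {}
    for control in set(counts[prev_week]) | set(counts[curr_week]):
        prev, curr = counts[prev_week][control], counts[curr_week][control]
        trend[control] = (prev, curr, (curr - prev) * 100 // prev if prev else None)
    return trend

def repeat_destinations(events, min_hits=3):
    """Sites users keep hitting: the root-cause signal behind a control change."""
    hits = Counter(e["dest"] for e in events if e["control"] == "webfilter")
    return {dest: n for dest, n in hits.items() if n >= min_hits}
```

On the sample data, week_over_week reports the web filter going from 2 to 4 blocks (+100%) while the other controls are flat, and repeat_destinations flags bad-domain.example with 5 hits: the kind of figure that supports the investment case made above.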
The C-suite needs clear information about near misses, presented in an easily digested graphic form so the potential impact can be assessed in terms of cost to, and repercussions for, the business. After all, the C-suite, either collectively or in the role of a Chief Information Security Officer (CISO), owns the risk from such threats.
Top-level discussions about an organisation’s security objectives must be informed by analysis of attack frequency and trends. This solid insight underpins the three layers of cybersecurity: cloud-based defence systems, corporate defences, and defences on end-user devices.
Good trend data enables cost-benefit analysis of the entire security estate. A well-informed security team should be able to describe in business language what each piece of security architecture – from website filters to anti-virus software – has done to earn its keep over the last reporting period.
The C-suite is paying for all these security measures so it needs to understand their business value. That is why frequency and trend reporting belongs to the senior executives, not to the IT team, and why any lack of reports should raise a red flag.
Putting systems in place is not enough: only rigorous reporting that includes insights into frequency and trends will show if they are working properly and being effectively managed.
Author: Adrian Dain, Principal Consultant at Mason Advisory – published in Infosecurity Magazine.