Cybersecurity Planning – Part 2 – Needs, Compliance and Threat Analysis

Posted by Ford Winslow on Nov 26, 2018 4:57:12 PM

In the first part of cybersecurity planning, we discussed the top-level alignment of your security strategy with “The 3 R’s”:

-          What gets you Rich?

-          What can Ruin your business?

-          What is Required by regulators or customers?

The 3 R’s are largely business drivers, not technology or security drivers. In part 2 of this series, we go into more depth and bring cybersecurity experience and expertise into the planning exercise to understand detailed requirements for cybersecurity.

Building on the 3 R’s defined in part 1, some activities you’ll perform next are:

1. A needs analysis of your revenue-facing systems and processes

Assuming your systems are performing well for the business, you will be focused on needs related to: Confidentiality, Integrity and Availability of data and systems.

When choosing what systems to investigate, look for systems that support the primary mission of the business. Likely candidates are: Point-of-Sale, e-commerce, sales, finance and communication systems. When understanding the needs of these systems and processes, ask the business owners and users “what happens if you can’t use the system?” You’ll be amazed at what you discover.

 

2. A compliance analysis to understand what regulations apply to your business

Think you’re not regulated? While you may not be directly regulated, your customers today and tomorrow may be. Many of your customers’ requirements flow through to you as a vendor.

Understanding compliance requirements includes both what prospective controls must be in place as well as the processes and procedures for incident response and business continuity. As you go through this analysis, understanding the complex, overlapping requirements for regulations generally requires regulatory experience and skills. If you don’t have the necessary skills and experience in-house, find a reputable vendor or consultant to help.

 

3. A threat analysis to understand what factors can do harm to your business

Threats can be human or non-human, malicious or non-malicious. Threats can originate from natural disasters, software, political activism, external vulnerabilities or internal mistakes.

Hackers get the press, but most incidents are self-inflicted. Understanding how your systems can be taken down and how data can be breached is an important step in creating a real strategy. Without a threat model and some investigation to test the model, you don’t know what you don’t know. I can’t stress enough how important it is to understand what threats you face BEFORE you begin your risk assessment and strategic plan.

Third-Party Analysis Leads to a Roadmap for Security

Step one can and should be performed by in-house employees. Defining the 3 R’s should be normal business practice for everyone. When it comes time to perform the objective analysis of your business, an external 3rd party can be very useful. Uncovering areas where employees may be afraid to look or unwilling to report bad news is the job of 3rd party consultants. Giving objective information back to the business allows companies to fix what’s wrong and focus on building team processes for the future.

Once an organization has documented the 3 R’s and quantified the needs, compliance requirements and threats to the business, you can move towards the risk assessment that will lead to a strategic plan and roadmap for security.

Read More

Topics: threat analysis, compliance, cybersecurity plan, Latest Publications

Planning for your Cyber-Safe 2019 – Part 1: Where do I begin?

Posted by Ford Winslow on Nov 25, 2018 4:51:55 PM

As the turkey is wearing off and the end-of-year shopping season is upon us, I think about all the businesses that will suffer breaches on Cyber Monday. In 2017, 75% of workers admitted they will shop online from work today according to Robert Half Technology. With the average single-product security solution (think Anti-virus) being only 22% effective in stopping network intrusion, a higher than average number of companies will be breached on cyber Monday given the soaring numbers of fictitious and infected sites in cyberspace.

Read More

Topics: cybersafe, cybersecurity plan, Latest Publications

Op-Ed: The Orangeworm Attacks — Why You Should be Worried

Posted by Ford Winslow on May 9, 2018 5:45:49 PM

In yet another cyberattack aimed at the healthcare industry, a hacker group named Orangeworm recently targeted healthcare orgs in the U.S., Asia, and Europe. The attacks were aimed at computers that control X-rays and MRI machines, in addition to other medical devices. Yikes.

Read More

Topics: cyberattack, Cybersecurity + Healthcare, healthcare, Latest Publications, Op-Ed

AEONIAN Endpoint is a Comprehensive SaaS Security Tool for Your Business

Posted by Ford Winslow on May 8, 2018 5:43:15 PM

Introducing a Simple, Integrated, SaaS Security Tool Focused on the Social Good

At a time when ransomware attacks occur every 40 seconds, and annual damages are forecasted to hit $11.5 billion, cybercrime poses a greater threat to businesses than ever before. Addressing this issue, San Diego-based ICE Cybersecurity developed Aeonian — a new type of endpoint security protecting people and devices all on one platform.

Read More

Topics: AEONIAN, Saas Security Tool, In the press, Latest Publications

2018 Winter Olympic Games Cyber Attack is No Laughing Matter

Posted by flashpoint on Feb 21, 2018 4:33:53 PM

It didn’t take long for the 2018 Winter Olympics to be hacked.

Read More

Topics: criminal hackers, cyber attack, Cybersecurity news, Latest Publications, 2018 Winter Olympics

How Bad was the Equifax Data Breach?

Posted by Ford Winslow on Feb 15, 2018 4:24:50 PM

New Information Shows the Breach Worse than First Reported

How worried should you be about last year’s Equifax data breach?

Read More

Topics: Equifax data breach, Latest Publications

Chinese Tech Companies Were the First to Know About the Intel Chip Flaw

Posted by flashpoint on Feb 1, 2018 4:11:20 PM

A member of Google’s Project Zero Security Team discovered a flaw that affects computer processors built by Intel and other chipmakers. The initial discovery came a week before Intel planned to release information about the flaw, but not before Intel informed Chinese tech companies like Lenovo and Alibaba.

Read More

Topics: technology, breaches, Latest Publications

3 Ways Ransomware Affects Healthcare Cybersecurity

Posted by flashpoint on Oct 6, 2017 4:57:34 PM

Ransomware encrypts files and effectively locks users out of their computers and data. Those behind this type of cybersecurity attack then ask for money - ransom - in exchange for your data. It is estimated that 7.4 million new malware programs will be released in 2017. That’s about 850 per hour.

Read More

Topics: Cybersecurity + Healthcare, healthcare, Latest Publications, ransomware

6 Cybersecurity Action Steps for Corporate Directors

Posted by flashpoint on Oct 2, 2017 4:45:26 PM

Equifax Cybersecurity Incident Response Under Investigation

Equifax, one of the major credit reporting agencies in the U.S., reported a data breach Sept. 7 that affected 143 million consumers. The hack is one of the largest ever recorded and may have released personal details of an estimated 44% of the U.S. population.

According to The Apache Foundation, makers of an open-source software used by Equifax to create Java web applications, cybersecurity professionals offered Equifax security updatesthat would have resolved the vulnerability two months prior to the hack.

The U.S. Federal Trade Commission, the congressional House Oversight Committee, the Consumer Financial Protection Bureau, multiple state-level attorney generals and departments of financial services have all begun an investigation of the breach and Equifax’s cybersecurity incident response.

Board of Directors at Risk Over Cybersecurity

This week Equifax announced that their Chairman, Richard Smith, has stepped down as CEO following the cybersecurity breach. The week before, Equifax’s chief security officer and chief information officer stepped down as well. Despite the distance that exists between the senior executives of large organizations and their IT professionals, executives are largely held accountable for oversights, especially when they have a negative impact on consumers.

Corporate directors need to pay attention to the wide range of cybersecurity risks uncovered by this attack, and should implement measures to address any vulnerabilities their companies face. In times like this, any board will come under extreme scrutiny. They will be asked how they handled several executive issues, including board management, data privacy oversight, and executive compensation policies.

In particular, all boards should be concerned about cybersecurity policies and examine their capacity to defend against today’s rapidly expanding data theft. Henry Stoever, Chief Marketing Officer at National Association of Corporate Directors (NACD), says, “There are two kinds of companies: those that know they’ve been hacked, and those that don’t know they’ve been hacked.” Accordingly, Stoever states that there are six action steps for corporate directors to take to improve cyber security measures:

ARE YOU AT RISK? GET STARTED WITH A ROBUST CYBERSECURITY PLAN.

Six Cybersecurity Action Steps for Boards

  1. Approach cyber security as an enterprise-wide risk management issue, not an IT issue
  2. Understand the legal implications of cyber risk as they relate to their company’s specific circumstances
  3. Ensure boards have adequate access to cybersecurity expertise
  4. Facilitate discussions about cyber risk management on a regular basis and allow adequate time on board meeting agendas for robust discussions with the management team and external cyber experts
  5. Require the management team to establish an enterprise-wide cyber risk management framework with adequate staffing and budget
  6. Strategize discussions with management to include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach

Cybersecurity Incident Response and Accountability

In a statement released to the public, Equifax CEO Richard F. Smith stated “This is the most humbling moment in our 118-year history.”

Equifax has the opportunity now to refine their accountability practices. Public opinion and stock value for Equifax have suffered as a result of the incident, the late release of information to the public and the subsequent discovery of issues with the company’s phone system and website. Taking steps to ensure regular assessment of their compliance and performance would go a long way in earning back the public’s trust.

The lesson here for every board member is that cybersecurity is an increasingly importantenterprise issue that affects all levels of an organization’s operation. It requires comprehensive strategy and risk assessment. Cybersecurity is complex and must evolve quickly to combat cyber threats of increasing severity. These threats can cause significant financial, competitive and reputational damage.

If you’re not sure how to get started with a robust cybersecurity plan, ICE can help. For many companies, our Managed Security Services can cost-effectively solve these issues quickly and completely. Contact us today and let our experts help you improve your company's security and put your risk on ICE.

Read More

Topics: Cybersecurity and Board of Directors, Equifax data breach, Cybersecurity & board of directors, Latest Publications