Beginning of The COVID-19 Epoch

Posted by Eric Nichter on May 7, 2020 3:25:59 PM

Ford Winslow, ICE’s CEO, was a guest speaker on Seamless Podcast with Mike Caroll and Darin Andersen, San Diego technologists, to discuss the current state of cybersecurity.  The podcast took place on March 18th when COVID-19 was beginning to dominate social consciousness as major trade shows and events were shutting down.  As everyone transitions to work from home (WFH), securing data as workloads shift from corporate networks to home networks is a major challenge.  Ford gave us a glimpse into how ICE is addressing four challenges through integration and automation.


Topics: cybersecurity plan, remote desktop, COVID-19, phishing, malware, Cybersecurity Training

Worried About 3rd Party Cyber-Risk? You're not Alone....

Posted by Ford Winslow on May 1, 2019 4:44:19 PM

After an inspiring discussion of how interoperability is the future for community health at last week's CIE Summit, the sobering reality is that 3rd party cyber risk is a huge and complex problem.


Topics: cybersafe, technology, threat analysis, compliance, corporate cybersecurity, cyber risk, cyberattack, Cybersecurity news, cybersecurity plan, healthcare

Cybersecurity Planning – Part 2 – Needs, Compliance and Threat Analysis

Posted by Ford Winslow on Nov 26, 2018 4:57:12 PM

In the first part of cybersecurity planning, we discussed the top-level alignment of your security strategy with “The 3 R’s”:

- What gets you Rich?
- What can Ruin your business?
- What is Required by regulators or customers?

The 3 R’s are largely business drivers, not technology or security drivers. In part 2 of this series, we go into more depth and bring cybersecurity experience and expertise into the planning exercise to understand detailed requirements for cybersecurity.

Building on the 3 R’s defined in part 1, some activities you’ll perform next are:

1. A needs analysis of your revenue-facing systems and processes

Assuming your systems are performing well for the business, you will be focused on needs related to: Confidentiality, Integrity and Availability of data and systems.

When choosing which systems to investigate, look for systems that support the primary mission of the business. Likely candidates are Point-of-Sale, e-commerce, sales, finance and communication systems. To understand the needs of these systems and processes, ask the business owners and users “what happens if you can’t use the system?” You’ll be amazed at what you discover.

2. A compliance analysis to understand what regulations apply to your business

Think you’re not regulated? While you may not be directly regulated, your customers today and tomorrow may be. Many of your customers’ requirements flow through to you as a vendor.

Understanding compliance requirements covers both the prospective controls that must be in place and the processes and procedures for incident response and business continuity. Regulatory requirements are complex and overlapping, so working through this analysis generally requires regulatory experience and skills. If you don’t have the necessary skills and experience in-house, find a reputable vendor or consultant to help.

3. A threat analysis to understand what factors can do harm to your business

Threats can be human or non-human, malicious or non-malicious. Threats can originate from natural disasters, software, political activism, external vulnerabilities or internal mistakes.

Hackers get the press, but most incidents are self-inflicted. Understanding how your systems can be taken down and how data can be breached is an important step in creating a real strategy. Without a threat model and some investigation to test the model, you don’t know what you don’t know. I can’t stress enough how important it is to understand what threats you face BEFORE you begin your risk assessment and strategic plan.

Third-Party Analysis Leads to a Roadmap for Security

Step one can and should be performed by in-house employees. Defining the 3 R’s should be normal business practice for everyone. When it comes time to perform the objective analysis of your business, an external 3rd party can be very useful. Uncovering areas where employees may be afraid to look or unwilling to report bad news is the job of 3rd party consultants. Giving objective information back to the business allows companies to fix what’s wrong and focus on building team processes for the future.

Once an organization has documented the 3 R’s and quantified the needs, compliance requirements and threats to the business, you can move towards the risk assessment that will lead to a strategic plan and roadmap for security.


Topics: threat analysis, compliance, cybersecurity plan, Latest Publications

Planning for your Cyber-Safe 2019 – Part 1: Where do I begin?

Posted by Ford Winslow on Nov 25, 2018 4:51:55 PM

As the turkey is wearing off and the end-of-year shopping season is upon us, I think about all the businesses that will suffer breaches on Cyber Monday. In 2017, 75% of workers admitted they will shop online from work today, according to Robert Half Technology. With the average single-product security solution (think anti-virus) being only 22% effective in stopping network intrusion, a higher-than-average number of companies will be breached on Cyber Monday given the soaring numbers of fictitious and infected sites in cyberspace.


Topics: cybersafe, cybersecurity plan, Latest Publications