Organisations have various security controls in place: EDR or MDR, network protection, SIEM, SOC, email security, and many more. But still we see data breaches, we see successful attacks, and we hear news after news.
There are a couple of key takeaways from what we saw in the past couple of months in Australia and around the world, from Optus and Medibank to Uber.
If you are a decision maker in cyber security in your company, go through these 12 items and evaluate them in your organisation:
1- If you are only relying on tools, that’s where the problem will continue to exist. It’s about the processes in place, dynamic and continuous risk assessments, and people’s skills too.
2- You purchased a tool, and it’s top of the range with all the gadgets, but a couple of considerations:
– Is this tool configured to its maximum capacity of detection, protection and response, or is it on default settings?
– Do you have the skills in place (in-house or outsourced) to manage this new tool to its maximum capacity, and I mean maximum capacity, not just switched on with the light green!
3- Threats are not just internal; they are external too, don’t forget that. If you have an EDR and many other toys, that doesn’t mean you also have visibility of your certificate authority trust chain, of currently compromised credentials, or of any vulnerable 4th-party provider with an established trust relationship to your assets. External threat visibility is as crucial as internal.
4- Deploy proactive measures in combination with reactive ones. I mean, if you wait for an attack to take place and then see whether your EDR or email security or other fancy tools will stop it, that’s reactive. It means you are taking your chances and hoping those tools are going to detect and protect against attacks no matter what. Proactive measures mean actively having threat hunting processes in place, proactively checking the internet and dark web through threat intelligence capabilities, and proactively running threat simulations and red teaming exercises. Proactive, not reactive!
5- You only act upon what you see or know. If there are blind spots, you wouldn’t know about them, so you wouldn’t have any plans for them. Simple, right? What are those blind spots in your threat management? This is where threat modelling exercises come in handy. Try to incorporate them in your overall risk management process. Identify the attack surfaces and the attack vectors, continuously monitor them, and assess the controls’ effectiveness in minimising them.
6- 3rd-party and 4th-party risks are not going away, or being detected, by sending questionnaires. It’s a good starting point, but it’s not going to give you the 100% result that you want. Vendor risk management should be an interrelated process along with threat intelligence gathering. It also has to be included in your contract management. If remediation of the risks by the 3rd/4th party is not enforceable, what’s the point of such assessments? Make sure they are enforceable through contracts where your vendors have to comply with your policies and your security framework’s requirements.
7- Keep assessing your cyber security technology’s effectiveness. Anyone can claim they are the best. Fine, test them with threat simulation tools, such as Cymulate, deliver real-life malware, ransomware and trojans, and see what their penetration ratio is. This eliminates any false sense of security and identifies the gaps in your technology: the real gaps, not marketing stuff.
8- Annual penetration testing is a waste of time, effort and money. Sorry, but it’s the reality. It ticks your compliance box, but that doesn’t mean it makes you secure. Continuous assessment is the way to go. It means a continuous review of security controls, apps, servers, Active Directory, websites, identities, awareness level, processes, response capabilities, detection level and many more. Continuous, not an annual snapshot of specific areas!
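Items 2, 5 and 8 all come down to one recurring question: is each control actually configured to the level you decided on, is it still sitting on the vendor default, and is there a baseline control that no tool covers at all (a blind spot)? The script below is an added example of what a small continuous check of that kind looks like; it is not from this post and not from any vendor. The tool names, setting names, defaults and baseline values are constructed for illustration, and in practice the `CURRENT` snapshot would come from a config export or API pull on a schedule rather than being typed in.

```python
"""Continuous control-configuration assessment (added example).

Compares what the security tools report today against a hardened baseline and
flags three things: settings below the baseline, settings that are still on the
vendor's shipped default, and baseline controls that no tool reports at all.
All tool/setting names and values are constructed for illustration.
"""
from dataclasses import dataclass

# Hardened baseline the organisation has decided on (constructed).
# "exact": the value must match; "min": a number at least this large is fine.
BASELINE = {
    "edr.behavioural_blocking": {"expect": True, "kind": "exact"},
    "edr.tamper_protection": {"expect": True, "kind": "exact"},
    "edr.memory_scanning": {"expect": True, "kind": "exact"},
    "email.attachment_sandboxing": {"expect": True, "kind": "exact"},
    "email.dmarc_policy": {"expect": "reject", "kind": "exact"},
    "siem.log_retention_days": {"expect": 365, "kind": "min"},
    "siem.edr_telemetry_ingested": {"expect": True, "kind": "exact"},
}

# Today's snapshot: the live value plus the vendor's shipped default
# (constructed; a real run would pull this from the tools' config export/API).
CURRENT = {
    "edr.behavioural_blocking": {"value": True, "default": False},
    "edr.tamper_protection": {"value": False, "default": False},
    "edr.memory_scanning": {"value": False, "default": False},
    "email.attachment_sandboxing": {"value": True, "default": False},
    "email.dmarc_policy": {"value": "none", "default": "none"},
    "siem.log_retention_days": {"value": 90, "default": 90},
    # siem.edr_telemetry_ingested is deliberately absent: nothing reports it,
    # so the assessment must surface it as a blind spot rather than silently pass.
}


@dataclass
class Finding:
    setting: str
    status: str            # "ok", "below_baseline" or "not_covered"
    current: object = None
    expected: object = None
    still_default: bool = False   # value is identical to the vendor default


def _meets(kind, value, expect):
    """Baseline comparison: minimum threshold for numbers, exact match otherwise."""
    if kind == "min":
        return value >= expect
    return value == expect


def assess(current, baseline):
    """Return one Finding per baseline entry, in baseline order."""
    findings = []
    for setting, rule in baseline.items():
        if setting not in current:
            # Blind spot: the baseline expects a control nothing is reporting.
            findings.append(Finding(setting, "not_covered", expected=rule["expect"]))
            continue
        obs = current[setting]
        status = "ok" if _meets(rule["kind"], obs["value"], rule["expect"]) else "below_baseline"
        findings.append(Finding(setting, status, obs["value"], rule["expect"],
                                still_default=(obs["value"] == obs["default"])))
    return findings


def summary(findings):
    """Counts per status, plus how many failing settings are untouched defaults."""
    counts = {"ok": 0, "below_baseline": 0, "not_covered": 0, "still_default": 0}
    for f in findings:
        counts[f.status] += 1
        if f.still_default and f.status != "ok":
            counts["still_default"] += 1
    return counts


if __name__ == "__main__":
    results = assess(CURRENT, BASELINE)
    for f in results:
        flag = " (vendor default)" if f.still_default and f.status != "ok" else ""
        print(f"{f.status:15} {f.setting:30} current={f.current!r} expected={f.expected!r}{flag}")
    print(summary(results))
```

Run on the constructed snapshot, four of the seven baseline settings fail, every one of them is still on the vendor default (the "on and the light is green" case from item 2), and the SIEM telemetry feed shows up as not covered at all. The value of the check is only realised when it runs on a schedule and the findings feed the risk register, which is the difference between continuous assessment and an annual snapshot.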
9- Skills management and update. Once I came across someone who was an expert in a technology which is almost obsolete and belongs to almost a decade ago! He was asking for $1200/day. And there are many of these experts out there. So when you hire, hire based on attitude, not skills, not certificates, and not ancient technologies. Hunger for learning, hunger for improvement, and hunger for innovation. Remember you are hiring an engineer (someone who either finds a way or makes a way), not a philosopher of life. The right skills can make a massive difference in risk reduction, and the wrong ones can give you a huge sense of security where the reality may be different when incident response time comes!
10- The board of directors or the CEO of any company are the ultimate risk owners. Make sure they know what the risks are, and actually own them. They get paid big time, and part of it is for risk (managing business risk). So make sure they understand the risks, and translate those technical risks into business risks for them to own.
11- During one of the recent data breach scenarios, the victim company refused to negotiate with the ransomware operators. “We refuse to negotiate with criminals,” they said. Fine. So those people released millions of people’s records on the dark web. Results: big fines, lost customer trust, brand damage, and many more. So, an incident response plan is not just about creating playbooks for phishing or ransomware. It’s incident response, including negotiation of everything, with everyone. I am not saying to obey what criminals say, but you should at least negotiate. Negotiate to find ways of minimising our impact and maximising their exposure. If we don’t negotiate, what leverage do we have? Think about it! So, back to the whiteboard, and create your incident response plan with the worst-case scenarios in mind.
12- Risk management should be reflected in every decision made in the organisation: risk-based budgeting, risk-based hiring, risk-based purchasing, risk-based partnering, etc. Proactive measures in this space are super important. HR, finance, contracts and legal, and the technology teams should discuss these and come up with an orchestrated action plan, where any decision considers all aspects of the business and its risks.