Cyber attacks are real. They’re complicated and they’re not going away. In part one of this blog series, we outlined the risks and consequences of cyber crime, and why cyber security is now a whole of business concern.
In this post, we’ll delve into how to ensure you’re in the strongest security position possible. To be frank, one blog post will not solve this issue for you. But it will point you in the right direction to understand the threats, mitigate the risks and guide you in setting up a security framework.
First, you need to understand what you’re protecting and why
There are three goal areas that can help you understand what you need to protect – your environment – and why. They’re the foundations of a robust security framework and they’re known as the CIA principles (Confidentiality, Integrity and Availability).
The goal areas are:
- Confidentiality of data: think about what information and data needs to remain confidential to your business.
- Integrity of data: think about how you can protect your data so it can’t be improperly changed – whether through malicious intent or human error.
- Availability of data: think about who needs to access what data and whether access needs to be restricted for certain levels within the business.
Then you need to develop a strategy
This is where you dig a little deeper and start getting specific about ways to address key vulnerabilities within each area.
Confidentiality of data
Within this area, you need to consider how you’ll ensure your data is handled, stored and shared in such a way that it is not improperly divulged. This includes thinking about protecting personal privacy and proprietary information.
Recent regulatory changes, including GDPR and NDB, impose additional requirements on the protection of individuals’ private information that you may hold, so these need to be taken into consideration as well.
To ensure data confidentiality, the two primary techniques to consider are encryption and access control.
- Encryption – you need to think about encryption for both data at rest (stored either locally or in the cloud) and data in transit on a network (being sent or shared).
- Access controls – only authorised users should be able to access data based on their role and security level. To best manage these levels of access, identification and authentication processes must be in place – including multi-factor authentication – depending on the security classification of the data.
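To make the classification-driven access control in the second bullet concrete, here is an added example in Python (not code from the original post or from Nexon): a deny-by-default check that combines a user’s roles, clearance and whether they completed multi-factor authentication against the classification of the data being requested. The classification levels, the role-to-action mapping and the “MFA required from CONFIDENTIAL upwards” threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Assumed data classification scale; higher is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumption: data classified CONFIDENTIAL or above may only be opened
# in a session where multi-factor authentication was completed.
MFA_REQUIRED_FROM = Classification.CONFIDENTIAL

# Assumed role-to-action mapping (a real system would load this from policy).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset          # roles granted to the authenticated user
    clearance: Classification  # highest classification the user may see
    mfa_verified: bool         # True only if a second factor was checked


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Classification


def authorise(session: Session, obj: DataObject, action: str) -> tuple[bool, str]:
    """Deny by default; return (allowed, reason) so the decision can be logged."""
    if obj.classification > session.clearance:
        return False, "clearance below data classification"
    if obj.classification >= MFA_REQUIRED_FROM and not session.mfa_verified:
        return False, "multi-factor authentication required"
    if not any(action in ROLE_PERMISSIONS.get(role, set()) for role in session.roles):
        return False, f"no role grants '{action}'"
    return True, "allowed"
```

The returned reason is meant to be written to an audit log on every decision, which is what gives you the “monitoring of access permissions” the framework section later calls for.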
Integrity of data
Part of ensuring that your data is reliable and accurate over its lifecycle is preventing unauthorised users from making changes.
To help ensure data integrity, conduct regular testing to identify vulnerabilities that could be exploited to give people with malicious intent access to your systems and data.
Availability of data
A workable and tested disaster recovery plan will help ensure your business can continue to run in the event that you lose access to the primary systems that store and process data. The three most common threats to availability are:
- DoS (denial of service) due to intentional attacks on a system, either from the network or by other means.
- Natural disasters or other interruptions where users cannot access the physical business premises or data.
- Equipment failure.
You can’t always control when or where these events happen, but you can mitigate the risks and reduce the impact, including by making backups part of your business continuity plan.
Now you can establish a unique security framework
Security frameworks can be complex. Once you’ve considered the foundational principles above, get started mapping out your security framework by thinking about the following areas:
Security governance and management
This includes the policies and standards you have in place, your operating model and awareness and training for all staff. Additionally, consider your risk management plan including third party security and business continuity, asset management and human resources security.
Threat and vulnerability
Use threat intelligence to gain an accurate and evidence-based understanding of the risks to your environment. What are the real and likely threats to your business? Include regular penetration and vulnerability testing to identify areas of improvement to manage risk.
Access and identity management
Think about user access control, using passwords and multi-factor authentication at certain levels, and monitoring and management of access permissions to ensure only authorised users can access and change data.
Perimeter, endpoint and email protection, from device to cloud, are the technical components required to minimise the impact of cyber threats.
Before you implement your framework, it is essential you document your requirements and then identify the roles and responsibilities. Your documents should contain the necessary checklists and policies for each area discussed above.
Finally, implement your framework
Put all of this in place and you’ve made a good start
As you can see, there is a lot to consider when it comes to mitigating cyber threats, attacks and viruses.
It can be overwhelming, and many organisations – understandably – don’t have the in-house resources to identify and remediate issues. You need to continuously assess your security posture and mitigate risks. However, this is no reason not to at least make a start on your journey.
Want to know how secure your business is right now?
Let Nexon run a remote and passive vulnerability scan to show you where your weaknesses lie. From this, we’ll develop a checklist, based on best practice, to solidify your security framework.