In our now hyper-interconnected world, critical lifeline services have been connected to the Internet. These lifeline services affect nearly every part of our lives and impact our economic livelihood, our public health and safety, and our national security. In the past two years, we have heard about significant losses in cyberspace suffered by numerous organizations around the world, affecting almost every industry. The potential losses and the likelihood of damage are very real, and that is why cyber security has increasingly been in the news and top of mind for many organizations' CEOs and boards.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”
- President Obama, 2015
Why Is This Happening?
Our hyper-interconnectivity has leveled the playing field by providing simple and inexpensive access for everyone, from individuals to governments. But it has also provided an excellent platform for crime-sponsored organizations that have compromised businesses and wreaked havoc across the globe from behind the safety of their keyboards. Cyber-criminals and nation-states have successfully attacked a wide variety of companies, disrupting lifeline services and/or stealing private information for economic gain. Organized cyber-crime has become big business, with losses estimated as high as $445 billion annually. The new normal, the cyber-norm, is escalating attacks and losses in cyberspace, where everyone is a potential target and everyone stands to suffer significant losses if controls are not improved.

Cyber-security is largely in the hands of the private sector. Companies generate revenue and deliver products and services that we rely on and trust to be safe. Investing in cyber-security, adding security measures, and performing mundane cyber hygiene do not necessarily align with business objectives and priorities, and the discipline and investment required to maintain safe systems are difficult for many. Many organizations also do not think that they are a target. Unfortunately, the situation today is that getting hacked is not a matter of if, but a matter of when. With this new normal, organizations must focus on the impact of an incident and determine how they will detect, respond to, and recover from it in order to minimize business impact.
Time for Change
Individuals, companies, and governments are taking this seriously. In the United States, the President has placed a strong emphasis on American companies acting now to secure their portion of cyberspace. As a result of Presidential Executive Order 13636 in 2013, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in 2014 as a means of establishing reasonable baseline security practices. The framework is adaptable, providing a flexible, risk-based approach that can be used with a broad array of recognized information security risk management processes such as ISO 31000:2009, ISO/IEC 27005:2011, NIST SP 800-39, and the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline. The framework is also built on a set of practices that begins to harmonize five established information security standards and controls frameworks: NIST SP 800-53, ISO/IEC 27001:2013, CCS CSC, COBIT 5, and ISA 62443. The intent is to help organizations identify, prioritize, implement, and improve cybersecurity practices, and to create a common language for internal and external communication of cybersecurity issues.

At the core of the framework, each business should determine its priorities based on its most critical assets. Assets can be systems, applications, and/or services. This effort ensures that priorities are set to address the confidentiality, integrity, and availability of critical assets. Organizations should also be mindful of what is happening to other companies in their industries. In critical infrastructure sectors, Information Sharing and Analysis Centers (ISACs) have begun to grow, and they share a wealth of information about sector-specific attacks and trends. A goal of the ISACs is to eliminate the root causes of failure that have led to compromise, take corrective action, and verify control effectiveness to ensure that the issue does not recur.
This concept has been around in the quality and computer security industries since the 1960s and has proven to work time and time again. Over the past few years, breaches and service disruptions have also pointed to several recurring cyber hygiene practices that require more organizational attention, discipline, and industry action. There has been a tremendous industry call to action for information security teams to share cyber information so that organizations can be better informed and react faster to breaches that impact specific industries. This sharing has surfaced the following focal points:
• A lack of patching of systems and applications has been identified as the root cause of many compromises. Better managing and minimizing the number of vulnerabilities at each organization is an extremely important cyber hygiene practice.
• Maturing the practices that identify, reduce, and better protect private information, such as credit card data or personally identifiable customer data, in a business environment is critical to personal security and to the reputation of organizations that manage customer information. Solutions that encrypt and tokenize data should be considered.
• Another weakness that has been raised repeatedly is system and network access. Organizations must limit, better authenticate, and improve monitoring of administrative, privileged, and third-party access to systems and networks.
• The data from a wide variety of breach investigation reports also shows that organizations must improve their ability to detect compromises and attacks, and respond quickly to minimize damage.
The goal of these basic cyber hygiene practices is to provide a focused, risk-based approach to layering security and to learn from what others are doing. Historically, defense in depth focused on technology decisions; the framework helps to identify and then better guide cybersecurity decisions based on people, process, and technology.
Where Do We Go From Here?
The U.S. government is also helping to set the tone for where we go next with the recently announced “BuySecure” initiative. Government agencies, too, are rapidly shifting to EMV-enabled payment cards for staff and consumer benefits programs to help drive the market towards more secure payment systems. With initiatives like BuySecure and the work of the various ISACs, we have seen a significant increase in awareness and in the availability of tools and guidance to address the cybersecurity problem that critically affects every organization. Available research and security insights have provided relevant examples of focus areas, and the framework helps organizations implement basic cyber hygiene practices.
Where do we go from here? With greater awareness and better tools, many companies have started assessing how they are doing, determining their risk appetite, and deciding what they need to do next to stay a step ahead of cybercrime. If your organization does not want to fall behind, your next step should be to follow suit.