How to Avoid a False Sense of Cyber Security: The Management View

The complexity of today’s cyber environment has grown exponentially in recent years, making it extremely difficult for a nonprofessional to handle. Businesses must not adopt a casual approach towards cybersecurity; rather, they should deal with it through a planned, methodical strategy.

What should be the correct approach?

Cybersecurity is not just about knowing the prevalent threats and the best available safeguards. Neither is it an area to be left solely to the IT department. The complexity of cybersecurity must be understood by C-suite executives and other upper management, many of whom have no substantial experience with IT. So, what is the correct approach to handling this problem?

The answer is that, for executives and top management, cybersecurity should always be dealt with like any other conventional threat to their business goals; the technical details are unnecessary at that level. This stance towards cybersecurity allows executives to feel at ease regarding the complexity and technicality of the subject while keeping the organization well prepared to deal with cyber threats.

Recommended Approach

What are your business goals?

Before tackling any business problem, executives focus on the business goals. By contrast, IT and other departments are focused on their specific areas rather than on the overall goals of the business. Because of this limited scope, when individual departments are given complete initiative for tackling organization-level problems, they can sometimes solve the problem for their department but wind up causing more damage to the business as a whole. Therefore, executives and top management must work together to ensure that individual departments, including the IT security department, have a proper understanding of the big picture and their place in it. This should help reduce and clarify the threat environment for everyone.

What is the value of the assets to be protected?

Customer credit card data, business transactions, trade secrets, or even information gathered from a customer through a website are all examples of IT assets that must be identified by top management, with the help of the IT security department. Each asset should either be assigned a dollar value or be graded from 1 to 10 based on its criticality. The value assigned to an asset is not its exact cost; rather, it includes factors such as development and maintenance costs, value to rivals, and potential legal problems arising from the asset’s loss or compromise. Valuation provides executives with a clear view of each asset’s priority and allows a cost-benefit analysis to be performed later, after the costs and values of safeguards have been calculated.

What are the relevant threats and vulnerabilities?

Threats are circumstances that can impact assets in such a way that the business experiences some loss. On the other hand, vulnerabilities are defence weaknesses that an attacker can exploit. For example, if virus infection is the threat, then a related vulnerability would be lack of antivirus software on the system.


Internet of Things (IoT) and its Implications

It was only a decade ago that the Internet was primarily used and accessed by desktop and laptop computers. Today, mobile devices (phones, tablets, etc.) are quickly becoming the bulk of the devices connected to the Internet. Additionally, many types of sensors, instruments and devices are also seeking Internet connectivity.

However, some of the most significant Internet-related growth in the coming years will come from what is called the Internet of Things (IoT): a multitude of objects connecting to the Internet, some of which are hard to imagine even now, such as refrigerators, microwave ovens, bridges, traffic signals and lights, and gates. IoT allows users to sense and control objects through existing network infrastructure, such as the Internet, with expected results including increased efficiency, better accuracy and added economic benefits.

What could be the ‘things’ in IoT?

A wide variety of objects are included in IoT. These objects are “things” such as sensors, automobiles, environment-monitoring devices, household utility devices, or medical instruments like cardiac monitors. These “things” can be a mix of hardware, software and services. Any object with a sensory component and some associated data can be part of IoT. For example, a refrigerator may need to sense conditions such as a change in temperature or the present position of food inside it, and it can have associated data about its internal temperature, the amount of food it holds, and other relevant information. A refrigerator with those capabilities would be a viable candidate for IoT.

How does IoT work?

IoT is the connectivity of candidate objects over a common network, such as the Internet. For those objects to be able to communicate on the network in an easily understandable language, special, concise interfaces must be prepared. Currently, connecting a candidate to IoT consists of hooking it up to the network, by wire or wirelessly, assigning it an IP address, and providing it with the bandwidth it needs to communicate. But there must also be agreement between the candidate and the rest of IoT regarding what data is to be communicated and how it will be understood by others on the network. For this agreement to work, IoT candidates must be prepared with the necessary languages, protocols, or other capabilities needed to communicate over the IoT. With the huge number of objects predicted to be on IoT in the near future, allowing so many objects to communicate with each other promises to be a gigantic task.

A reliable IoT requires the following components:

Network infrastructure

Today’s Internet, with its typical expansion rate, is the best-suited network for hosting IoT objects. However, it still leaves room for improvement. As more objects join the network, the backbone bandwidth must also be enhanced. Fortunately, the Internet has proven that it can accommodate such expansion with little trouble.


Why top management must look at the Data Breach Investigations Report

Leaving cybersecurity solely to the IT department is irrational in today’s competitive world. While it may be difficult for an executive with a non-IT background to have a firm understanding of IT security, the solution for executives is to leave the technical details to the technical staff while taking on the management of those technical matters themselves. Understanding the threat environment, including potential risks, is an important aspect of information security management. Careful study of resources like the Verizon Data Breach Investigations Report (DBIR) provides insight into the most predominant threats. This year’s report, DBIR 2016, discusses several major types of data breaches.

Phishing

Phishing is masquerading as a trusted entity in order to steal valuable information from that entity’s users or customers. The information can be usernames, passwords, credit card data, or other personal data. Normally, phishing is carried out through social engineering: techniques that persuade or trick a user into taking some action the user would not otherwise take, such as following a malicious link or opening an attachment containing malware.

The 2016 DBIR reports that phishing has mainly been used for installing persistent malware. Persistent malware is malicious software that keeps coming back regardless of efforts to remove it. Such malware is often able to modify the system registry, which is how it remains on the system for so long. Executives should know the prevalence of phishing and understand how malicious parties use it to place persistent malware on the organization’s systems and steal sensitive data from them. DBIR 2016 also recommends measures to curtail the phishing threat: isolate the infected system or systems and then disinfect them selectively.

Web Application Attacks

Web applications are a good way to reach customers and promote businesses. Today’s websites are dynamic and interactive; many require login credentials to view member areas with additional access and privileges. The downside of this additional access is the lucrative playground it creates for malicious parties. Stolen user credentials may compromise the backend web servers and enable attackers to gain a strong foothold within an organization’s systems.


Understanding the Information Security Workforce Gap

Why Information Security matters

In the last 20–25 years, information technology has flourished, as offices, businesses, industries and even households have become significantly automated. In addition, online connectivity has turned the world into a global village. Now, as the world moves into the era of the Internet of Things, it has become nearly impossible to operate in society without online connectivity. Even sensitive government and military organizations are having trouble staying isolated.

While the increased reliance on IT and connectivity often makes life convenient, with increased connectivity have come increased threats to the confidentiality, integrity, and availability of information. Automated systems with security loopholes can now cause greater disasters than were possible with the insecure, isolated, manual systems of the past. For example, losing an office laptop while traveling is significantly more problematic than losing a briefcase containing office documents. With lost documents, the loss stops with the documents; with a lost laptop, the potential impact extends to every system to which that laptop could connect.

The gap between bigger threats and limited staff

While many organizations, particularly government and military agencies, now recognize the need for information security, there are not enough information security professionals around the globe to meet current and anticipated requirements. As a result, some organizations must rely on inexperienced and unqualified information security staff, or they may have to outsource their information security matters.
