Cyber security & compliance vs. the cloud and gig economy

Suddenly our world is more complicated. Cloud apps, cloud infrastructure, gig economy IT staff across multiple continents. Add cyber security and compliance requirements… Arghh! We can help, read on.

At its most basic, if you use a cloud computing supplier then, depending on your contract, you may find that your data can be moved from one country to another at your supplier’s convenience, or that the levels of IT security protecting their different data centres in different countries vary. Plus your data and apps will be under different laws depending on location – for example, allowing a government agency to inspect your data as it crosses their borders. This can complicate matters for your own IT security compliance strategy and may also impact customer relationships, especially if you have international or public sector customers.

Different and more sophisticated security measures are needed for both IT infrastructure and applications if you use cloud computing resources. Are your existing staff and consultants using the right techniques? Pen test approaches, security architecture and compliance may all need to be reviewed if you incorporate SaaS (software as a service) or IaaS (infrastructure as a service) into your environment.

Similarly, the gig economy (or outsourcing, if you will) can create cyber security wrinkles. Consider using contract developers who bring their own laptops. How do you ensure that these laptops are clean and that any open source modules the contract developers use come from trusted sources? For obvious reasons, it can be hard to apply consistent endpoint security measures to devices owned by an employee or contractor.

We’ll be exploring these topics in much greater detail in a series of blog posts. Topics will include governance and compliance, privacy, forensics and incident response, security event monitoring, pen testing, threat and risk assessment approaches and application security.

Cyber Security 101 for Small to Medium Business

So you’re a small to medium sized organization – let’s say up to 500 employees. If you don’t have a cyber security program, where to start?

You need to discuss, plan and then act to ensure an appropriate level of cyber security for your operation. Repeat: act on your plan. Don’t be like the many who wait for a crippling event, such as a breach or a ransomware attack that brings an operation to a grinding halt and rips customer and employee confidence to shreds, and only act after the fact.

So you need a cyber security program and it needs to be acted upon. What are some of the key elements?

If you have no plan at all, a security threat and risk assessment (often called a “security assessment” for short) is a great place to start. A security assessment looks at the business you are in, what sort of information you manage and your reliance on IT systems, and the relevant legal and regulatory requirements. With that in mind, the assessment takes a look at how your IT is operated and managed to identify any major risks faced by the business and makes recommendations on how to address the worst risks. A good assessment will give you a high level action plan. Once you know the risks you can prioritize how to address them within the constraints of your business plan.

It’s a good idea to repeat an assessment periodically, depending on how quickly your operation is growing and how quickly the field in which you operate is changing.

At least once a year you should have a pen test, short for penetration test and sometimes called “ethical hacking”. A pen test simulates the attempts of a hacker to get into your IT systems and disrupt their operation or steal information. It can range from a fully automated process through to a more complex undertaking involving customized approaches, depending on how attractive a target your business presents for possible cyber attackers.

None of this is new. But these basic measures will greatly help.

Positive Aspects of Cybersecurity

by Dominic Vogel, Chief Security Strategist, Cyber.Sc

Cyber Security is understandably thought of as a largely negative subject. We speak quite a bit about cyber attacks and data breaches, litigation, regulation and other post breach realities such as loss of customers and reputation. Cyber Security itself is widely perceived as a cost center or sunk cost which doesn’t produce an immediate return on investment. Today we would like to talk about the positive aspects of Cyber Security; how investing in proper cyber security is a business enabler which results in higher revenue for your organization. As we have said in a previous article (Cyber Security & The Value of Your Sensitive Data): “If you want to grow your market share, reach your business goals or just simply be able to maintain your everyday business operations and survive, then cyber security makes good business sense.”

Internet Connectivity

It seems like almost everything is, or can be, connected to the internet. The ‘Internet of Things’ and the Cloud are two realities that are rapidly increasing the rate of change in the way we do business. Each new smart device we bring online — smart phones, tablets, TVs, cars, thermostats, HVAC systems, refrigerators, medical equipment, FitBits etc. — gives convenience which can be leveraged by the end-user and data that can be leveraged by business. There is so much data that business can harvest and harness to understand their target customers and market their products more effectively. As more commerce is transacted on the internet, the global economy is increasingly taking place online. Traditional ‘brick-and-mortar-only’ businesses are on the decline while the number of online businesses is increasing. Operational efficiencies for businesses are also expanding with the combination of massive online platforms and the IoT.

Cyber Security ROI

From a security standpoint, with the number of connected devices rapidly on the rise, the number of access points for cyber crime is rising in direct proportion. This means that the ‘attack surface’ for cyber criminals is expanding every day. This is an obvious defensive motivation to invest in a good Cyber Security program, but there are also multiple positive, or ‘offensive’, reasons to do so. Your customers appreciate the technology-enabled products and services you are able to offer them. The ability to launch these products and services, and the continued availability of the enabling technology, is made possible by effective cyber security.

If your information, networks and business partners are secure, then your critical business processes are protected. This protection gives you the bandwidth to be proactive and focus on business development. Proactive and effective Cyber Security becomes a business enabler which creates business opportunities for growth. When you demonstrate, and even advertise, your cyber resilience, you can deepen trust with your clients and customers. You can then create new opportunities out of this level of trust to bring more useful products and services that your customers appreciate. When you meet and exceed customer expectations, the customers win, your revenue increases and you win.

Having a mature cyber security posture is also a difference maker in RFP and M&A scenarios. If you are putting out your services for tender or if you are an acquisition target for a larger organization, being secure as well as compliant with regulatory requirements gives you an important edge. When prospective investors and clients are looking at a secure company to partner with versus an organization with questionable security, they will choose the company that has taken proper security measures (all other things being equal). Although situations like these are disappointing and potentially devastating for the companies that get passed over, this is a life-changing advantage for the organization with the foresight to pay close attention to its own cyber security posture.

Rapid Risk Reduction

At Cyber SC, we understand the limitations and budget constraints organizations face. We focus on quick wins in the short term as well as mid- and long-term, big picture security program maturity. This Rapid Risk Reduction with a minimal amount of investment translates to a higher ROI for our clients. Not only does cyber security keep you up and running and in business, it lets you GO ON THE OFFENSIVE to grow the business and gain market share.

This article was originally posted on the Cyber.Sc blog. If you need help with your security strategy, please contact us and we'll hook you up.

IOT Blog Series - Part One - Familiarity, Visibility, Responsibility

This is the start of a series of articles about the Internet of Things (IoT). There is a lot of hype around risks associated with compromised IoT devices and the purpose of this series is to help executives and technologists deal with these risks in a holistic manner.

First, we should agree what IoT devices are. For the purposes of these posts I am going to define IoT devices as any device other than a computer, server or networking hardware that is connected to a network. Generally I’m looking at this from a business perspective although much of this thinking can be applied to consumer devices in and around the modern home.

Why is IoT different than the rest of the devices on my network?

  1. Familiarity

  2. Visibility

  3. Responsibility

Familiarity: Your typical IT department has many years of experience securing Windows desktops, installing anti-virus software and configuring the Cisco firewall that sits at the edge of a network. There are well established configuration standards, processes and experts within organizations to deal with these devices. IoT devices are often new to IT; they are often managed by a third party vendor, by the cafeteria staff (in the case of the wifi-enabled toaster) or by the building security contractor. Not only are the devices new to IT but so are the underlying technologies that power the devices. They’re often running less common operating systems, using protocols IT is less familiar with (RabbitMQ, Zigbee), and often IT is given no access to the devices at all.

The bottom line is that there is an unfamiliarity with the devices and the underlying technologies the devices rely upon.  Time and training will gradually address this issue.

Visibility: How confident are you that you have a detailed inventory of all the IoT devices on your network or that your organization relies upon to some degree? How long would it take you to discover a new IoT device had been added to your network?

Even in organizations that are aware that IoT devices carry a set of risks, teams are often surprised at how many internet connected devices are actually in their facilities.

Addressing the visibility gap is about automated detection tools residing in your network, policies about involving IT for any device with an IP address and keeping a detailed inventory of the devices. Second only to having an inventory, the most important next step is that the inventory identifies the responsibility hierarchy for these devices.

Responsibility: I think the biggest thing that is impacting the security of IoT devices is a lack of a clear responsibility hierarchy. If I asked you who in your organization is responsible for protecting your CEO’s Windows laptop from hackers you probably wouldn’t need to think too hard. Joe, our Chief Information Officer. Or Bill, our Network Administrator.

If I instead asked who is responsible for the security of the administration console for the IP video surveillance camera in your front lobby, or who is confident they are in control of all the access credentials for your building’s intrusion alarm, the answer would probably take a bit more thinking.

IoT devices are often introduced by a variety of people across the organization. HR brings in an Xbox and an internet enabled fridge for the staff party. The facility AV tech brings in a “smart TV” for the boardroom (that just so happens to have a camera and microphone connected to an internal computer that got a firmware update --- never). The generator maintenance technician connects the generator controller to the network for remote programming. The intrusion alarm company supplies the workstation that you program new building access fobs with. All these are examples of devices that are connected to the network but not necessarily ordered and managed by IT.

For every device on the network it is critical to identify who is responsible for:

  • Approval of the device being connected to the network

  • Identifying the storage locations of and approval for the collection of any personal or corporate information collected by the device

  • Device updates

  • Security review of the device

If the answer is the vendor, what level of trust do we have that the vendor will be doing security updates, rotating credentials when their staff leave, and so on?
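The visibility and responsibility points above come down to two checks: does the inventory match what is actually talking on the network, and does every inventoried device name an owner for each of the four duties listed? The script below is an added example, not code from the original post or from Sky Northern; the inventory rows, the `ip neigh`-style neighbour table snapshot, the MAC addresses and the owner names are all constructed for illustration. It parses the neighbour table, reports devices seen on the wire that the inventory does not know about, devices in the inventory that were not seen, and inventoried devices with no named owner for approval, data handling, updates or security review.

```python
"""Reconcile a device inventory against a network neighbour table and flag
gaps in the responsibility hierarchy.  Added example; all data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Every networked device needs a named owner for each of these four duties.
RESPONSIBILITIES = ("approval", "data_handling", "updates", "security_review")


@dataclass
class InventoryEntry:
    mac: str
    description: str
    owners: Dict[str, str] = field(default_factory=dict)

    def missing_responsibilities(self) -> List[str]:
        """Duties with no named owner (a blank owner counts as unowned)."""
        return [r for r in RESPONSIBILITIES if not self.owners.get(r)]


# Constructed inventory: what IT believes is connected, keyed by MAC address.
INVENTORY: Dict[str, InventoryEntry] = {
    "00:1a:2b:3c:4d:01": InventoryEntry(
        "00:1a:2b:3c:4d:01", "Lobby IP camera",
        {"approval": "Facilities", "data_handling": "Privacy officer",
         "updates": "CCTV vendor", "security_review": "IT security"}),
    "00:1a:2b:3c:4d:02": InventoryEntry(
        "00:1a:2b:3c:4d:02", "Boardroom smart TV",
        {"approval": "AV tech"}),          # nobody owns data, updates or review
    "00:1a:2b:3c:4d:03": InventoryEntry(
        "00:1a:2b:3c:4d:03", "Generator controller",
        {"approval": "Facilities", "data_handling": "Facilities",
         "updates": "Generator vendor", "security_review": ""}),
}

# Constructed neighbour-table snapshot in the Linux `ip neigh` output format.
# The last line has no resolved MAC (FAILED) and must be ignored by the parser.
NEIGH_SNAPSHOT = """\
10.0.5.21 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.0.5.22 dev eth0 lladdr 00:1a:2b:3c:4d:02 STALE
10.0.5.77 dev eth0 lladdr 00:1a:2b:3c:4d:99 REACHABLE
10.0.5.1 dev eth0 FAILED
"""

_NEIGH_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_neighbours(text: str) -> Dict[str, str]:
    """Map MAC -> IP for every entry with a resolved link-layer address."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NEIGH_LINE.match(line.strip())
        if m:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen


def reconcile(inventory: Dict[str, InventoryEntry],
              seen: Dict[str, str]) -> dict:
    """Compare inventory with the live view and check the ownership columns."""
    unknown: List[Tuple[str, str]] = sorted(
        (mac, ip) for mac, ip in seen.items() if mac not in inventory)
    absent: List[str] = sorted(mac for mac in inventory if mac not in seen)
    unowned = {mac: entry.missing_responsibilities()
               for mac, entry in inventory.items()
               if entry.missing_responsibilities()}
    return {"unknown": unknown, "absent": absent, "unowned": unowned}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_neighbours(NEIGH_SNAPSHOT))
    for mac, ip in report["unknown"]:
        print(f"UNKNOWN DEVICE  {mac} at {ip}: not in inventory, who approved it?")
    for mac in report["absent"]:
        print(f"NOT SEEN        {mac} ({INVENTORY[mac].description})")
    for mac, missing in report["unowned"].items():
        print(f"NO OWNER        {mac} ({INVENTORY[mac].description}): "
              + ", ".join(missing))
```

On a real network the snapshot would come from the output of `ip neigh` (or a DHCP lease export) run on a schedule, and a non-empty "unknown" list is the trigger for the "involve IT for any device with an IP address" policy; the "unowned" list is the audit of the responsibility hierarchy itself.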


This brings us to our next topic in the IoT Blog Series… Supply Chain Risk.

This article was written by Ryan Wilson, a member of the Sky Northern Security Alliance. If you'd like assistance looking at your IoT security, drop us a service request and we'll get in touch.