Top Cyber Security Risks for Businesses

    Cyber security risks are something most organizations are struggling to figure out. What I see happening in a lot of organizations is a lack of understanding of what bad things can happen and what the impact will be.

    The reasons for this differ across organizations, but the most common reasons I see are lack of training, staff, and budget. There is very much an old school approach to security being taken in a lot of organizations, where “security” is the responsibility of IT and nobody is driving it forward.

    Inevitably this leads to a breakdown in the confidentiality, integrity, and availability of the systems, network, and data in some capacity. More often than not, the end result is ransomware or a breach.

    In this post I’ll talk about the biggest issues I see in most organizations from a consulting perspective.

    Your Organization is a Target

    Traditionally, smaller businesses weren’t an appealing target for threat actors. That changed when ransomware arrived on the scene. Smaller organizations are a more appealing target for ransomware because they typically have less budget to spend on backing up their data, business continuity, and disaster recovery.

    When a small business experiences ransomware, more often than not, they are forced to pay the ransom to recover their data and return to normal operations. If it’s not ransomware, the second favorite cyber attack of threat actors is crypto mining malware that runs silently on the systems, consuming resources and mining cryptocurrency for the attacker.

    Cyber Security Budget

    Many of the organizations I consult with aren’t aware if they are over invested or under invested in security. Over investment takes funds away from other strategic business objectives, while under investment incurs too much risk for the organization.

    Over investment isn’t a difficult problem to solve, but under investment can be challenging to rectify. The best approach to determining where you stand is to map out the maturity of your organization in relation to what the industry is doing. I’ll use the NIST Cybersecurity Framework functions to measure the maturity of the security program:

    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

    Next, I’ll map the maturity levels of 0-5 using the Capability Maturity Model, where 0 is the least mature and 5 is the most mature. Most organizations should strive for a maturity level of 3 across the five functions of the NIST CSF. If you are not at level 3, you are under invested in that particular function. If you are at a 4-5 maturity level for a particular function, you might be over invested in that function.

    Patching and Vulnerability Management

    An effective cyber security program includes patching and vulnerability management. Unpatched vulnerabilities provide opportunities for threat actors to compromise your systems and networks. Even in the best organizations I see about a 75% success rate. In an organization that lacks patching and vulnerability management, the risk of a breach is considerable.

    A successful patching and vulnerability management program starts with asset inventory. You need to know what assets you have, and then you need a way to identify and monitor your patching and vulnerability exposure and your remediation progress.

    The bigger answer to this is to have an information security program that includes a patching and vulnerability policy, but that’s a larger conversation I’ll get to later in this post.

    Email Security

    Every breach I worked in 2020 included malware, phishing, or spam as the entry point into the organization. This indicates a lack of technical controls at the email server, as well as a lack of the administrative control of a security awareness program.

    If you are hosting email in house with no spam filtering, anti-malware, or other technical controls, now is a good time to consider outsourcing email to Office 365 or Google Apps. The benefits are less maintenance, more security, and reduced costs and administration time.

    As for the security awareness issue, I’ll address that later in this post when I discuss the overarching security program organizations should have.

    Data Backup, Testing, and Recovery

    What I also witness during incident response in a lot of organizations is a lack of a backup plan, backup retention, and testing of backups. The problem is usually a lack of understanding of what their mission critical data is. This goes back to the lack of a mature security program.

    Organizations that are backing up their data usually fail to test their backups due to a lack of time and a lack of staff. This is something that should also be addressed in the overall security program for the organization, or perhaps outsourced to a third party for business continuity and disaster recovery purposes.

    BYOD Cyber Security Risks

    Mobile devices are growing in popularity as an entry point for threat actors, and careful consideration should be given to BYOD programs.

    While there is a lot of benefit to BYOD (bring your own device), there are also a lot of risks. The main issues are co-mingling of data, eDiscovery, terminations, data security, and mobile device management.

    Mobile device management is critical if you allow employees to utilize their own mobile devices for work purposes. You should also include a mobile device threat prevention solution that detects and prevents malware, phishing over text message (smishing), and rooting or jailbreaking of mobile devices.

    Also consider a VPN for secure connections from the mobile device back to the corporate network.

    No Cyber Security Program

    This is by far one of the most common problems I encounter when consulting with small, medium, and even large enterprise level businesses.

    There should be an overarching policy from the executive level stating that the organization understands the importance of cyber security and will have a cyber security program.

    A typical cyber security program should include:

    • Security Awareness
    • Business Continuity and Disaster Recovery
    • Physical Security
    • Acceptable use policies for email, Internet, and mobile devices
    • Password policy
    • Encryption Policy
    • Cloud Storage and provisioning policy
    • Incident response policy
    • Vendor Management Policy
    • Cyber Risk Appetite Statement

    The above is not a comprehensive list, and it will differ from organization to organization. Preventing breaches, business impact, and security incidents starts with risk assessments and a cyber security program.

    Having a formal security program also means having someone in charge of security to drive it forward. This is usually a CISO or vCISO, depending on the size of the organization.

    Treating Cyber Security Like an IT Issue and not an Enterprise Risk Management Issue

    The days of security being an IT issue are long gone. Security has to work across the entire organization, and that includes legal departments, risk departments, HR departments, eDiscovery, data loss prevention, and forensics when needed.

    Security is a part of strategic business objectives like mobile applications, BYOD, cloud initiatives, and risk assessments. In today’s modern environment, security has responsibilities for regulatory, compliance, legal, privacy, risk management, and IT security matters.

    Today’s security teams must have a technology focus as well as a business focus.

    Reporting to the Board

    Reporting to the board about the effectiveness of the cyber security program is extremely important for organizations to understand. Typically you have about 15 minutes for a board presentation, so it’s critical to send the right message using the right approach and terminology.

    You can set yourself up for success by utilizing industry standard approaches for the information security program, such as the CIS Controls, NIST CSF, and Capability Maturity Model, to communicate the state of security to the board.

    The board understands and trusts industry standard approaches, and they have key questions they need answered:

    • How do we compare to our competitors from a cyber security perspective?
    • What is security doing to prevent a breach and keep us out of the news?
    • How is security reducing risk for key business objectives?

    Getting Buy In from Boards and Executives

    In today’s cyber security environment, boards and executives can be found liable for not performing their due diligence or their duty to monitor cyber security risk for the organization.

    This is something security leaders need to use to their advantage to get the support, backing, and budget for the cyber security program. This goes back to the need to treat security as an enterprise risk management issue and not just an IT issue.

    One of the best tools you can use for this is the NACD (National Association of Corporate Directors) Cyber Risk Oversight Handbook. This handbook has the advice and guidance that boards and executives should follow to ensure security has a strategy and plan that aligns with enterprise risk management.