Cybersecurity: The Quick and the Dead

Posted by Robert Statica

More than two million people were affected by cyber crime in the UAE last year, and not a week goes by without a report of a business having its files hacked or leaked. The UAE, as a global business hub and point of exchange, is particularly exposed to attackers from across the world. CEOs and their colleagues in IT and cybersecurity simply can't afford to wait until they become the victim of an attack: the financial and reputational costs are too large. They should take proactive and rapid measures to protect their businesses, and there are some basic steps they can take.

It’s very common for companies not to really understand the full extent of their computer systems; the pace of technological advancement means that new and old systems are often patched together in ways that may have been expedient at the time, but retrospectively appear chaotic. To develop a full cyber-defense strategy, companies need to fully understand their systems so they can conduct a risk assessment. The three big questions are: What data is in your environment? Who has access to it? And how is it configured? Once a company finds answers to these questions it can begin to develop an integrated strategy including monitoring, mitigation and response.

Cybersecurity should no longer be conceived as a purely passive activity; companies need to anticipate attacks through proactive intelligence gathering. There is no single source of cyber-threat intelligence or vulnerability information, so a program needs to be established to identify and capture the sources most appropriate for your organization. These could include open sources, academic and research institutes, government agencies, commercial feeds, and industry information-sharing programs.

People will remain the greatest source of vulnerability for many companies, usually through careless practice rather than malice. All employees should be given cybersecurity awareness training so they don't fall victim to the more common attacks such as phishing, where criminals pretend to be emailing from a trusted source in order to obtain information and system access.

Often, sound policies are the best defence against human error or criminal behaviour. Businesses should hold to the rule of least access (the principle of least privilege), combined with robust data classification; in short, employees should only have access to the data they need to do their jobs effectively. An operations manager doesn't routinely need to see the work of a financial controller, and vice versa.

It's also essential that all data in a system is classified at the appropriate level and, most importantly, that real controls and processes are in place to prevent employees from accidentally breaching these rules. Too often, stretched resources mean that these processes fall by the wayside.
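The two rules above (a classification ceiling plus need-to-know) are easy to state but only protect anything when they are enforced in code rather than left to good intentions. The following is an added illustration, not code from the post or from DarkMatter: a small deny-by-default access check in which every read is decided by a single function and recorded in an audit trail. The classification levels, departments, employees and documents are all hypothetical values constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    """Classification levels; ordering matters (higher = more sensitive)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    # Need-to-know: only these departments have a business reason to read it.
    departments: FrozenSet[str]


@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Level
    department: str


@dataclass
class AuditLog:
    """Every decision is written here, including denials, for later review."""
    entries: List[Tuple[str, str, bool, str]] = field(default_factory=list)


def decide(employee: Employee, doc: Document) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; both rules must pass."""
    # Rule 1: classification ceiling. An INTERNAL clearance never reads
    # CONFIDENTIAL data, regardless of which department the reader is in.
    if employee.clearance < doc.level:
        return False, f"clearance {employee.clearance.name} below {doc.level.name}"
    # Rule 2: need-to-know. Sufficient clearance alone is not enough; the
    # reader's department must be one the record actually belongs to.
    if employee.department not in doc.departments:
        return False, f"department {employee.department} has no need-to-know"
    return True, "ok"


def read_document(employee: Employee, doc: Document, audit: AuditLog) -> str:
    """The only code path that hands out document contents."""
    allowed, reason = decide(employee, doc)
    audit.entries.append((employee.name, doc.name, allowed, reason))
    if not allowed:
        raise PermissionError(f"{employee.name} -> {doc.name}: {reason}")
    return f"contents of {doc.name}"  # stand-in for the real payload


# Constructed sample data (hypothetical people and records).
OPS_MANAGER = Employee("ops-manager", Level.INTERNAL, "operations")
CONTROLLER = Employee("financial-controller", Level.CONFIDENTIAL, "finance")
AUDITOR = Employee("auditor", Level.RESTRICTED, "audit")

LEDGER = Document("q3-ledger", Level.CONFIDENTIAL, frozenset({"finance"}))
SHIFT_ROTA = Document("shift-rota", Level.INTERNAL, frozenset({"operations"}))
NOTICE = Document("holiday-notice", Level.PUBLIC,
                  frozenset({"operations", "finance", "audit"}))


def run_demo() -> AuditLog:
    """Exercise the policy; returns the audit trail so it can be inspected."""
    audit = AuditLog()
    for who, what in [(OPS_MANAGER, LEDGER), (CONTROLLER, LEDGER),
                      (AUDITOR, LEDGER), (CONTROLLER, SHIFT_ROTA),
                      (OPS_MANAGER, NOTICE)]:
        try:
            read_document(who, what, audit)
        except PermissionError:
            pass  # the denial is already in the audit log
    return audit


if __name__ == "__main__":
    for entry in run_demo().entries:
        print(entry)
```

Note that the auditor, despite holding the highest clearance, is still refused the ledger: clearance sets a ceiling, and need-to-know narrows it further. The denied attempts are logged as well as the successful ones, which is the control that lets stretched teams spot misconfigured labels or over-broad roles after the fact.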

Finally, businesses should ensure that they keep their encryption technology up to date and deployed across the full range of equipment employees actually use. Increasingly, employees work on smartphones and laptops rather than at desktop PCs, so it's vital that mobile equipment is encrypted and that the accompanying processes are observed. The best encryption in the world can be thwarted by a default or weak password.

There's no magic bullet for cybersecurity, but the key is for firms to be proactive before they become victims of an attack. External providers can be valuable here, as they offer expertise and breadth of knowledge that is often impossible to build within a single company. Firms can find many allies in their quest to upgrade their defences; the real sin is to simply do nothing.

About the author

Dr. Robert Statica has more than 25 years of experience in cyber security and information assurance, engineering, cyber counterterrorism, higher education and senior corporate leadership in both the private and public sectors. He is DarkMatter's Senior Vice President of Technology & Research.


Tags: security awareness, mobile security, threat intelligence
