Lack of Business Continuity Mindset

Because many organizations either think they might get away without being targeted or that there is a fix-all program they can install to protect themselves, they often do not spend enough time thinking about what their response should be in the event of a cyber attack. For example, with the rise of social engineering attacks such a scam emails disguised as legitimate correspondence from reputable institutions, the risk of attacks is only increasing. According to FireEye researchers, for example, one in every 100 emails sent around the world is meant to deliver malware or commit a cyber crime. So, while company-wide training and planning is important to minimize the risk of an attack occurring, organizations need to ensure a plan is in place to deal with the aftermath of a successful attack and ensure their data is still accessible. 

I like to think about the likelihood of a successful cyber attack like this: if someone is dedicated enough to target an enterprise and is willing to go all-out in order to make it happen, the best technological tools available on the market may not be enough to mitigate the risk of a successful attack actually taking place.

Thinking Holistically About Cybersecurity and Compliance

Cybersecurity needs to start with the top down. When I work with customers, I always start with a gap analysis where we review, over a three-month period, all aspects of cybersecurity that are relevant to them. Once that review is complete, however, it is important to ensure that there are significant leadership stakeholders within that enterprise who are willing to buy in to this paradigm. After all, security is a combination of protocols, programs and training, not simply the deployment of a tool like an antivirus program or an AI-based security application. Having an executive who can own and champion the cybersecurity paradigm for the organization is critical.

Once a company’s leadership is truly on board, cybersecurity starts with the physical. Whether a company operates its own on-premise data center or relies on a third-party provider, here are some best physical security practices applicable to both:

• 24/7 video surveillance of the data center with an appropriate footage archive
• Multi-factor access control involving key cards, locks and biometric authentication, with the ability to add such protection incrementally
• Required presentation of government-issued photo ID for all visitors
• Constant testing of all physical controls
• Annual Threat Risk Vulnerability Assessments with remediation planning
• Periodic employee Security Awareness training

Of course, for full effect, these protective measures need to be coupled with a strong emphasis on ensuring full compliance with applicable regulatory standards. In my view, compliance regulations are an underrated yet extremely valuable component in minimizing the risk of human error and guiding an enterprise’s internal security initiatives.

The Move to Global Compliance Frameworks

Meeting compliance mandates not only ensures maximum security and availability but also enhance an organization’s reputation in the eyes of its clients. Here is a list of the most common standards that organizations and third-party data center providers should be compliant with, depending on the sectors in which they are involved:

• NIST 800-53PE and FISMA
• SSAE-18 (SOC1) / ISAE 3402
• PCI DSS
• HIPAA
• HITRUST
• ISO27001

Although all of these are important, ISO27001 is one of the main compliance standards I like to promote, mainly because it is a global standard as opposed to a US-centric one. For those who may be unfamiliar with it, ISO27001 is a technology-neutral framework that is designed to assist enterprises in establishing, maintaining and improving an information security management systems (ISMS). Overall, ISO 27001 brings information security under management control and gives specific requirements that, if met, are awarded with an accredited certification. As a result, it fits with the overall paradigm that cybersecurity is a question of overarching management processes and not just technical IT solutions. Think back to 1970 when the US government passed the Occupational Safety and Health Act, making employers legally accountable for providing employees with an environment free from identified hazards. In a similar fashion, global frameworks like ISO27001 are doing the same for the field of cybersecurity.