A special guest blog from @RoseSecOps - Discovering Security Needs for Small & Medium Organisations
The scene opens with a nervous owner looking to the IT manager: “Are we secure?” “I’m not sure” is the response...
Throughout my career I have watched this scene play out across multiple companies, industries, and even across continents. The reality is that there is no perfect solution, no way to remove all risk, no ‘unhackable’ technology.
Organisations often suffer from a lack of foundational requirements for security, such as an absence of appropriate documentation. Add to this the constant news of data breaches, which continues to spread fear, uncertainty, and doubt (FUD). This FUD in turn often leads to small, or even medium-sized, organisations becoming paralysed with fear, and so taking no action to protect themselves. As you can imagine, this lack of action simply puts your organisation in a worse position.
But it does not have to be this way. There are ways to manage privacy and improve security that work for the individual, right up to large organisations. Covering the top three considerations, we will discuss in detail how to embed privacy and security effectively within your organisation:
The number one frustration I see time and again within organisations is the challenge of effective communication. At times I have even described my role as a translator: speaking to the Board to understand what privacy and security ‘success’ looks like for them, then speaking to technical and operations teams to see what they view as success, and finally sharing each side’s perspective with the other. There is a universal language that minimises this potential disconnection: the language of risk.
Organisations and people understand risk: they realise that you cannot remove all risk, but must instead balance risk against reward for your situation. The same mindset applies to security risks: recognising which risks are acceptable, identifying which need to be mitigated and/or minimised, targeting those that must be removed, and finally those that simply need to be transferred. At a foundational level, this is all about identifying the risks to the organisation and understanding how mature the security controls and processes that mitigate them are. To begin solving this potentially massive challenge, organisations should start with:
A. Recognise what security and privacy success looks like to the organisation and the operations teams
B. Identify the acceptable level of risk, including a documented risk statement
C. Document the risks and the action plan: which risks are removed, which are transferred, which are covered by security controls, and which must be addressed with policies, procedures, and technology
Prioritisation & Measurement
I am unable to count the number of times I have come into an organisation and been handed a penetration test and/or audit report that identifies critical vulnerabilities that need to be addressed, with no action plan to remediate them. This can lead to the organisation being overwhelmed, unfocused, and ultimately abandoning hope. Unfortunately, we all have financial budgets, team capacity, and skill limitations, making it challenging to handle a variety of risks, concerns, and future considerations. Even after these issues have been recognised within a report, the next steps can be hard to map out. To identify a priority of action, I look at the following three key areas:
A. Attack Surface: will a malicious actor require physical access to something during specific hours, or is the weakness open to remote attack with few restrictions? This might sound obvious, but consider this example: an organisation’s laptop hard drive is encrypted, but the password used to decrypt it does not follow the organisation’s policy on complexity and length. Secondly, there is no multi-factor authentication configured for remote logins. Both are concerns for data loss, and both are high risk, but the first requires physical access to the device, whereas the second is open to anyone who can reach the logon portal.
B. Likelihood of Incident: I imagine this is pretty universal: how likely is it that something will happen, and therefore what should be addressed first? I highlight it because we must remember that threat maps and threat actors vary depending on your unique environment, so do not simply go by what others suspect. Make sure you have your own detailed risk register of what the organisation faces.
C. Impact of Incident: this can come in many forms. It can be damage to your reputation, possible downtime while the organisation recovers, and/or a specific financial impact, including regulatory action. These are all things to consider when prioritising mitigations and remediations against the identified risks.
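The three prioritisation factors above, together with the documented acceptable level of risk from the first section, are exactly what gets lost when a report lands with no action plan. As an added example (my illustration, not the author’s tooling or anything from the original post), the Python module below keeps a small risk register in which every finding carries an attack-surface class, a likelihood, an impact, a treatment and an owner; it scores and ranks the findings, and flags any finding marked ‘accept’ whose score sits above the documented appetite or that has no owner. The 1–3 exposure weights, the 1–5 scales, the appetite threshold of 10 and the four sample findings are all assumptions, constructed from the laptop passphrase and missing-MFA example in the text.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Attack surface: what does an attacker need before the weakness is reachable?
# The weights are an assumed 1-3 scale for illustration, not a published standard.
EXPOSURE = {
    "internet": 3,       # anyone who can reach a logon portal or service
    "authenticated": 2,  # needs an account, a foothold, or network position
    "physical": 1,       # needs hands on the device or the site
}
# The four treatments named in the post: accept, mitigate/minimise, remove, transfer.
TREATMENTS = {"accept", "mitigate", "remove", "transfer"}


@dataclass
class Finding:
    finding_id: str
    title: str
    exposure: str                   # one of EXPOSURE
    likelihood: int                 # 1 (rare) .. 5 (almost certain) in *this* environment
    impact: int                     # 1 (negligible) .. 5 (severe): reputation, downtime, cost, regulator
    treatment: Optional[str] = None
    owner: Optional[str] = None

    def score(self) -> int:
        """Exposure x likelihood x impact: 1..75 on the assumed scales."""
        return EXPOSURE[self.exposure] * self.likelihood * self.impact


def validate(findings: list[Finding], risk_appetite: int) -> list[str]:
    """Return the gaps that turn a report into a missing action plan: every finding
    needs a recorded treatment and an owner, and 'accept' is only valid at or below
    the documented appetite."""
    problems: list[str] = []
    for f in findings:
        if f.exposure not in EXPOSURE:
            problems.append(f"{f.finding_id}: unknown exposure '{f.exposure}'")
            continue  # score() would fail; nothing else is meaningful for this entry
        if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
            problems.append(f"{f.finding_id}: likelihood/impact outside 1..5")
        if f.treatment not in TREATMENTS:
            problems.append(f"{f.finding_id}: no valid treatment recorded")
        elif f.treatment == "accept" and f.score() > risk_appetite:
            problems.append(
                f"{f.finding_id}: accepted at score {f.score()}, above appetite {risk_appetite}"
            )
        if not f.owner:
            problems.append(f"{f.finding_id}: no owner assigned")
    return problems


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest score first; ties go to the more exposed, then the higher-impact finding."""
    return sorted(
        findings,
        key=lambda f: (f.score(), EXPOSURE[f.exposure], f.impact),
        reverse=True,
    )


# Constructed sample register: the two findings the post contrasts plus two more.
SAMPLE_REGISTER = [
    Finding("F-01", "Laptop disk-encryption passphrase below policy length",
            "physical", 2, 4, "mitigate", "IT manager"),
    Finding("F-02", "Remote logon portal has no multi-factor authentication",
            "internet", 4, 4, "mitigate", "IT manager"),
    Finding("F-03", "Legacy file share readable by all staff",
            "authenticated", 3, 3, "accept", None),
    Finding("F-04", "Public website reveals server version banner",
            "internet", 2, 1, "accept", "Web lead"),
]
RISK_APPETITE = 10  # assumed documented threshold: scores at or below this may be accepted


def report(findings: list[Finding] = SAMPLE_REGISTER,
           risk_appetite: int = RISK_APPETITE) -> list[tuple[str, int]]:
    """Print the gaps and the ranking; return the ranked (id, score) pairs."""
    for problem in validate(findings, risk_appetite):
        print("PROBLEM:", problem)
    ranked = [(f.finding_id, f.score()) for f in prioritise(findings)]
    for finding_id, score in ranked:
        print(f"{finding_id}: {score}")
    return ranked


if __name__ == "__main__":
    report()
```

Run as a script it ranks the missing-MFA portal well above the laptop passphrase, even though both carry the same impact, because the exposure weight captures the physical-access prerequisite the post describes; it also refuses to let F-03 sit quietly as ‘accepted’ with no owner and a score above the appetite. The weights and scales are the part to replace with your own agreed values once the risk statement from the first section is written down.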
As mentioned above, awareness of possible threats isn’t enough: organisations and individuals need to understand how that knowledge applies directly to their own environment. What is the threat landscape, and what are the regulatory requirements? Why do regulatory requirements matter? Consider your financial situation again: if you have implemented foundational security and are then breached, the impact of the breach should be reduced, and so should the costs, including legal fees; essentially you need to be able to claim that you did your best, while accepting that nothing is perfect.
The reality is that technology is a massive part of our lives, as we all know, but so too is security. We must proactively acknowledge our gaps, identify where improvements are needed, and seek out solutions to enhance our environments. Our organisations, our environments, and our people must be aware of the vital part security plays within our connected world today, and be ready to embed security and privacy from the conception of an idea, not simply at the end as a final thought.
Zoë Rose is a highly regarded hands-on cyber security specialist who helps her clients better identify and manage their vulnerabilities, and embed effective cyber resilience across their organisation. Whilst retaining deep technical expertise, Zoë has extensive experience in designing and executing cyber security awareness programmes that help people become more aware of cyber threats, and in uplifting critical cyber security processes and ways of working. She also has experience in maximising the value and effectiveness of technical cyber security controls across a variety of programmes and industries.
Rose is a Cisco Champion and certified Splunk Architect, who frequently speaks at conferences. Recognised in the 50 most influential women in cyber security UK, and the PrivSec 200, Rose is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens. Follow her on Twitter @RoseSecOps