Nearly daily headlines about hacker attacks, the continuing Snowden WikiLeaks revelations and large-scale data breaches such as the recent Target fiasco are unnerving many executives. News of these ostensibly unstoppable events is creating paranoia and uncertainty in many executive suites about how best to protect businesses against cyber-attacks.
Executives listen to many polished sales pitches from security consultants. Often these pitches leave executives more bewildered than enlightened as a result of excessive fear-mongering and confusing techno-babble.
On one hand, every executive wants to reasonably protect the business’s data and its reputation. On the other hand, executives always worry about being sucked into over-reaction and over-investment.
Here’s a pragmatic multi-layered approach that will reduce the risk and impact of cyber-attacks. Each successive layer introduces increasing cost and management complexity to further reduce risk and impact.
Implement the basics
First, every business can start by implementing these four basic protective measures, as described in a recent Economist article, to materially reduce the likelihood of a cyber-attack:
1. Educate employees about cyber-risks.
2. Ensure that only approved programs can run on the computing infrastructure.
3. Regularly patch all software.
4. Constantly monitor network traffic.
Reinforce professional conduct from employees
Next, since employees are often complicit in data breaches, either innocently or deliberately, businesses can raise defenses through the following actions:
1. Develop an online code of conduct policy.
2. Ensure all employees and contractors understand and sign the policy.
3. Monitor the web surfing and email activities of employees and contractors.
4. Implement strong passwords that expire regularly.
Protect intellectual property
Third, businesses need to protect the intellectual property (IP) they own. Consider these additional measures:
1. Develop an IP management policy.
2. Ensure all employees and contractors understand and sign the IP policy.
3. Operate with separation of duties that makes theft more difficult.
4. Implement encryption of communication.
Defend against Advanced Persistent Threats
If your business has been targeted by Advanced Persistent Threats (APTs), then further, significantly more expensive counter-measures will be required. The objective of APTs that target businesses is usually significant financial gain. APTs are characterized by a high degree of stealthiness over a prolonged period of time. APTs are most often initiated by Internet-based malware infection.
Defending against APTs requires a more sophisticated infrastructure and more staff to operate it. These analysis steps will determine the extent of the APT defenses that your business will need:
1. Understand the business impacts of APTs.
2. Estimate your business’s likelihood of being attacked.
3. Identify the gap between current security measures and what is needed to reasonably defend against APTs.
4. Prioritize high-risk gaps to focus resources and effort.
5. Develop a layered security system to prepare for and defend against APTs.
6. Develop a defined process to respond, recover, investigate and learn from APTs.
For a more detailed discussion on how to strengthen your business defenses against cyber-attacks, download this Government of Canada guide.
What do you think? Am I under- or over-stating the risk and the required responses?