
    #100securedays Week 9

    “Cybersecurity is much more than a matter of IT.” – Stephane Nappo

    Here’s last week’s recap of #100securedays:

    Day 42: SQL injection is a traditional method in which a hacker executes malicious SQL statements to take over the website. It is considered a high-severity vulnerability, so protect your application with a SQL injection scanner.

    Day 43: Treat it like a health check-up. Don’t go with the assumption that it’s expensive or ‘we can worry about that later’. A breach can impact your business and might even cause it to shut down. Remember, a small gap is all a hacker needs, don’t give them that.

    Day 44: As the saying goes, prevention is better than cure. You never know who might be watching.

    Day 45: This can be annoying for most of us, but it is best practice. A hacker can try all sorts of credentials to enter the system, but if there is a limit, the system gets locked. If you don’t have this set up, speak to your IT department.

    We also added security tips while you travel this summer on your holidays. You can find that here.

    If you would like to speak to our security consultants on best practices to keep your business secure, please contact us to discuss your unique requirements.

    News

    Cybersecurity and the evolving challenges facing the CISO

    Cybersecurity has become increasingly critical for many organizations, with the effect that Chief Information Security Officers (CISOs) find themselves in prominent positions, often reporting directly to the Board and working with CEOs and CFOs on a daily basis.

    As the threat landscape becomes more complex, the risks to the business and the associated costs of those risks are also increasing, to the extent that mismanagement can have a serious effect on the organization’s bottom line.

    Organizations now rely more and more on IT, with Digital Transformation programs and initiatives in areas such as cloud, IoT and mobile computing allowing anytime/anywhere/any-device access. This brings greater complexity and expands an organization’s attack surface.

    Figure 1 CISO Security Challenges

    The boundary is no longer a corporate firewall; it is now down to an individual and their device. The increasingly complex IT landscape has resulted in a complex security landscape characterized by a range of point security solutions, often deployed quickly to address new security concerns. This leaves the CISO managing an often non-aligned security infrastructure, which reduces the organization’s overall security posture.

    This, coupled with an ever-evolving compliance landscape and a rapidly changing threat landscape, means that the CISO cannot rely on conventional security practices and must look to put in place intelligent, integrated and automated security solutions to handle the increasing volume of threats.

    Only by doing this can the CISO deploy a holistic overall risk management strategy that supports and doesn’t hinder business objectives.

    Achieving 100% security protection is close to impossible and so you need solutions that look to proactively prevent threats and work to detect and respond to them in a timely manner. At Ward Solutions, we have identified a four-stage security lifecycle to help the CISO to protect from, detect and respond to cyber threats.

    Figure 2 Security Lifecycle

    Despite this being a critical role, many organizations cannot afford to retain, or simply do not have a business justification for, a full-time, in-house Chief Information Security Officer (CISO).

    CISO as a Service (CISOaaS)

    Ward Solutions CISO as a Service provides your organization with the retained services of a highly trained and experienced senior consultant offering you a tailored and flexible strategic service.

    The service may be a full CISO service resource who is effectively your organization’s CISO, an augmentation resource, or a resource who can deliver their skillsets to complement the delivery of your information security program.

    News

    Why implement ISO 27001?

    ISO 27001 is the internationally recognized standard for Information Security that defines the requirements of an Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. When a company achieves its ISO 27001 certification this demonstrates the company is following information security best practice.

    ISO 27001 is highly recommended for your business, but first, you must assess where your organization stands when it comes to security and then see how this fits your needs.

    38% of global organizations claim they are prepared to handle a sophisticated cyber.

    The global average cost of a data breach is $3.86 million. Committing to implementing an ISMS and becoming ISO 27001 certified can significantly reduce the likelihood of a data breach or data incident occurring and, by default, reduce the associated costs of responding to and recovering from such a breach or incident.

    Here’s how ISO 27001 can reduce the risk to your information assets.

    By implementing an ISMS in line with ISO 27001, you are committing to building your approach to information security in line with an internationally recognized best practice standard. This commitment helps your business to effectively maintain the confidentiality, integrity, and availability of your information assets and that of your clients. Getting the most from your ISMS requires trained, competent and experienced ISO 27001 professionals.

    A successful ISO 27001 implementation requires Top Management support

    Here is another subject you can discuss at the next Board meeting. In order for your ISO 27001 program to be successful, Top Management must be fully involved and supportive of its objectives. Management needs to ensure that their colleagues throughout the business are adhering to the controls put in place by your ISMS.

    If you have a gap in these resources in-house, why not reach out to a trusted third party with skilled consultants who can assist you in all stages of your ISO 27001 journey, from design and scoping of your ISMS through to certification and beyond into operation and the continuous improvement phase?

    So set the right security goals for your business and consult with experts in the industry for analysis and input into your information security strategy.

    Know more about our service offering

    Ward has a large pool of trained, certified and experienced ISO 27001 consultants who assist many businesses to get certified in a timely and cost-effective manner. Speak to our ISO experts now: contact us or call 1800 903 552 to discuss your unique requirement.

    News

    #100securedays Week 8

    For every lock, there is someone out there trying to pick it or break-in. – David Bernstein, President at the Bernstein Agency

    Here’s last week’s recap of #100securedays:

    Day 39: Malicious advertising is the use of online advertising to spread malware. Without you realizing it, a tiny piece of code hidden deep in an advert makes your computer go to criminal servers. Be very careful of these kinds of ads!

    Day 40: 

    If you haven’t switched your website from HTTP to HTTPS, I suggest you do so soon. HTTP was the standard used for just about all URLs, but the data transmitted through HTTP is not encrypted and this can result in security breaches. This puts both the website’s owner and its visitors at risk.

    Day 41:

    CAPTCHA is a tool that differentiates robots from humans. Without this tool, bots or spam accounts can submit forms on the website, causing security risks. Introduce CAPTCHA!

    We also added security tips while you travel this summer on your holidays. You can find that here.

    News

    #100securedays Week 7

    People have a right to privacy but they also have a right to live. Fundamentally, we need cybersecurity and need to secure communications as well. – Michael Hayden

    Here’s last week’s recap of #100securedays:

    Day 34: Organisations are facing more security challenges today than at any time in the past: traditional defenses are not working, and new technologies introduce new risks. Have the right tools in place to detect and respond to threats within your environment. https://hubs.ly/H0jM-3h0 #100securedays

    Day 35: How do SIEM and compliance work hand in hand? SIEM solutions produce reports for demonstrating compliance with security and privacy frameworks such as ISO 27001 and GDPR. #100securedays

    Day 36: Prevent privilege escalation by removing and/or limiting privileges for business users and IT admins, and by protecting privileged accounts, without impacting productivity. We work with recommended partners like Thycotic. #100securedays

    Day 37: A backdoor is a method of bypassing normal authentication. Stop hackers from using backdoor accounts, and protect your organisation from being compromised. Make sure you secure passwords, protect endpoints, and control access. #100securedays

    Day 38: A Web Application Firewall (WAF) keeps the malicious traffic off your website. It is a layer of protection that sits between your website and the traffic it receives. #100securedays

    News

    Travel Tips from #100securedays

    How to stay secure while traveling?

    Summer holidays are on! Here are a few security tips from our #100securedays to help you stay secure during your holidays.

    Tip 1: Install a tracking app on your devices and make sure you have the right security controls on them, just in case they get lost or stolen. #100securedays

    Tip 2: Sharing so much information online can be risky, so keep it minimal. So much can be used and misused online; be aware of what you share and make sure your account is private.

    Tip 3: Don’t carry all your sensitive documents with you when you travel. Your passport, visas or residence permits (if required) are the most important documents, and the only ones you need with you. Even when it comes to your credit/debit cards, don’t take them all. Carry only what you need and lock it up in a safe place. #100securedays

    Tip 4: While you are on your holidays, try to pause mail deliveries that carry any sensitive information. Ask for the information to be delivered after you get back. #100securedays

    Tip 5: Make sure you keep a note of all your sensitive information, and keep that information encrypted in a secure place. This will make it easier to report if it’s lost/stolen. #100securedays

    Tip 6: How do you travel without the internet?

    Just because public Wi-Fi needs a password when you log in doesn’t mean your online activities are encrypted, which matters especially if they involve confidential information. #100securedays

    Best Practice: Get a portable router or your own Wi-Fi hotspot; you can purchase this even at the airport.

    Tip 7: Monitoring your accounts, especially when you travel, is good practice. If you’ve noticed any unusual behavior or transaction in your account, contact your bank immediately. #100securedays

    Tip 8: Imagine if your phone fell into the wrong hands. Secure your devices and use strong passwords on everything, including your phone. #100securedays

    News

    #100securedays Week 6

    “One single vulnerability is all an attacker needs.” – Window Snyder, Chief Security Officer, Fastly

    Day 24: A vulnerability scan detects and classifies the potential points of exploit on a network to identify security holes. Schedule one now because prevention is always better than cure. #100securedays

    Day 25: Vishing is starting to gain popularity. Cybercriminals are starting to create fake sites that lure victims into calling them. Verify phone numbers before calling back and have your guard up at all times; question the caller to be certain that this isn’t a scam. #100securedays

    Day 26: Apps are sending their users’ location information to data monetization firms even after users opt out of location tracking. It is the responsibility of app developers to use and store location data responsibly. #100securedays

    Day 27: We all love sharing things on social media, there’s nothing wrong with that. Be careful of what kind of information you share on your channels and make your account private to keep your personal information secure. #100securedays

    Day 28: If you’ve noticed any unusual behavior or transaction in your account, contact your bank immediately. #100securedays

    News

    #100securedays Week 5

    “As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.” – Newton Lee

    Day 19: Do not open, respond to or unsubscribe from a suspicious e-mail. This will alert spammers and put an unprotected system at risk. Stay aware of these kinds of fraudulent practices so you can avoid being compromised in any way. #100securedays

    Day 20: Linux users, make note of this if you haven’t already. We do not want to preach about security but we want every individual in an organisation to practice it. #100securedays

    Day 21: DoS: this kind of attack is a malicious attempt to affect the availability of a targeted system. Ensure your website host is using anti-DoS (Denial of Service) defenses for your website. #100securedays

    Day 22: We release security advisories on a frequent basis on the latest vulnerabilities and recommendations. Join our community, contact us now! #100securedays

    Day 23: Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your IT infrastructure. How do you analyse the security event information? If you don’t have one in place, you might need to consider getting one soon. #100securedays

    News

    #100securedays Week 4

    “Cybercrime is the greatest threat to every company in the world” – Ginni Rometty, IBM Chairman, President & CEO

    Day 14:

    More than 250 million confidential business records were reported lost or stolen. One of the main reasons for this is leaving your devices unlocked. Locking your systems will prevent unauthorized access. #100securedays

    Day 15:

    Encrypt your external hard drives and USB flash drives in case of theft or loss. Only allow USB drives for authorized staff, if required. #100securedays

    Day 16:

    This is crucial for every business! Every organization big and small is a target. Follow these high-level steps if you’ve been a victim of a data breach. #100securedays

    Day 17:

    How many times do you conduct these services on your network? When we scope your call, we will analyze which service will suit your specific requirement. #100securedays

    Day 18:

    Yes, it’s true! Be careful and avoid any download of this kind. Don’t be a victim of an attack, follow us for more security tips! #100securedays

    News

    Is your security turning cloudy?

    The leading factor driving greater public cloud engagement or adoption today is the digital transformation of enterprises.

    The question is which one is more secure: Data on-premise or in the cloud?

    Honestly, both come with security risks and vulnerabilities. With the rise in cloud migration, businesses believe there is more ease in storing and maintaining their data. Cloud migration may be an easy solution to their biggest problem, but security should be their biggest concern.

    Check out our blog on 4 cloud security threats that need your attention right now!

    IT managers are finding it difficult to keep their applications and data safe in the cloud for two main reasons: a shortage of cybersecurity skills and Shadow IT.

    What is Shadow IT?

    This term refers to IT applications and infrastructure that are managed and utilized without the knowledge of the organisation’s IT department. For example, you want to study the analytics of a certain website using an application that the IT department is not aware of; this can be a serious concern for a business. Below is a good example of how Shadow IT works (Source: Smartfile).

    According to a McAfee study, the average enterprise uses 1,427 distinct cloud services and the average employee actively uses 36 cloud services at work. These contain confidential data like financial records and business plans, sensitive e-mails, payment and health information and more.

    Which of these cloud services does the IT department have visibility of in the network?

    Shadow IT is a challenge for many businesses. Understanding how to effectively meet changing business needs and create a better understanding between IT and the business is one of the keys to preventing Shadow IT, but also it is important to have visibility of everything that happens within the business environment and have alerts in place for any suspicious activity.

    Shortage of cybersecurity skills

    Organisations are facing a major challenge in keeping their staff up to date in the required work skills. Staff being overworked, training and hiring more junior staff (which leads to inefficiency and poor-quality deliverables), and the inability to learn or use security technologies in the most effective way are some of the reasons why the skills gap is worsening.
    According to an ESG report, the top three areas are Cloud Security (33%), Application Security (32%) and Security Analysis & Investigation (30%).

    We can offer many best practices in cloud security. Here is an overview, click here.

    Our recommendation is to start with a cloud security assessment to understand where you stand in terms of security in your cloud. We then recommend best practices that suit your business plan and create a roadmap for you to prioritize your risk in a cost-effective and timely manner.

    Download our Office 365 Datasheet.

    We do not want to preach about security but we want every individual in an organisation to practice it. If you would like to speak to our subject matter experts for further advice, call us: 1800 903 552 or e-mail us.