2018 has already begun with several high-profile cyber security risks such as the Spectre/Meltdown advisory. While many organizations are paying more attention to potential cyber security risks, organizations in government and highly regulated industries have extra steps to consider. Here are some key suggestions that these organizations should consider:
You must understand your environment
In the military, they preach “know your enemy, know yourself and know the terrain.” The potential attack surface is rapidly expanding as everything becomes an endpoint in the IOT or intelligent edge. Every device, web application and operating system becomes a potential route of entry or egress that puts the confidentiality, integrity, and availability of your critical systems, networks, and data at risk. A complete understanding of what you have and how it works is a key step in the determination of criticality and prioritization of system protections. The sad story is that threat actors may understand your attack surface better than you do.
Events don’t happen in a vacuum
When performing risk analysis, especially with the intent of prioritizing the remediation of vulnerabilities, it is critical that the entire context of the event is considered. Tabletop exercises are a good forum for achieving a higher fidelity characterization of the event sequence and the impact of the event on critical business/mission functions. It starts with clarity around threat actors, determination of capability and intent, and clearheaded evaluation of vulnerabilities but that is just the beginning. Organizational and system interdependencies continue to evolve and an open forum with all stakeholders is needed to ensure that controls put in place and response plans conceptualized are executable within the events context.
Culture has the biggest potential return on mitigation
Weak passwords, sharing credentials, or even losing devices are some of the easiest ways that data breaches can occur. Training and enforcement are key to equipping organizations across government and highly regulated industries to manage their cyber risk. Unfortunately, the effectiveness of those measures is wholly reliant on the culture established at the top and embraced throughout the organization. The people element can either be your biggest risk or your first line of defense.
The UDT Federal team has been focused on providing a suite of managed security services to healthcare agencies and financial regulators. Our team will provide strategic guidance and recommendations based on your business requirements that do not necessarily call for a technology-based answer. To find out more, please visit our site below.