By Zeeshan Kazmi
Cyber Security Practice Head
News stories are full of evidence of what CIOPS has been witnessing in the field: cyber security attacks are on the rise. In fact, the global cost of damages from cybercrime, which stood at over $600 billion in 2017, is projected to skyrocket to $6 trillion by 2021.
The frequency of cyberattacks, as well as the number of methods used by these criminals, is increasing exponentially. Cyber criminals are investing heavily in tools and automation to find any type of unaddressed vulnerability—especially in small- and medium-sized businesses.
The danger is real and can cause a great deal of anxiety, especially if your ability to combat cyberthreats is hampered by a limited budget. What are your options when your cyber security budget is tight, but you know an attack can be catastrophic?
Start with a simplified framework to establish a security foundation
If you feel like you’re floundering, I’ve got good news for you. There is a well-established framework that covers nearly all the common information security risks: the 20 Critical Security Controls, created by the Center for Internet Security (CIS), a non-profit organization that has been around for over two decades.
Start with the first five Critical Security Controls
Here’s even better news: if you implement the first five Critical Security Controls, you’ll mitigate an estimated 87% of your risk (based on quantitative measures). These first five Critical Security Controls knock off the “low hanging fruit” by addressing the most common information security issues:
1. Inventory of Authorized and Unauthorized Devices
Ensure that all devices connected to your network are understood and documented, whether they are authorized or unauthorized. This knowledge will help you take steps to harden your network perimeter.*
2. Inventory of Authorized and Unauthorized Software
This is just like Control #1, but for software. Create and maintain a complete inventory of all the software that’s running on your network, whether it is authorized or unauthorized.
Keep in mind that unauthorized software represents a significant threat. Unauthorized software includes both software that has been intentionally installed by users without following your organization’s policies, and software that has been unintentionally installed, such as through phishing schemes.
3. Secure Configurations for Hardware and Software
Every piece of equipment you buy should be validated against a set of pre-determined standards before it is purchased. To make this happen you must develop these standards for your organization—and then apply these standards to all the hardware and software run within your environment, including mobile devices and servers.
4. Continuous Vulnerability Assessment and Remediation
Continuously monitor your system and run vulnerability assessments to watch for anything new that has been installed, whether it is software or hardware, and then address whatever issues are discovered.
If your permissions and Identity and Access Management system don’t catch it first, your basic network monitoring tools will usually catch most things that have been installed. Whatever these tools don’t catch should be caught by your vulnerability assessments. Use security scanning tools to run vulnerability assessments continuously, and then augment this with periodically scheduled “audit” type assessments.
Why is this so important? Because you can put all the advanced cyber security systems in place that you want, but if someone installs an unauthorized wireless router on your system, you immediately have an uncontrolled vulnerability.
5. Controlled Use of Administrative Privileges
Administrators who have the highest level of access to resources—i.e. those who can do almost anything they want within your network—must be monitored, and every action they take must be logged. Someone must watch to verify that their actions are always in the organization’s best interests.
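The check at the heart of Controls 1 and 2 is the same: compare what is actually observed on the network against the approved inventory, and flag both what is present but unapproved and what is approved but no longer seen. The script below is an added example (not code from the article or from CIS); every device, address and package name in it is constructed, standing in for data that would normally come from an asset database, a DHCP/ARP sweep and an endpoint agent.

```python
"""Reconcile observed devices and software against an authorized inventory
(the basic check behind CIS Controls 1 and 2). Added example; all data is
constructed and the identifiers are placeholders."""
from collections import namedtuple

Report = namedtuple("Report", "unauthorized missing")


def reconcile(authorized, observed):
    """Compare approved identifiers with observed ones.

    unauthorized: seen on the network but not in the approved inventory
    missing:      approved but not seen (offline, retired, or gone astray)
    Identifiers are lower-cased so MAC or package-name casing does not
    create false positives.
    """
    approved = {a.lower() for a in authorized}
    seen = {o.lower() for o in observed}
    return Report(sorted(seen - approved), sorted(approved - seen))


# Control 1: devices, keyed by MAC address (constructed asset register).
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01",  # fin-laptop-01
    "aa:bb:cc:00:00:02",  # dc-01
    "aa:bb:cc:00:00:03",  # printer-floor2, offline during this sweep
}
# Constructed ARP-style sweep results: (mac, ip, hostname)
DISCOVERED_DEVICES = [
    ("AA:BB:CC:00:00:01", "10.0.1.21", "fin-laptop-01"),
    ("aa:bb:cc:00:00:02", "10.0.1.5", "dc-01"),
    ("de:ad:be:ef:00:99", "10.0.1.200", "unknown-wifi-router"),  # not approved
]

# Control 2: software, package names reported per host (constructed).
AUTHORIZED_SOFTWARE = {"office-suite", "endpoint-agent", "browser"}
INSTALLED_SOFTWARE = {
    "fin-laptop-01": ["office-suite", "endpoint-agent", "browser", "remote-desktop-tool"],
}


def device_report():
    return reconcile(AUTHORIZED_DEVICES, [mac for mac, _, _ in DISCOVERED_DEVICES])


def software_report(host):
    return reconcile(AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE[host])


if __name__ == "__main__":
    dev = device_report()
    print("unauthorized devices:", dev.unauthorized, "| missing devices:", dev.missing)
    for host in INSTALLED_SOFTWARE:
        sw = software_report(host)
        print(host, "unauthorized software:", sw.unauthorized, "| missing:", sw.missing)
```

Both halves of each report matter: an unauthorized device is the uncontrolled-vulnerability case the article warns about, while an approved asset that has stopped appearing deserves a follow-up of its own.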
What about the other 15 Critical Security Controls?
These first five Critical Security Controls represent 20 years of consensus on where the most basic-level information security competencies start. After you have implemented these you can focus on the other 15, which address the more complex issues.
And what about the NIST framework?
The CIS cyber security framework is quite a bit less complex than the NIST (National Institute of Standards and Technology) cyber security framework, which is a necessity for some organizations due to compliance requirements. NIST includes over 800 controls—but you need to get the basics covered with the CIS 20 first because you will not be able to meet the NIST standard if you don’t get the foundation correct.
Conclusion
There is a lot of talk about the importance of information security. Coupled with that talk is the not insignificant cost of having a robust cyber security system. By focusing on these first five Critical Security Controls you will get the most bang for your buck. These are the places to start because these controls address the vast majority of your architectural vulnerabilities. Once you have these things in place you can move on to implementing other security measures.
Remember, hackers are like water: they tend to flow through the easiest possible path. When a hacker encounters an organization that has implemented the best practices of the first five controls, they will typically pass by and find a target that has not.
* McAfee and the Center for Strategic and International Studies (CSIS), “Economic Impact of Cybercrime – No Slowing Down,” February 2018, https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-economic-impact-cybercrime.pdf.
* Cybersecurity Ventures, “2017 Cybercrime Report,” 2017, https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf.
About Zeeshan Kazmi
As a seasoned global technology executive, Zeeshan is known as an analytical thinker who introduces cutting-edge solutions and game-changing cultural shifts that ignite revenue and productivity, and optimize performance. Clients benefit from his extensive experience directing the development and execution of advanced Cyber Security and IT strategies that facilitate sustainable growth, strategic risk management and increased profitability.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.