Cyberwarfare and cybercrime are here to stay, no doubt about that. Whatever the size of your network, it is imperative to be proactive and prepare for the future. Every organization should take the necessary basic precautions now, because its network is already on the front line.
Risk management forms the basis of a sound and strategic cybersecurity program for organizations of all sizes. It starts with an initial risk assessment in which you identify, categorize, and rank your data according to the impact on the organization should that data be exposed, lost, or stolen; the aim is to have the basics in place before disaster strikes. At a bare minimum, every organization, whatever its size, should take the following seven steps to protect its data, each supported by standards and guidelines:
1. Set up multi-factor authentication for all users accessing your network, without exception.
- For a plain-language explanation of how MFA works, NIST publishes a short primer entitled Back to basics: Multi-factor authentication (MFA).
- It also serves well to have a copy of ISO/IEC 27001:2013 – Information Security Management Systems – Requirements. The standard’s requirements are generic and apply to all organizations regardless of type, size, and nature. They specify how to establish, implement, maintain, and continually improve the organization’s Information Security Management System (ISMS), and they include requirements for assessing and treating information security risks tailored to the organization’s needs. To help implement Item 1, see the following controls in Annex A of ISO/IEC 27001:2013:
- A.9.1.1 – Access control policy
- A.9.1.2 – Access to networks and network services
- A.9.4.2 – Secure log-on procedures
- A.9.4.4 – Use of privileged utility programs
- A.10.1.1 – Policy on the use of cryptographic controls
- A.11.1.2 – Physical entry controls
- A.11.2.9 – Clear desk and clear screen policy
- A.13.1.2 – Security of network services
- A.13.1.3 – Segregation in networks
- A.13.2.3 – Electronic messaging
- A.14.1.1 – Information security requirements analysis and specification
- A.14.1.2 – Securing application services on public networks
- A.14.1.3 – Protecting application services transactions
- A.14.2.5 – Secure system engineering principles
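What the server side of a second factor actually checks, as an added example that is not part of the original article or of any NIST or ISO publication: a Go implementation of the time-based one-time password (TOTP, RFC 6238) verification that most MFA apps rely on. The `Verifier` type, its field names, the 30-second step and the one-step clock skew are assumptions chosen for the illustration; the secret is the published RFC 6238 test-vector secret, not a real one. The point the prose alone does not show is that a correct check must compare codes in constant time and must refuse to accept the same code twice, otherwise a code captured by phishing can be replayed within its validity window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totpCode computes the RFC 6238 code for one time-step counter:
// HMAC-SHA1(secret, counter), dynamically truncated to `digits` decimal digits.
func totpCode(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Verifier holds one user's enrolled TOTP secret plus the state needed to reject
// replayed codes (assumed structure; a real system persists lastUsed per user).
type Verifier struct {
	Secret   []byte
	Digits   int
	Period   int64  // step length in seconds, 30 in RFC 6238
	Skew     int64  // steps of clock tolerance accepted on each side of "now"
	lastUsed uint64 // highest counter already consumed by a successful login
}

// Verify returns true when code matches the current step or one inside the skew
// window and that step has not already been used. Comparison is constant-time.
func (v *Verifier) Verify(code string, now time.Time) bool {
	step := now.Unix() / v.Period
	for d := -v.Skew; d <= v.Skew; d++ {
		if step+d < 0 {
			continue
		}
		c := uint64(step + d)
		// Replay guard: any counter at or below the last accepted one is dead.
		if c <= v.lastUsed {
			continue
		}
		expected := []byte(totpCode(v.Secret, c, v.Digits))
		if subtle.ConstantTimeCompare(expected, []byte(code)) == 1 {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the RFC 6238 test-vector secret, never a production one.
	secret := []byte("12345678901234567890")
	v := &Verifier{Secret: secret, Digits: 6, Period: 30, Skew: 1}
	at := time.Unix(59, 0) // RFC 6238 vector: T=1, 8-digit code 94287082, so 6-digit 287082
	fmt.Println("first use:", v.Verify("287082", at)) // true
	fmt.Println("replayed: ", v.Verify("287082", at)) // false
	fmt.Println("wrong:    ", v.Verify("000000", at)) // false
}
```

Note that the replay guard is per secret: a second login attempt with the same code within the same 30-second window is refused even though the code is still arithmetically valid, which is exactly the window an attacker relaying a phished code depends on.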
2. Most importantly, use access control to manage who gets access to what data.
- Consider ISO/IEC 29146:2016 – A Framework for Access Management. It defines and establishes a framework for access management (FAM) with guidance on securely managing the processes by which users gain access to information and Information and Communications Technology (ICT) resources.
- Organizations should also move toward a Zero Trust architecture: instead of trusting anything inside the network perimeter, it segments the network and verifies every request for data access (“verify all”) against the identity, device, and context of the requester.
3. Use encryption to protect data at rest and in transit.
- For guidelines, consider ISO/IEC 27002 – Code of Practice for Information Security Controls, which is essentially a detailed catalogue of the information security controls managed through the ISMS. Supplement it with ISO/IEC 27040:2015 – Storage security, which provides detailed technical guidance on managing all aspects of data storage security, from planning and design through implementation and documentation.
- A good read on the pitfalls is Five mistakes of data encryption: Pitfalls on the path to a ‘silver bullet’ by Anton Chuvakin.
4. Maintain secure, automatic, and always-encrypted backups, apply Items 1, 2, and 3 to them, and test regularly that they can actually be restored.
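How an encrypted backup is sealed and later verified on restore, as an added example covering Items 3 and 4 that is not from the original article or from any ISO publication: Go code using AES-256-GCM, an authenticated mode that gives confidentiality and integrity together, so a backup that has been tampered with, truncated, or swapped for a different one is rejected rather than silently restored. The master key, the per-backup key derivation with HMAC-SHA256, the backup-ID label and the function names are assumptions for the illustration; in practice the master key would live in a KMS or HSM under the cryptographic-controls policy of control A.10.1.1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveBackupKey derives a distinct AES-256 key per backup from the master key
// with HMAC-SHA256 (assumed scheme), so a leaked backup key exposes one backup only.
func deriveBackupKey(master []byte, backupID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("backup-key:" + backupID))
	return mac.Sum(nil) // 32 bytes
}

func newGCM(master []byte, backupID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveBackupKey(master, backupID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts plaintext and returns nonce || ciphertext || tag. The backup
// ID is bound as associated data, so the blob only opens under that same ID.
func sealBackup(master []byte, backupID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(master, backupID)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per backup; reusing one under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(backupID)), nil
}

// openBackup decrypts a blob produced by sealBackup and fails closed on any
// modification of the nonce, ciphertext, tag, or backup ID.
func openBackup(master []byte, backupID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(master, backupID)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(backupID))
}

func main() {
	// Constructed sample: a random master key and a tiny stand-in for a database dump.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	dump := []byte("INSERT INTO customers VALUES (1, 'constructed sample');")

	blob, err := sealBackup(master, "db-2019-02-02", dump)
	if err != nil {
		panic(err)
	}
	pt, err := openBackup(master, "db-2019-02-02", blob)
	fmt.Println("restore ok:", err == nil && string(pt) == string(dump))

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = openBackup(master, "db-2019-02-02", blob)
	fmt.Println("tampered blob rejected:", err != nil)
	blob[len(blob)-1] ^= 0x01

	_, err = openBackup(master, "db-2019-02-01", blob) // same bytes, wrong label
	fmt.Println("mislabelled blob rejected:", err != nil)
}
```

The restore path is deliberately the only way to learn whether a backup is good: because GCM verifies the tag before releasing any plaintext, a restore drill (Item 4's "test that they can be restored") doubles as an integrity check of the stored copy.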
5. Tightly control which vendors and partners may access your systems, and what they may access.
- Here consider ISO/IEC 27036:2013 – Information Security for Supplier Relationships, a multi-part standard offering guidance on evaluating and treating the information risks involved in acquiring goods and services from suppliers.
6. Develop, implement, and regularly exercise disaster recovery and continuity of operations plans, and make sure they include an alternate location from which to operate.
- A good place to start is ISO 22301 – Business Continuity Management Systems – Requirements, a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise.
- Your reading should also include ISO/IEC 27031 – Guidelines for Information and Communication Technology Readiness for Business Continuity. It describes the concepts and principles of ICT readiness for business continuity and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) of improving an organization’s ICT readiness to ensure business continuity.
- Moreover, ISO/IEC 24762:2008 – Guidelines for Information and Communications Technology Disaster Recovery Services provides guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management, applicable to both in-house and outsourced ICT DR providers of physical facilities and services.
7. Adopt cybersecurity frameworks and the relevant regulatory controls to manage and monitor your systems.
- Two good sources of material are the NIST Framework for Improving Critical Infrastructure Cybersecurity and the UK NCSC’s NIS guidance collection, which is organised around managing security risk, defending systems against cyber attack, detecting cyber security events, and minimising the impact of cyber security incidents.