Introduction
In today's computerized world, new risks emerge every hour of every day. Connecting to the Internet opens up the possibility of a hacker targeting your organization. Cybercrime is becoming big business, and cyber risk a focus of organizations and governments globally. Monetary and reputational risks are high if an organization does not have an appropriate cybersecurity plan. The UK 'Cyber Security Breaches Survey 2018' revealed that over four in ten (43%) businesses and two in ten (19%) charities in the UK had suffered a cyberattack. The same survey found that 38% of small businesses had spent nothing at all to protect themselves from cybersecurity threats. A separate survey found that a third of UK small businesses are risking their online safety by operating at or below the "security poverty line". The most frequent types of cyber-criminal activity were fraudulent e-mails and the impersonation of organizations online. Malicious e-mail was also found to be the most common type of cyberattack in the Internet Security Threat Report. The consequences of cybercrime are costly: research by the Ponemon Institute put the average total cost of a data breach in 2019 at $3.92 million.

What is Cybersecurity?
Cybersecurity is the practice of keeping an organization's data safe from attack by both internal and external bad actors. It encompasses the technologies, processes, structures, and practices used to protect networks, computers, programs, and data from unauthorized access or damage. The goal of any cybersecurity strategy is to ensure the confidentiality, integrity, and availability of data and systems.

There are several primary ways in which cybersecurity incidents can damage (or even destroy) an organization and its reputation. The first is that a hacker might obtain sensitive information such as bank account or credit card details, for which there are open markets on the "dark web".
If others gain access to such sensitive information, the organization may find its banking or credit card facilities withdrawn, or find itself in breach of privacy laws. Every month, high-profile breaches affecting personal data are reported around the world.

A second, related issue is reputational: when a hacker obtains sensitive information about the organization, its reputation may be ruined. Few small organizations can survive the damage to reputation that such a loss can cause, and the damage to reputation and goodwill may be more crippling than the data loss itself.

Third, loss of customer data may result in legal or regulatory action against the organization. A third party that has itself incurred a loss might sue the organization, and in many jurisdictions breaches of privacy laws attract significant penalties and/or legal action.

The most recent and alarming cybersecurity problem for organizations is ransomware. As early as 2012, ransomware campaigns were reported to have adopted commercially focused business models. In many cases the malware is disguised and embedded within another type of document, waiting to be executed by the target user. Upon execution, the malware may begin encrypting the organization's data immediately, or first contact a centralized command-and-control server and await instructions from the adversary. The data is encrypted with keys the attacker controls: in the common design, each victim's files are encrypted with a symmetric key that is itself wrapped with a 2,048-bit RSA public key, so the data stays inaccessible without the attacker's private key. Once all reachable data has been encrypted, in many instances including the backup data and backup systems, the organization is instructed how to pay a ransom within a set number of days, failing which the adversary will destroy the decryption key and the data will be lost. Literally, the adversary holds the data to ransom, hence 'ransomware'.
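Because ransomware frequently reaches the backups too, a backup set should be screened before anyone relies on it for recovery. The following is an added example, not code from the original article: a Python screening check that flags files in a backup whose bytes look like ciphertext. It relies on the fact that encrypted output is statistically indistinguishable from random data (Shannon entropy close to 8 bits per byte), while documents, spreadsheets and source code sit well below that. Legitimately compressed containers (ZIP/Office, gzip, PNG, JPEG, 7z) are also high-entropy, so the check exempts files whose magic bytes identify a known format instead of trusting the number alone. The file names, the magic-byte table, the threshold and the sample backup contents are all constructed for the example.

```python
"""Flag files in a backup set that look like ransomware ciphertext.

Screening heuristic for a backup before restoring from it; it complements,
and does not replace, verifying restored files against known-good hashes.
"""
import hashlib
import math
from collections import Counter

# Files at or above this entropy (bits per byte) are treated as suspect.
# Random data scores ~7.99, English text ~4.5, typical binaries 5.5-6.5.
# The threshold is an assumption chosen for illustration.
ENTROPY_THRESHOLD = 7.5

# Leading bytes of formats that are high-entropy by design. Illustrative
# list (assumption): extend it for the formats actually present in the backup.
KNOWN_COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def known_compressed_format(data: bytes):
    """Return the format name if `data` starts with a known high-entropy magic, else None."""
    for magic, name in KNOWN_COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_file(name: str, data: bytes) -> dict:
    """Classify one file as 'ok', 'compressed' (exempt) or 'suspect'."""
    entropy = shannon_entropy(data)
    fmt = known_compressed_format(data)
    if fmt is not None:
        verdict = "compressed"
    elif entropy >= ENTROPY_THRESHOLD and len(data) >= 256:
        # Very small files can score high by chance, so require a minimum size.
        verdict = "suspect"
    else:
        verdict = "ok"
    return {"name": name, "entropy": round(entropy, 3), "format": fmt, "verdict": verdict}


def scan_backup(files: dict) -> list:
    """Assess every file in {name: bytes} and return the names flagged as suspect."""
    return [r["name"] for r in (assess_file(n, d) for n, d in files.items())
            if r["verdict"] == "suspect"]


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic random-looking bytes (a SHA-256 chain) standing in for
    ransomware output so the sample runs offline and reproducibly.
    This is test data only, not an encryption scheme."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample backup set (not real data).
SAMPLE_BACKUP = {
    "ledger_2019.csv": b"date,account,amount\n2019-03-01,1001,120.50\n" * 40,
    "notes.txt": b"Quarterly review notes. " * 50,
    "archive.zip": b"PK\x03\x04" + pseudo_ciphertext(b"zip", 2048),
    "ledger_2019.csv.locked": pseudo_ciphertext(b"victim-1", 4096),
    "empty.dat": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLE_BACKUP.items():
        r = assess_file(name, data)
        print(f"{r['verdict']:<10} {r['entropy']:.3f}  {name}")
    print("suspect:", scan_backup(SAMPLE_BACKUP))
```

Run against a real backup, the loop would read each file (or its first few hundred kilobytes) instead of the inline dictionary. A single suspect file among thousands is worth a look; a whole tree of them, or a sudden mass of unfamiliar extensions, means the backup was taken after the encryption started and an older copy is needed.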
The keys are strong enough that cracking them instead of paying the ransom is uneconomic: by one estimate, an average desktop computer would take five quadrillion years to decrypt the data without the key. In some cases the organization can hope that researchers have found a way to decrypt the data by exploiting a design flaw in the particular ransomware strain. Otherwise the organization will have to restore its systems and data from a safe backup, or consider paying the ransom. Keep in mind that restoring data does not by itself remove the risk that the ransomware will be re-enabled or return: the environment was compromised, and until the initial foothold and any persistence the attacker left behind have been removed, the integrity of the restored systems cannot be trusted.

Cybersecurity Governance
A cybersecurity governance and risk management program should be established, appropriate to the size of the organization. Owners and directors need to treat cybersecurity risk as a significant business risk, at the same level as compliance, operational, financial, and reputational risk, with suitable measurement criteria and with results monitored and managed. Voluntary frameworks exist to guide the risk assessment and related best practices. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework organizes this work around five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover.
Protection from Malicious Software and External Attack
New threats continue to emerge, and each organization needs to be sure it is equipped to deal with a dynamic threat landscape. The following are some of the more critical system utilities and solutions used to help mitigate these attacks:
All are mandatory for any well-managed system using a defence-in-depth strategy. The cost of an attack can be significant, involving loss of data, fraud, and the cost of rebuilding systems, and should be weighed against the cost of defending against such threats.

Use a well-known, reputable supplier. Some companies purport to supply these utilities when the 'utilities' themselves are malicious software, so be cautious about free software or software from an unknown vendor. Generally, it is best to use the utilities recommended by the business's systems integration (technical support) organization, as they will be responsible for installation, configuration, and maintenance.

Maintenance of these applications is critical. New malicious software emerges every day, and most vendors provide at least daily automatic updates to their signature databases so that the system remains effectively protected. Ensuring that these updates are actually being applied, on every system, is essential.

Hardware Maintenance Plans
Maintenance contracts should be kept with hardware suppliers so that hardware failures can be rectified quickly. These contracts should specify the service levels the supplier will meet in the event of a failure. Critical hardware such as servers, switches, and backup technologies requires prompt attention, and many contracts specify a four-hour response for failure of these components. Other, less critical hardware such as individual workstations can have longer response times. Some organizations, particularly in remote areas, keep spares of critical components with a higher potential to fail, such as power supplies, so that a failed component can be replaced quickly. Organizations that rely on maintenance contracts should ensure that the support company keeps an adequate supply of spare components to meet the organization's service level commitments.
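Checking that signature updates are really being applied, as the maintenance point above requires, means looking at what each host's update agent actually reported rather than trusting the vendor's "daily update" promise. The following is an added example, not code from the original article: a Python check that reads update-agent log lines, works out each host's last successful signature update, and reports hosts whose signatures are older than an allowed age, hosts that have been failing since their last success, and hosts that have never reported a success at all. The key=value log format, the host names, the failure reasons, the two-day limit and the reference time are all constructed for the example; a real product's log format will differ and `parse_line` is the part to adapt.

```python
"""Report hosts whose anti-malware signature updates are stale or failing.

A host that silently stopped updating is unprotected against everything newer
than its last signature set; this check surfaces exactly that gap.
"""
from datetime import datetime, timedelta, timezone

# Constructed log lines in an assumed "<ISO time> key=value ..." format.
SAMPLE_LOG = """\
2019-11-01T03:10:04Z host=fs-01 product=av event=sigupdate result=ok version=2019-11-01.2
2019-11-02T03:10:11Z host=fs-01 product=av event=sigupdate result=ok version=2019-11-02.1
2019-11-03T03:10:09Z host=fs-01 product=av event=sigupdate result=ok version=2019-11-03.1
2019-10-20T03:11:47Z host=ws-07 product=av event=sigupdate result=ok version=2019-10-20.3
2019-10-21T03:11:52Z host=ws-07 product=av event=sigupdate result=error reason=proxy_auth
2019-11-03T03:09:30Z host=ws-12 product=av event=sigupdate result=ok version=2019-11-03.1
2019-11-03T09:42:00Z host=ws-12 product=av event=sigupdate result=error reason=disk_full
2019-11-03T03:10:00Z host=ws-15 product=av event=heartbeat
"""

# Assumed policy: a host may run with signatures at most two days old.
MAX_SIGNATURE_AGE = timedelta(days=2)

# Fixed reference time so the sample evaluates reproducibly (assumption).
REFERENCE_NOW = datetime(2019, 11, 4, 8, 0, tzinfo=timezone.utc)


def parse_line(line: str):
    """Parse one log line into (timestamp, fields) or None if it is malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return ts, fields


def update_status(log_text: str) -> dict:
    """Return {host: {"last_ok": ts|None, "last_error": ts|None, "version": str|None}}.

    Only 'sigupdate' events count as evidence; heartbeats only prove the agent
    is alive, so a host seen only via heartbeats ends up with last_ok=None.
    """
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        host = f.get("host")
        if host is None:
            continue
        entry = hosts.setdefault(host, {"last_ok": None, "last_error": None, "version": None})
        if f.get("event") != "sigupdate":
            continue
        if f.get("result") == "ok":
            if entry["last_ok"] is None or ts > entry["last_ok"]:
                entry["last_ok"] = ts
                entry["version"] = f.get("version")
        elif entry["last_error"] is None or ts > entry["last_error"]:
            entry["last_error"] = ts
    return hosts


def stale_hosts(log_text: str, now: datetime, max_age: timedelta = MAX_SIGNATURE_AGE) -> dict:
    """Map each host needing attention to a one-line reason."""
    problems = {}
    for host, e in update_status(log_text).items():
        if e["last_ok"] is None:
            problems[host] = "no successful signature update on record"
        elif now - e["last_ok"] > max_age:
            problems[host] = f"last successful update {(now - e['last_ok']).days} days ago"
        elif e["last_error"] is not None and e["last_error"] > e["last_ok"]:
            problems[host] = "update failing since last success"
    return problems


if __name__ == "__main__":
    for host, why in sorted(stale_hosts(SAMPLE_LOG, REFERENCE_NOW).items()):
        print(f"{host}: {why}")
```

Fed the sample log, the check passes `fs-01` and reports `ws-07` (fifteen days stale), `ws-12` (an error after its last success) and `ws-15` (heartbeats but no update ever recorded). The last case is the one dashboards most often miss: an agent that is "online" but has never successfully pulled signatures.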
The quality of the organization's external IT support company is critical to ensuring that systems are correctly implemented and supported. Issues to consider in selecting an appropriate company include:
People and Documentation
Every organization should establish a plan to mitigate the risk of key people being unavailable in the event of a system failure. Keep a list of contact details for backup technicians. Document the configuration of hardware and software applications, and keep it up to date, so that a new technician can quickly rebuild the system.

Policies and Procedures
Proper IT governance procedures within an organization are critical. Implement a formal risk assessment process, develop policies to ensure that systems are not misused, and review and update those policies continually to reflect the most current risks. This includes developing incident response policies and procedures to respond properly to a potential breach, account for it, and help mitigate its cost. Ongoing education of all employees on technology risks should form part of the organization's risk management framework, so that potential security breaches are mitigated through education and through policies promulgated to all levels of staff. Policies should include, but are not limited to:
Individual jurisdictions may have enacted legislation that requires particular policies, or particular issues within a policy, to be addressed. Common policies, covering system use, e-mail use, internet use, and remote access, are listed below.

System Use Policy
A system use policy outlines the rules under which the organization's IT systems may be used. Example elements to consider in this policy include:
E-mail Use Policy
Example elements to consider in an e-mail use policy include:
Internet Use Policy
Example elements to consider in an internet use policy include:
Remote Access Policy
Example elements to consider in a remote access policy include:
Insurance
Adequate insurance should cover the cost of replacing damaged infrastructure as well as the labor costs to investigate the incident, rebuild systems, and restore data. Consider also insurance for productivity loss resulting from a major system failure or catastrophic event.

Gateway Articles and Videos
The Gateway has a range of other material related to cybersecurity.