Building a Strong Cyber-Security Framework
By Samuel Greengard | Posted 2015-12-01
Cyber-attacks are growing exponentially, so organizations must adopt a risk-based framework, including governance and a multilayer defense-in-depth approach.
Identifying Valuable Assets and Potential Risks
The path to better cyber-security is paved with more than a few potholes. Most importantly, BDO's Shaghaghi points out, it's essential to recognize that there's simply no way to eliminate all risk and bullet-proof an organization. But there is a starting point.
"It's critical to identify your most valuable digital assets and fully understand where risk exists, including how it extends to commodity services and third-party providers," Shaghaghi advises. "It's important to take a fresh look at how an organization can protect internal resources, but also manage relationships."
This typically starts with a holistic and comprehensive risk assessment framework that identifies where dangers reside, where vulnerabilities exist, and how an organization can develop strategies, tools and technologies—along with data classification and protection methods as well as resiliency strategies—that together reduce the risk of a breach or breakdown.
Some organizations are also tapping analytics, including vector analysis and predictive modeling, to gain broader and deeper insights. Still others are turning to consultants and other providers of cyber-security risk assessment and testing, in some cases by simulating attacks or social engineering methods.
Some organizations are adopting leading-edge and experimental methods that revolve around digital fingerprinting and the relationship of files and data through locality-sensitive hashing and graph mining. Of course, all of this must supplement an existing security framework that includes system and device oversight, strong authentication, and file and device encryption, along with controls over software and data access.
It's also necessary to think through business processes in a deeper way, Deloitte's Saif points out. For example, geofencing can prove useful for blocking access from outside a local area, but it can also introduce a problem if someone is traveling. This may lead to a need for a specialized authentication method from outside the geofenced area.
Similarly, access to systems during certain hours that are outside the bounds of regular business, say 3 a.m., may require a user to answer a few security questions and obtain an authorization code through a registered mobile device before hopping on the network. "There are a number of things an organization can do to mitigate risks," he says.
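The geofencing and off-hours checks described above can be combined into one step-up policy, sketched here in Python. This is an added example, not code from the article or the firms quoted; the office coordinates, radius, business hours, fixed UTC-5 offset and factor names are all assumptions.

```python
import math
from datetime import datetime, time, timedelta, timezone

# Assumed policy values, constructed for this example (not from the article).
OFFICE = (40.7128, -74.0060)               # geofence centre as (lat, lon)
RADIUS_KM = 50.0                           # geofence radius
OFFICE_TZ = timezone(timedelta(hours=-5))  # fixed offset, ignores DST
OPEN, CLOSE = time(7, 0), time(19, 0)      # regular business hours, office-local

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def required_factors(location, when, has_registered_device):
    """Return the extra checks a login must pass, or None to deny it."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    extra = set()
    if km_between(OFFICE, location) > RADIUS_KM:
        # Outside the geofence: a traveller is stepped up, not hard-blocked.
        extra.add("traveller_auth")
    local = when.astimezone(OFFICE_TZ).time()
    if not (OPEN <= local < CLOSE):
        # Off-hours: security questions plus a code sent to the registered device.
        extra.update({"security_questions", "device_code"})
    if "device_code" in extra and not has_registered_device:
        return None  # step-up cannot be satisfied, so fail closed
    return extra

if __name__ == "__main__":
    # Constructed sample logins: (label, location, UTC timestamp, has device).
    samples = [
        ("office, 10:00 local", OFFICE, datetime(2015, 12, 1, 15, tzinfo=timezone.utc), True),
        ("London, 10:00 local", (51.5074, -0.1278), datetime(2015, 12, 1, 15, tzinfo=timezone.utc), True),
        ("office, 03:00 local", OFFICE, datetime(2015, 12, 1, 8, tzinfo=timezone.utc), False),
    ]
    for label, loc, when, device in samples:
        print(label, "->", required_factors(loc, when, device))
```

The timestamp is converted to office-local time before the business-hours test, so a login is judged against the organization's clock rather than the client's.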
In addition, experts say that emerging intelligence and peer-to-peer sharing networks are valuable tools for spotting potential risks quickly and taking immediate steps to identify and block attacks. Because these networks function anonymously, organizations can avoid public exposure and potential fallout.
"We are seeing a number of information-sharing and analysis centers pop up for different industries and types of organizations," Saif says. "It's an important piece of the overall puzzle."
Finally, he says that a crucial but often overlooked component is building better security into products—a challenge that is magnified by the Internet of things and connected devices, including drones, 3D printing and ubiquitous sensors.
One thing is certain: Cyber-security isn't going to become simpler or easier anytime soon. "In the end, everything comes back to a defense-in-depth approach," Saif concludes. "There's a need to constantly monitor, manage and reevaluate—and build a plan and a framework for being resilient and prepared if and when an event takes place."