Cybersecurity: Must-have control practices

Ten years ago, all the data a company owned was stored physically inside the organization. Now, organizational data and systems are everywhere: in the cloud, in internet applications, on people's personal devices and with many third-party service providers. And with dispersed data comes the opportunity for security breaches. It’s not a matter of if your organization will see an attempt from a bad actor—such as competitors, other countries, cyber criminals and good old-fashioned hackers—to gain unauthorized access to, tamper with or otherwise affect your organization’s data. It’s a matter of when.

Cybersecurity is about protecting your internet-connected organization from malicious actors and user accidents. The foundation of a strong cybersecurity practice focuses on three core principles: integrity, availability and confidentiality. It’s on leaders to make sure their organization’s data is accurate, accessible when needed and only accessed by the right people. To do this, you need to understand the common types of attacks and the controls that can help you keep things secure.

Who is attacking and how?

Security threats come from a number of places. Knowing the motivation and intent of malicious actors, you can estimate the probability of an attack and the impact it could have. This is called a cyber risk assessment. In this assessment, think through why someone would attack your organization and what vulnerabilities exist. Remember, not every attack is made with the attempt to steal data. A security threat is anything that jeopardizes the confidentiality, integrity and availability of your data.

In general, an attacker attempts to get a system to do something it’s not supposed to do, which can be accomplished in three ways. Firstly, they exploit a misconfiguration of the system that allows unauthorized people to have access. Secondly, they take advantage of a technical fault or vulnerability with some software running on the system, by manipulating the software in special ways. The third way is simpler. An attacker just uses the username and password of a real, authorized user. Once an attacker has gained access to a system, they can steal or tamper with data, or even make it unavailable.

Where do attackers start? There are two starting points. The first is any of the organization's systems that the attacker can see on the internet. If the attacker can compromise that system, that may be enough for the attacker's needs. The second is to try to break into a system inside the organization. You’ve probably heard of phishing: it attempts to get a person to execute a malicious program unknowingly.

What is a control and why do you need them?

All computer systems have vulnerabilities, some simple, some complex. If a cyber attacker tries hard enough, they will find a way to exploit a vulnerability. Any attempt an organization makes to stop security threats is called a control. Most of the hard work of cybersecurity is selecting the right controls, and then making sure the controls are actually working. 

Ready for another list of three? A control can be preventative, detective or corrective. Preventative controls are things like passwords or multi-factor authentication. Detective controls are systems that flag malware or phishing attempts and the like. And corrective controls manage the aftermath of an attack using tools like incident response, forensic analysis or restoring data from backups. 

If implementing controls sounds complicated, don’t worry. In the world of cybersecurity, most organizations run frameworks or prescriptive processes and controls to manage cyber risk. Control frameworks are like a box of chocolates; instead of picking and choosing each individual control, frameworks tailor controls to an organization's size and activity. Note that different industries and regulatory bodies either require or suggest frameworks your organization should implement. 

Six practical cybersecurity controls

No matter how an organization determines what controls it needs, whether via risk assessments or adopting a framework, there are some smaller essential controls that almost every organization will use.

1. Update operating systems

When a vulnerability is found in software, the manufacturer will work out how to fix the vulnerability and provide an updated version of the software. Keeping your systems up to date will protect against recently identified vulnerabilities.

2. Whitelist applications

Whitelisting means that a computer is configured to run only the software that the organization explicitly permits. This is quite a hard control to manage, but it makes an attacker's job very difficult.

3. Harden the computer’s defense

Make sure that all configurable settings in the operating system and applications are configured for security. Another recommendation is to regularly uninstall parts of the operating system and applications that will never be used.

4. Limit administrative access

One of the easiest cybersecurity controls that's recommended by every framework is to limit the number of people within the organization who have administrative access to systems. Reducing the number of accounts that have such access means there are fewer accounts for an attacker to target. 

5. Implement multi-factor authentication

Require a user to provide something else in addition to a username and a password to log in. This could be something unique only to the user—such as a fingerprint—or a physical product that the user has, such as a smartcard or a mobile device.

6. Create safe back-ups

If an attacker gains access to a system and either tampers with, erases or encrypts data with the intent of securing a ransom from the organization, a backup helps the organization restore the data and recover its operations without paying the ransom.
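The six controls above are easier to keep honest when something checks them automatically. The following script is an added example, not code from the original article: it runs a small audit over a constructed inventory of hosts, accounts and backups and reports findings against controls 1 (patched operating systems), 4 (limited administrative access), 5 (multi-factor authentication) and 6 (safe backups). Every record, date and threshold in it is an assumption made for illustration; in practice the records would come from your patch-management system, identity provider and backup platform.

```python
"""Control audit over a constructed inventory.

Added example, not code from the original article. It checks a small
inventory against four of the six controls discussed above: patched
operating systems (1), limited administrative access (4), multi-factor
authentication (5) and safe backups (6). Every record and threshold
below is an assumption made for illustration.
"""
from datetime import date

# Constructed sample inventory. In practice these records come from the
# patch-management system, the identity provider and the backup platform.
HOSTS = [
    {"name": "web-01", "os_patch_date": date(2024, 5, 20)},
    {"name": "db-01", "os_patch_date": date(2023, 11, 2)},
]
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "bob", "admin": True, "mfa": False},
    {"user": "carol", "admin": False, "mfa": False},
    {"user": "dave", "admin": True, "mfa": True},
]
BACKUPS = [
    {"system": "db-01", "last_backup": date(2024, 6, 1),
     "restore_tested": True, "offline_copy": True},
    {"system": "web-01", "last_backup": date(2024, 3, 1),
     "restore_tested": False, "offline_copy": False},
]

# Policy thresholds (assumed values; set them from your own policy).
MAX_PATCH_AGE_DAYS = 30
MAX_ADMIN_ACCOUNTS = 2
MAX_BACKUP_AGE_DAYS = 7
AUDIT_DATE = date(2024, 6, 3)  # fixed so the example is reproducible


def audit(hosts, accounts, backups, today):
    """Return a list of (control, subject, detail) findings."""
    findings = []

    # Control 1: update operating systems. A host whose last patch date is
    # older than the threshold is exposed to every fix released since then.
    for host in hosts:
        age = (today - host["os_patch_date"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(("update_os", host["name"],
                             f"last patched {age} days ago"))

    # Control 4: limit administrative access. Fewer admin accounts means
    # fewer high-value targets for an attacker.
    admins = [a for a in accounts if a["admin"]]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        names = ",".join(a["user"] for a in admins)
        findings.append(("limit_admin", names,
                         f"{len(admins)} administrative accounts, "
                         f"limit is {MAX_ADMIN_ACCOUNTS}"))

    # Control 5: multi-factor authentication. A stolen password alone
    # should never be enough to use an administrative account.
    for account in admins:
        if not account["mfa"]:
            findings.append(("mfa", account["user"],
                             "administrative account without MFA"))

    # Control 6: safe backups. A backup only helps against ransomware if it
    # is recent, has been proven to restore, and an attacker who controls
    # the production system cannot reach and encrypt it as well.
    for backup in backups:
        problems = []
        age = (today - backup["last_backup"]).days
        if age > MAX_BACKUP_AGE_DAYS:
            problems.append(f"{age} days old")
        if not backup["restore_tested"]:
            problems.append("restore never tested")
        if not backup["offline_copy"]:
            problems.append("no offline copy")
        if problems:
            findings.append(("backup", backup["system"], "; ".join(problems)))

    return findings


if __name__ == "__main__":
    for control, subject, detail in audit(HOSTS, ACCOUNTS, BACKUPS, AUDIT_DATE):
        print(f"[{control}] {subject}: {detail}")
```

Run as-is it reports one stale host, one administrative account without MFA, an administrator count above the limit, and a backup that is old, untested and reachable from production. The value of such a script is that it turns each control into a detective check you can run on a schedule, which is how you notice when a control has aged or silently failed.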

What else can you do?

Beyond technical controls, there are ways you can strengthen cybersecurity in your organization through process and personnel. 

Firstly, know that controls can fail or age. What protected your organization a year ago may not work today, and control measures may need to be refreshed. To that end, it’s helpful to create processes to test your systems and support employees.

Secondly, consider specific roles for cybersecurity. Some of the more common cybersecurity roles are security architects, security operations specialists, penetration testers, governance, risk and compliance specialists, and cybersecurity auditors, who test controls and attest that the controls are working and that the organization is managing them properly. Depending on your organization's size, you may not need every role.

And lastly, bake security measures into the development process. Know the ways that your application could be attacked or threatened. Run penetration tests routinely and with each release to ensure security is up to date and vulnerabilities are addressed.

Cybersecurity is a top priority—and will likely remain a top priority—for all organizations. If you’re looking to start or even refresh your current security practices, make sure you have an understanding of the fundamentals listed above. They’ll be critical to your ability to keep your data secure and mitigate looming threats.