In our post last month, we talked about what companies need to do internally to adopt a holistic, long-term risk management approach to cybersecurity. The big takeaways were five steps companies can take to drive down their individual cybersecurity risks to a more manageable level. If more companies implemented these actions to begin mitigating their own cybersecurity risks, we would elevate the level of cybersecurity across the entire digital ecosystem. However, these internal steps are not the entirety of what companies need to do to adopt a risk management approach to cybersecurity. As an organization gets its internal house in order, it also needs to take four external steps:
Step 1: Proactively decide how IT systems will integrate with the broader Internet.
In today’s world, the sharp boundary between “internal” and “external” networks has essentially disappeared, replaced by a fluid mix of bring-your-own devices, software as a service, and cloud providers. However, this fluidity does not mean you have forfeited all control. Organizations should proactively determine the rules for connecting employee devices to the company network (including rules for data stored on those devices), acquiring external services, and accessing cloud storage.
For example, storing data in the cloud can improve remote access to it, and the major providers generally run their platforms with more security resources than many on-premises environments can muster. That does not transfer the whole problem, though: under the shared responsibility model the provider secures the platform, while access policy, key management and storage configuration remain the customer's job, and data that is in transit or resting outside your own perimeter is exposed to more parties than data that never leaves it. Thus, these policies should be based on an organization's business process needs and its risk tolerance. Furthermore, organizations must understand their supply chain, who they rely on and who relies on them, in order to understand the complexity and scale of their digital footprint and attack surface. Supply chain decisions should also be reflected in internal incident response planning: if a provider you depend on is compromised, the plan should already say who you call and what you can switch off. We must think holistically: make cybersecurity a key part of your procurement and supply chain decisions.
Step 2: Actively participate in an information sharing organization… or two.
The cybersecurity industry has been talking about information sharing for a long time. There's a reason for that: information sharing is easy to talk about, but hard to make concrete and effective. The reality is that sharing is often limited by legal concerns, cultural challenges, uncertain return on sharing, and the inability to use shared information effectively. Nevertheless, effective cybersecurity risk management requires organizations to overcome these concerns and learn to share. While this task can seem daunting, companies have a broad array of resources available to assist with sharing efforts. In particular, a good way to engage in sharing is to join an information sharing and analysis organization (ISAO) focused on your business sector or region. These organizations have the infrastructure to facilitate sharing about threats and best practices. In joining an ISAO, a company will learn that it is not alone in the problems it faces, and it can learn from how others have tackled similar challenges.
At this point, it's important to identify the three types of cybersecurity information that should be shared: technical indicators, cybersecurity risks, and best practices. How an organization deals with these different types of information can vary significantly. With respect to technical indicators, many organizations may not have the capability, resources, or technical expertise to share or ingest indicators of compromise on their own. One way organizations can address this gap is by using cybersecurity companies that participate in automated cyber threat intelligence sharing, such as those that are part of CTA. Our members provide the technical indicators necessary to protect their customers and are also able to share anonymized information drawn from their customers' environments with other CTA members. This approach allows for broader awareness of threats and faster deployment of protections. Our next blog will dive into this topic further.
However, the other two types of information are easier for most organizations to understand and deal with. All organizations should be prepared to ingest and share information regarding cybersecurity risks to their business operations and best practices developed to deal with those risks. Understanding cybersecurity risk enables organizations to increase their security and become more resilient to a variety of cybersecurity threats. Sharing that information with partners in your sector, and with governments when appropriate, builds a picture of risk across a sector and across multiple sectors. Sharing best practices and lessons learned enables organizations to find common approaches to mitigating those risks. But just sharing information isn't enough.
Step 3: Take action based on the shared information.
It’s important to keep in mind that the reason to share information is to solve problems. If companies don’t use the shared information to change their behavior in some way, then it’s worthless. If a new risk emerges, an organization should work with its cybersecurity provider to determine what changes should be made to address that risk. For example, maybe the new risk means that the benefits of encrypting data at rest now outweigh the performance costs. However, organizations should not just look internally to make changes; they must work together to mitigate shared risk within a sector or across multiple sectors. The bad guys collaborate extensively to carry out their activities, and defenders should be just as collaborative in efforts to thwart those adversaries.
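Steps 2 and 3 together amount to a concrete loop: ingest indicators someone else shared, sweep your own telemetry for them, and turn the hits into a triage list. The following is an added example written for this post, not code from CTA or from any ISAO; the CSV feed format, the log lines, and the 10.0.0.0/8 "internal" range are all constructed assumptions, and real feeds (STIX/TAXII exports, portal CSV downloads) will carry more fields than this. The point it shows that the paragraph alone does not is the normalization step: shared indicators arrive in mixed case, with trailing dots on domains and differently cased hashes, and a naive string compare silently misses them.

```python
"""Ingest a shared indicator feed and sweep local log lines for matches.

Added example for this post. Feed format, log lines and the internal
network range are constructed assumptions, not any real ISAO's format.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed: type,value,source. Values are deliberately
# inconsistent in case and trailing dots, as shared feeds often are.
SHARED_INDICATORS_CSV = """type,value,source
ipv4,203.0.113.45,sector-isao-feed
domain,Update-Check.Example.,partner-share
sha256,A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4,vendor-feed
"""

# Constructed log lines: proxy, DNS, an EDR hash event, and firewall entries.
LOCAL_LOG_LINES = [
    "1717000001 10.0.0.12 TCP_MISS/200 GET http://update-check.example/payload.bin",
    "1717000002 10.0.0.14 TCP_MISS/200 GET http://intranet.corp/index.html",
    "1717000003 dns query A update-check.example from 10.0.0.12",
    "1717000004 edr process=svchost.exe sha256=a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4",
    "1717000005 fw allow 10.0.0.12 -> 203.0.113.45:443",
    "1717000006 fw allow 10.0.0.14 -> 198.51.100.7:443",
]

# Assumed internal address range for the constructed environment.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Indicator:
    type: str
    value: str
    source: str


@dataclass(frozen=True)
class Match:
    indicator: Indicator
    line: str


def normalize(ind_type, value):
    """Canonical form so feed values and log values compare equal."""
    value = value.strip()
    if ind_type == "domain":
        return value.lower().rstrip(".")
    if ind_type == "sha256":
        return value.lower()
    if ind_type == "ipv4":
        return str(ipaddress.IPv4Address(value))  # raises ValueError if malformed
    raise ValueError(f"unsupported indicator type: {ind_type}")


def load_indicators(csv_text):
    """Parse the shared feed into normalized Indicator records."""
    return [
        Indicator(row["type"], normalize(row["type"], row["value"]), row["source"])
        for row in csv.DictReader(io.StringIO(csv_text))
    ]


def extract_candidates(line):
    """Map indicator type -> set of normalized values that appear in the line."""
    found = {}
    for ind_type, pattern in EXTRACTORS.items():
        values = set()
        for raw in pattern.findall(line):
            try:
                values.add(normalize(ind_type, raw))
            except ValueError:
                continue  # e.g. "999.1.1.1" looks like an IP but is not one
        found[ind_type] = values
    return found


def sweep_logs(indicators, lines):
    """Return one Match per (indicator, line) pair where the line contains the indicator."""
    by_type = {}
    for ind in indicators:
        by_type.setdefault(ind.type, {})[ind.value] = ind
    matches = []
    for line in lines:
        for ind_type, values in extract_candidates(line).items():
            for value in sorted(values):
                ind = by_type.get(ind_type, {}).get(value)
                if ind is not None:
                    matches.append(Match(ind, line))
    return matches


def affected_internal_hosts(matches):
    """Internal addresses present on matching lines: the list Step 3 acts on."""
    hosts = set()
    for m in matches:
        for raw in EXTRACTORS["ipv4"].findall(m.line):
            try:
                addr = ipaddress.IPv4Address(raw)
            except ValueError:
                continue
            if addr in INTERNAL_NET:
                hosts.add(str(addr))
    return sorted(hosts)


if __name__ == "__main__":
    inds = load_indicators(SHARED_INDICATORS_CSV)
    hits = sweep_logs(inds, LOCAL_LOG_LINES)
    for m in hits:
        print(f"[{m.indicator.source}] {m.indicator.type}={m.indicator.value} :: {m.line}")
    print("internal hosts to triage:", affected_internal_hosts(hits))
```

Run as-is it flags four lines (two for the domain, one hash, one IP) and reduces them to a single internal host to triage. The source field is kept on every match so that the organization can report back to the partner whose indicator fired, which is the "sharing back" half of Step 2. Note that the internal range is hard-coded for the example rather than derived from `ipaddress.is_private`, because Python also classifies the documentation ranges used here (203.0.113.0/24) as private, which would hide the external peer.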
Step 4: Build relationships with law enforcement and government network defenders.
The last thing you want to do during a crisis is meet the local representatives of your national law enforcement agency for the first time, or try to work out how to get information out of the national government's cybersecurity center. Organizations should build those relationships ahead of time, and know in advance what they would report, to whom, and what evidence they would need to preserve, so that when they experience an intrusion that warrants calling law enforcement and government-based network defenders, the linkages are already in place.
States and criminals are becoming more brazen in their malicious activity as they expand their use of cyber capabilities. Tackling these challenges can surely be overwhelming, but "failure is not an option," as the line popularly attributed to NASA's Apollo 13 flight director Gene Kranz puts it. If an organization identifies how it relies on external partners for cybersecurity and then collaborates with those entities, it will help improve the level of cybersecurity for the entire digital ecosystem.
Finally, combining internal and external steps identified here will put control back into the hands of managers, employees, owners and operators and eliminate the feeling of helplessness in the face of cyber threats. In most cases, we don’t know if our actions will affect our adversaries, but we do know that working with like-minded partners to make data, systems and processes more secure, resilient and better protected will have an outsized impact on our ability to protect against malicious cyber activity.