CyberSecurity Risk Mitigation
Risk management is a concept that has been around as long as companies have had assets to protect. The simplest example may be insurance. Life, health, auto and other insurance are all designed to help a person protect against losses. Risk management also extends to physical devices, such as doors and locks to protect homes and autos, vaults to protect money and precious jewels, and police, fire and security services to protect against other physical risks.
Rather than doors, locks and vaults, IT departments rely on a combination of strategies, technologies and user education to protect an enterprise against cybersecurity attacks that can compromise systems, steal data and other valuable company information, and damage an enterprise’s reputation. As the volume and severity of cyber attacks grow, the need for cybersecurity risk management grows with it.
Cybersecurity risk management takes the idea of real-world risk management and applies it to the cyber world. It involves identifying your risks and vulnerabilities and applying administrative actions and comprehensive solutions to make sure your organization is adequately protected.
Before setting up a cybersecurity risk management system, the enterprise needs to determine what assets it needs to protect and prioritize. As the National Institute of Standards and Technology (NIST) points out in its Framework for Improving Critical Infrastructure Cybersecurity, there is no one-size-fits-all solution. Different organizations have different technology infrastructures and different potential risks. Some organizations, such as financial services firms and healthcare organizations, have regulatory concerns in addition to business concerns that need to be addressed in a cybersecurity risk management system. Cybersecurity should follow a layered approach, with additional protections for the most important assets, such as corporate and customer data. Remember that reputational harm from a breach can do more damage than the breach itself.
Citrix recommends that organizations have fully documented and implemented procedures for all activities that may create cybersecurity risks. Corporate cybersecurity programs should be based on industry-leading practices in line with ISO 27001/2. Typical programs include hardware and software implementations that have change management oversight and non-production testing and evaluation.
Among the cybersecurity precautions to consider:
· Limiting devices with Internet access
· Installing network access controls
· Limiting the number of people with administrator credentials and the control rights for each administrator
· Automating patches for operating systems
· Limiting older operating systems (e.g., devices running Windows XP or another OS that is no longer supported)
· Requiring two-factor authentication to gain access to certain files and systems
· Evaluating the current governance structure to ensure that there are checks and balances throughout the system
· Limiting administrative rights
MarkLogic offers the following recommendations for enhancing risk management:
Advanced encryption: Encryption is not a new feature in databases, but today encryption must be implemented in a more strategic and systematic way to protect data from cyber criminals and insider threats. This includes granular role-based access, standards-based cryptography, advanced key management, granular separation of duties, and state-of-the-art algorithms that drastically decrease exposure.
Though data encryption is helpful against outside breaches, it does little to protect against internal data theft. Insiders with access to sensitive data will necessarily have the credentials to decrypt it. So companies must also protect against data being removed from enterprise systems through removable media such as thumb drives and by other means.
Redaction: Companies need to balance protection of data with the ability to share it. Redaction enables companies to share information with minimal effort by concealing sensitive information, like names and social security numbers, from queries and updates.
Element-level security: While redaction is important, companies need to be able to do it at the element, or property, level based on an employee’s roles. Companies also need to be able to implement custom as well as out-of-the-box rules.
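The following is an added example, not MarkLogic's redaction feature or any code from the article, showing what role-based, element-level redaction looks like in practice. It assumes a record stored as a nested dictionary, a small set of built-in ("out-of-the-box") masking rules for names, social security numbers and e-mail addresses, plus one custom rule for salaries; each rule names the roles permitted to see the raw value, and every other role receives the masked element. The employee record, role names and dotted element paths are all constructed for illustration.

```python
"""Role-based, element-level redaction of query results (added example).

Each rule is (element path, masking function, roles allowed to see the raw
value). Paths are dotted; a path segment that lands on a list is applied to
every item, so "dependents.ssn" masks the SSN of each dependent.
"""
import copy
import re
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

REDACTED = "[REDACTED]"


# --- built-in masking functions -------------------------------------------
def mask_ssn(value: Any) -> str:
    """Keep the last four digits of a nine-digit SSN: 123-45-6789 -> ***-**-6789."""
    digits = re.sub(r"\D", "", str(value))
    if len(digits) != 9:          # malformed value: conceal it entirely
        return REDACTED
    return f"***-**-{digits[-4:]}"


def conceal(value: Any) -> str:
    """Replace the whole element, whatever its type."""
    return REDACTED


def mask_email(value: Any) -> str:
    """Keep the first character of the local part and the domain: jane@x.com -> j***@x.com."""
    local, sep, domain = str(value).partition("@")
    if not sep or not local:
        return REDACTED
    return f"{local[0]}***@{domain}"


# --- rules: path, masking function, roles that may see the raw value ------
Rule = Tuple[str, Callable[[Any], Any], FrozenSet[str]]
RULES: List[Rule] = [
    ("ssn", mask_ssn, frozenset({"hr-admin"})),
    ("name", conceal, frozenset({"hr-admin", "support"})),
    ("contact.email", mask_email, frozenset({"hr-admin", "support"})),
    ("dependents.name", conceal, frozenset({"hr-admin"})),
    ("dependents.ssn", mask_ssn, frozenset({"hr-admin"})),
    ("salary", conceal, frozenset({"hr-admin"})),   # custom rule added by the company
]


def _apply(node: Any, parts: List[str], fn: Callable[[Any], Any]) -> None:
    """Walk `node` along `parts` and replace the final element with fn(element)."""
    if not parts:
        return
    if isinstance(node, list):                 # fan out over list items
        for item in node:
            _apply(item, parts, fn)
        return
    key, rest = parts[0], parts[1:]
    if not isinstance(node, dict) or key not in node:
        return                                 # element absent: nothing to redact
    if rest:
        _apply(node[key], rest, fn)
    else:
        node[key] = fn(node[key])


def redact(record: Dict[str, Any], role: str, rules: List[Rule] = RULES) -> Dict[str, Any]:
    """Return a copy of `record` with every element the role may not see masked.

    The stored record is never modified; redaction happens on the query result.
    """
    result = copy.deepcopy(record)
    for path, fn, visible_to in rules:
        if role in visible_to:
            continue                           # this role sees the raw element
        _apply(result, path.split("."), fn)
    return result


# Constructed sample record (not real data).
EMPLOYEE: Dict[str, Any] = {
    "id": "E-1001",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "salary": 98000,
    "contact": {"email": "jane@example.com", "phone": "555-0100"},
    "dependents": [{"name": "Sam Example", "ssn": "987-65-4321"}],
}

if __name__ == "__main__":
    for role in ("analyst", "support", "hr-admin"):
        print(role, redact(EMPLOYEE, role))
```

Because the rules are data rather than code paths, adding a custom rule is a one-line change, and the same rule table can be reviewed by the people who own the data-sharing policy. Note that redaction is applied to a copy of the query result, so the underlying record remains intact for the roles entitled to it.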