Cyber threats are always present and increasing prevalent in today’s business life. Information technology systems are vulnerable to attack by both external and internal threats. Simple steps can mitigate (not eliminated) the impact of a cyber incident on your business.
The American government systems have been breached. Sony’s IT systems have been breached. How many times have we heard of account details being published on the internet? Information Technology systems have inherent flaws in them because they are more sophisticated than previous version. And now we are all connected to the internet.
Criminals are knowledgeable in the strengths and weakness of IT solutions. There are perhaps only 300 major common IT Platforms in use today, all bound by a handful of foundation based systems i.e. Microsoft Windows and Server, Linux, Android, Unix, Apple and cloud based platforms. All have inherent internal flaws from which sophisticated platforms use as the bedrock of their security foundations. As such they can be exploited to attack. Cyber threats expose institutions to operation, reputational and financial risks, but simple controls in place can greatly mitigate your exposure and risk of a Cyber Incident.
Institutions are dependent on technology for critical operations, decisions related to new products and services, along with general technology investment decisions, may expose institutions to vulnerabilities that need to be anticipated and managed.
Institutions should have a comprehensive approach to monitor, audit and control the IT security and resilience of the technological platforms that they use. The use of an IT security framework should incorporate processes to monitor, prevent, detect and respond to incidents along with controls to allow you to recover from an attack.
Have policies, procedures, processes and controls along with a risk management strategy to monitor, mitigate and report on these. Development of a risk management culture within the organisation along with sufficient resources to maintain these and provide training to staff. Having a culture of awareness of the risks of IT, cyber security threats and threats in general can have a positive effect on your systems as a whole.
Without the means to monitor your IT systems and to report incidents to appropriate staff members, any governance control is wasted. Regular updates to your systems ‘Patches’ of hardware, software and communication equipment is strongly advised in conjunction with the knowledge and agreement with your management and IT providers, these are generally performed by IT staff or external vendors.
Patched systems are more resilient to intrusions and offer less opportunities to gain access into the IT system. Patching is always about closing doors or entry points into an IT system.
Anti-virus, malware and firewalls (think of these as ‘secure door men’ which should monitor all incoming & outgoing information flows to your systems) solutions are current and active on your systems.
These are inter-twined solutions that are actively monitoring your computer systems. They incorporate cyber security controls to prevent, detected, quarantine and mitigate attacks from external sources primarily.
You only are as strong as the weakest link. External vendors have a place in your Information Technology Security. Vendors should have controls to manage them, due diligence, audits and monitoring of their performance. Define third parties’ responsibilities and associated service level metrics.
Backup of Information and Systems
One primary aspect of IT Security is backup of information and systems. Replication of data onto a secure storage platform; tape, secure alternative site, cloud, other is a primary mitigation factor. The ability to restore from a known good point in time is critical to ensuring the continuity of your institution’s ability to conduct business.
Testing and verification of this data on a regular basis is critical. The one time you need your data is the worst time you want to test out your backup procedures.
As before, no IT system is secure, Sony, Nasa, US Government all have been breached, but by ensuring all above have been implemented and achieved, the next stage is for disaster recovery, DR, business continuity planning, BCP and your recovery from an incident. There is no point in having all controls in place, if you can’t have a redundant solution.
Where are all your policies, procedures stored?
Hard copies anyone, in case you system is completely down
Incident Management, Recovery and Mitigation
The ability to manage the incident is critical. Client confidence, reputation, financial impact and potential closure must be factored in through the timely and appropriate customer notification process.
Development of procedures and incident response programs is necessary. Define capabilities and required resources to address threats and recovery. Escalate and report cyber incidents to the institution’s board of directors and Data Protection Commissioner if data breaches have occurred.
Responding to an Incident
Take appropriate steps to respond to a cyber incident:
- Assess the nature and scope of an incident and identify what information systems and types of information have been accessed or misused.
- Promptly notify the Board, Data Protection Commissioner, Police Service when you become aware of an incident involving unauthorized access to or use of sensitive customer information, and generally, following any incident that could materially impact your institution.
- Comply with applicable suspicious activity reporting regulations and guidance. Ensure appropriate law enforcement authorities are notified in a timely manner.
- Take appropriate steps to contain and control the incident to prevent further unauthorized access to or misuse of information.
- Notify customers as soon as possible when it is determined that misuse of sensitive customer information has occurred or is reasonably possible.