What is cyber security?
The term cyber security refers to the practice of protecting computers, networks, programs, and data from unauthorized access or from attacks aimed at exploitation. It draws on application security, information security, disaster recovery, and network security.
Application security encompasses measures or countermeasures that are taken during the development life cycle to protect applications from threats that can come through flaws in the application design, development, deployment, upgrade, or maintenance.
Information security protects information from unauthorized access to avoid identity theft and protect privacy.
Disaster recovery planning is a process that includes performing risk assessments, establishing priorities, and developing recovery strategies in case of a disaster. Organizations and financial institutions should have a concrete plan for disaster recovery to resume normal business operations as quickly as possible after a disaster.
Network security includes activities to protect the usability, reliability, integrity, and safety of the network. Effective network security targets a variety of threats and stops them from entering or spreading on the network.
Cyber security is commonly described as a subset of information security: information security covers information in every form, whereas cyber security focuses on measures that protect digital information and systems from malicious threat sources affecting the confidentiality, integrity, and availability of information.
The following are examples of cyber threats to confidentiality, integrity, and availability (the CIA triad) in a financial environment:
Confidentiality: information is seen or used only by people who are authorized to access it. Example threats:
- An employee accessing information about fellow employees or customers for malicious purposes.
- Losing an unencrypted pen drive or storage device holding employee personal or financial information.
Integrity: changes to information by unauthorized users are prevented, and changes by authorized users are tracked. Example threats:
- A hacker or employee maliciously modifying, creating, or deleting customer information.
- An employee or vendor modifying data for personal gain.
Availability: information is accessible when authorized users need it. Example threats:
- Ransomware attacks that render data unusable until it is restored from backups or a decryption key is obtained.
- Denial of service (DoS) attacks that degrade network performance and disrupt operations.
- Server failure at the organization or at a vendor.
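Integrity in practice means being able to detect the second and third scenarios above after the fact. The following is an added example, not code from the original page: a tamper-evident audit log built with a keyed hash chain from Python's standard library. Every change is recorded together with the actor who made it, and any edit, deletion, or reordering of a past entry by someone who does not hold the audit key is caught on verification. The key value, account names, and customer records are constructed for illustration.

```python
"""Tamper-evident audit log for changes to customer records.

Added example (not code from the original page). Each entry records who
changed which record and carries an HMAC over its contents plus the
previous entry's tag, so editing, deleting, or reordering a past entry
is detectable by anyone holding the audit key. The key, account names,
and record contents are constructed for illustration.
"""
import hashlib
import hmac
import json

# Assumed secret, held by the audit service rather than by application users.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_TAG = "0" * 64


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so equal entries always produce equal tags.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, record: dict) -> dict:
    """Record an authorised change and chain it to the previous entry."""
    body = {
        "seq": len(log),
        "actor": actor,
        "action": action,
        "record_hash": hashlib.sha256(_canonical(record)).hexdigest(),
        "prev_tag": log[-1]["tag"] if log else GENESIS_TAG,
    }
    tag = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        # Sequence number and back-pointer catch deletion and reordering ...
        if body.get("seq") != i or body.get("prev_tag") != prev_tag:
            return False, i
        # ... and the keyed tag catches any edit to the entry itself.
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: three legitimate changes to one customer record."""
    log = []
    append_entry(log, "alice@bank.example", "create", {"customer": 1001, "balance": 500})
    append_entry(log, "bob@bank.example", "update", {"customer": 1001, "balance": 450})
    append_entry(log, "bob@bank.example", "update", {"customer": 1001, "balance": 470})
    return log


def edited_log() -> list:
    """An insider without the key rewrites entry 1 to hide who made the change."""
    log = build_sample_log()
    log[1]["actor"] = "system"
    return log


def deleted_entry_log() -> list:
    """An insider without the key removes entry 1 from the middle of the log."""
    log = build_sample_log()
    del log[1]
    return log


if __name__ == "__main__":
    for name, log in (("intact", build_sample_log()), ("edited", edited_log()),
                      ("deleted", deleted_entry_log())):
        print(name, verify_chain(log))
```

The key must live with the audit service, not with the applications whose changes it records; an insider who holds the key could simply recompute the tags. Entries at the tail of the log are likewise only as trustworthy as the key, so in practice the latest tag is also anchored outside the system (written to a separate store or signed periodically) so that truncation is detectable too.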
Elements of Cyber security
- Network Security
- Application Security
- Endpoint Security
- Data Security
- Identity Management
- Database and Infrastructure Security
- Cloud Security
- Mobile Security
- Disaster recovery and business continuity planning
- End user education
The topic of cyber security needs to move from being limited to the domain of the IT professional to that of the executive and risk committees or boards, where its consideration and mitigation can be commensurate with the risk posed. The traditional approach to thinking about cyber security in terms of building bigger walls (firewalls and antivirus software), while still necessary, is no longer sufficient. A holistic approach to cyber security risk management—across the organization, its network, supply chains, and the larger ecosystem—is required.
Cyber security risks are a constantly evolving threat to an organization’s ability to achieve its objectives and deliver its core functions.
Threat Actors
There are many types of actors who pose a risk to a business through its information assets:
- Cybercriminals interested in making money through fraud or from the sale of valuable information.
- Industrial competitors and foreign state actors interested in gaining an economic advantage for their own companies or countries.
- Hackers who find interfering with computer systems an enjoyable challenge.
- Hacktivists who wish to attack companies for political or ideological motives.
- Employees and others with legitimate access, whether through accident or deliberate misuse.
Some common cyber-attack types are:
- Malware (viruses, worms, trojans, spyware)
- Ransomware
- SQL injection
- Cross-Site Scripting (XSS)
- Distributed Denial of Service (DDoS)
- Social engineering
- Phishing and other malicious email
Social Engineering: The threat is not only technical.
Many attempts to compromise information involve what is known as “social engineering," or the skilful manipulation of people and human nature. It is often easier to trick someone into clicking on a malicious link in an email that they think is from a friend or colleague than it is to hack into a system, particularly if the recipient of the email is busy or distracted. There are also many well-documented cases of hackers persuading IT support staff to open areas of a network or reset passwords simply by masquerading as someone trusted.
Effective organization-wide risk management and awareness.
Being aware of potential threats is a normal part of risk management across organizations. Alongside financial, legal, HR, and other business risks, organizations need to consider what could threaten their critical information assets and what the impact would be if those assets were compromised in some way. The key is mitigating the risks to critical information assets and being better able to reduce the impact of, and recover from, problems as they arise.
Cyber security, the Key Agenda:
Incorporate cyber risks into existing risk management and governance processes.
Cyber security is not a matter of implementing a checklist of requirements; it is a matter of managing cyber risk to an acceptable level. Treating cyber security risk as part of the organization's existing governance, risk management, and business continuity frameworks gives it a strategic footing throughout the organization.
Elevate cyber risk management discussions to the executive.
Executive engagement in defining the risk strategy and levels of acceptable risk enables more cost-effective management of cyber risks that are aligned with business needs. Regular communication between the CEO and those held accountable for managing cyber risks provides awareness of current risks affecting the organization and their associated business impacts.
Implement industry standards and best practices, apart from compliance requirements alone.
A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems. It is supported by processes that are informed by current threats and enable timely response and recovery. Compliance requirements help establish a baseline that addresses known vulnerabilities, but they do not adequately address new and dynamic threats or counter sophisticated adversaries. Applying cyber security standards and practices through a risk-based approach gives more comprehensive and cost-effective management of cyber risks than compliance activities alone.
Evaluate and manage the organization’s specific cyber risks.
Identifying critical assets and associated impacts from cyber threats is key to understanding an organization’s specific risk exposure, whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cyber risks to an acceptable level.
Oversight and review.
Executives are responsible for managing and overseeing organizational risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.
Develop and test incident response plans and procedures.
Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, an organization should have a clear idea of how to respond. Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.
Coordinate cyber incident response planning across the organization. Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the entire executive, business leaders, continuity planners, system operators, general counsel, and public affairs. This includes integrating cyber incident response policies and procedures with existing disaster recovery and business continuity plans.
Maintain situational awareness of cyber threats.
Situational awareness of an organization’s cyber risk environment involves timely detection of cyber incidents along with awareness of current threats and vulnerabilities specific to the organization and associated business impacts. Analysing, aggregating, and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk. A network operations center can provide real-time and trend data on cyber events. Business-line managers can help identify strategic risks, such as risks to the supply chain created through third-party vendors or cyber interdependencies. Sector Information-Sharing and Analysis Centers, government and intelligence agencies, academic institutions, and research firms also serve as valuable sources of threat and vulnerability information that can be used to enhance situational awareness.
What is cyber risk?
‘Cyber Risk’ means any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems.
While cyber security risks evolve and regulatory requirements continue to expand, the approach organizations employ to manage them needs to keep pace with threat actors.
Steps to Reduce Cyber Risk.
Organizations should take steps to review and invest where necessary to improve security in the following key areas:
Information Risk Management Regime
Establish an effective governance structure and determine the risk appetite, just like one would for any other risk. Maintain the Risk Committee’s engagement with cyber risk. Produce supporting information and risk management policies.
Home and mobile working
Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data, both in transit and at rest.
User education and awareness
Produce user security policies covering acceptable and secure use of the organization’s systems. Establish a staff training program. Maintain user awareness of cyber risks.
Incident Management
Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement where applicable.
Managing user privileges
Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
Removable Media Controls
Produce a policy to control all access to removable media. Limit the media types and uses that are permitted. Scan all media for malware before any content is imported onto corporate systems.
Monitoring
Establish a monitoring strategy and produce supporting policies. Continuously monitor all information and communication technology (ICT) systems and networks. Analyse logs for unusual activity that could indicate an attack.
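As an added illustration of the "analyse logs for unusual activity" step (example code, not from the original page), the Python block below runs a sliding-window detection rule over constructed sshd-style authentication lines: it raises one alert when a single source reaches five failed logins within sixty seconds, and a higher-severity alert when a login succeeds immediately after such a burst, which is the case that matters most. The log lines, host name, addresses, user names, and both thresholds are assumptions chosen for illustration and would be tuned per environment.

```python
"""Detect brute-force logins and a success following a burst of failures.

Added example (not code from the original page). The sample log below is
constructed to resemble sshd/syslog output; host, addresses, users, and
thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source hammers 'admin' and 'root', then gets in as 'bob';
# a second source has one stray failure and a legitimate login half an hour later.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[4011]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03 host1 sshd[4012]: Failed password for admin from 203.0.113.7 port 51235 ssh2
2024-03-01T10:00:05 host1 sshd[4013]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:08 host1 sshd[4014]: Failed password for admin from 203.0.113.7 port 51237 ssh2
2024-03-01T10:00:09 host1 sshd[4015]: Failed password for admin from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:15 host1 sshd[4016]: Accepted password for bob from 203.0.113.7 port 51239 ssh2
2024-03-01T10:05:00 host1 sshd[4020]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:30:00 host1 sshd[4021]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5      # assumed: failures from one source within the window
WINDOW_SECONDS = 60     # assumed: sliding window length


def parse_line(line: str):
    """Return a dict of fields for a recognised auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text: str) -> list:
    """Return alerts as (kind, source_ip, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already alerted for brute force
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        window = failures[src]
        # Expire failures that fell out of the sliding window.
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(window)} failures within {WINDOW_SECONDS}s"))
        else:
            # A success right after a burst of failures suggests a guessed or
            # stuffed credential worked; a success with an empty window is routine.
            if window:
                alerts.append(("success_after_failures", src,
                               f"user {ev['user']} accepted after {len(window)} recent failures"))
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The stray failure from 198.51.100.9 produces nothing because it has aged out of the window by the time the legitimate login arrives; that is the point of expiring old entries rather than counting failures per day. In production the same rule would read from the log pipeline rather than a string, key on user as well as source to catch password spraying across many accounts, and feed its alerts into the incident process described under Incident Management.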
Secure Configuration
Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a system inventory and define a baseline build for all ICT devices.
Malware Protection
Produce relevant policies and establish anti-malware defenses that are applicable and relevant to all business areas. Scan for malware across the organization.
Network Security
Protect the networks against external and internal attacks. Manage the network perimeter. Filter out unauthorized access and malicious content. Monitor and test security controls.
The Cyber Security Framework
A cyber security framework contains a set of management tools, a comprehensive risk management approach, and, more importantly, a security awareness program covering everyone in the organization from top to bottom. In other words, every organization needs a cyber security governance framework to address all of its cyber security needs. A few key components play crucial roles in shaping this security posture and are therefore essential for long-term success.
These components are:
- Organisational structure
- Work culture
- Security awareness programs
- Cyber security governance
Each of these aspects works with the others to cover gaps in security. While focusing on one specific area of need can make a difference, the most effective initiatives will use all four of these components to protect the enterprise.
Challenges of Cyber security
The most difficult challenge in cyber security is the ever-evolving nature of security risks themselves. Traditionally, organizations have focused most of their cyber security resources on perimeter security to protect only their crucial system components and defend against known threats. Today, this approach is insufficient, as the threats advance and change more quickly than organizations can keep up with. As a result, advisory organizations promote more proactive and adaptive approaches to cyber security.
In the present environment, around the world, cyber security is a key issue for investors, consumers, regulators, and employees across all industries that rely on information technology. Cybercrime continues unabated: criminals disrupt services, steal data, and extort funds from a wide range of victims.
Ongoing security monitoring, preventive controls, periodic risk assessment, and remediation are therefore the key cyber security controls, supported by threat intelligence, real-time data and network flow monitoring, threat hunting, behaviour analytics, and incident response.