Happy is he who hears of his shortcomings and can correct them. (c) W. Shakespeare
Crypto-ransomware worms, cryptomining browser plugins and phishing mobile applications keep showing us what they are capable of, and what we are not.
When introducing cybersecurity systems, companies often copy ready-made solutions. But what helps one company can harm another: each company is, as a rule, a unique puzzle assembled from different IT systems, devices, kinds of information, and assessments of what that information is worth.
Some companies see security as nothing more than installing protective software. A firewall and an intrusion detection system are often treated as sufficient to protect information and fend off attackers. But if an employee types a password into a phishing site, or carelessly (or deliberately) hands passwords to third parties, even the most advanced software will not solve the cybersecurity problem.
Other companies spend exorbitant sums on security where it is not needed. Armed guards around the perimeter of the building sound impressive, but if the main threat is unauthorized remote access to intellectual property or confidential information, such security matters little.
Cybersecurity is a process, not a product. The process is built by identifying potential threats and applying adequate security measures against them.
The cybersecurity process cannot be standardized. Using a few steps as an example, I will show where cybersecurity should begin:
1. Identification of information resources
Before applying information security, first decide which objects the effort will be spent on. Companies often do not even know in what unexpected places their confidential information can be found. We look for answers to the following questions:
- What information, networks, processes are we going to protect?
- What information systems are involved and where are they located?
- What legal requirements must be observed (for example, the Law "On Personal Data", the Law "On Information, Informatization and Protection of Information", etc.)?
2. Periodic risk assessment
The next step is to assess the potential risks to information security. This includes:
- Identifying all possible internal and external threats.
- Estimating the likelihood that each threat materializes.
- Assessing the potential damage if an incident occurs.
- Evaluating the company's policies and procedures for responding to an incident.
Risks are evaluated on the basis of the nature of the business, the value of the stored information to the business and its partners, and the size and number of transactions. The purpose of the assessment at this stage is to determine the acceptable level of risk. Knowing this level makes it possible to estimate the financial investment needed to counter the potential risks: spending that buys no reduction in risk, or that costs more than the loss it prevents, is waste.
3. Development and implementation of a security program
Based on the results of the risk assessment, a security program is developed and implemented. The program consists of physical, technical and administrative security measures that manage and control the risks identified during the assessment.
Remember: the security program exists to reduce risks to an acceptable level, not to eliminate every risk at any price.
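As an added worked example (not from the original article), the three steps above expressed as a small risk register in Python. It assumes a simple annualised loss expectancy model (ALE = asset value × fraction of value lost per incident × expected incidents per year), which the article does not prescribe, and every asset, threat, figure and control name below is constructed for illustration. The decision rule is the article's point: a control is bought only where the inherent risk exceeds the acceptable level and the control avoids more loss than it costs, so the armed guards are rejected while MFA and offline backups are kept, and a risk that stays above tolerance after the best affordable control is flagged for escalation rather than quietly accepted.

```python
"""Risk register for the three steps: inventory, risk assessment, security program.
Constructed example; the ALE model is an assumption, not the article's method."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:                 # step 1: what we protect and where it lives
    name: str
    location: str
    value: float             # value to the business, in currency units
    legal: tuple = ()        # legal regimes that apply (labels only)


@dataclass
class Threat:                # step 2: likelihood and damage per threat
    asset: str               # Asset.name this threat targets
    name: str
    source: str              # "internal" or "external"
    annual_rate: float       # expected incidents per year
    exposure: float          # fraction of asset value lost per incident


@dataclass
class Control:               # step 3: candidate measures, with their cost
    threat: str              # Threat.name it mitigates
    name: str
    kind: str                # "technical", "administrative" or "physical"
    annual_cost: float
    rate_reduction: float = 0.0      # fraction by which annual_rate falls
    exposure_reduction: float = 0.0  # fraction by which exposure falls


@dataclass
class Decision:
    threat: str
    inherent_ale: float
    control: Optional[str]
    residual_ale: float
    annual_cost: float
    verdict: str


def ale(value: float, exposure: float, rate: float) -> float:
    """Annualised loss expectancy: single-loss expectancy (value * exposure) * rate."""
    return value * exposure * rate


def assess(assets, threats, controls, acceptable_ale):
    """Pick, per threat, the control with the lowest (residual loss + cost) among
    those that avoid more loss than they cost; spend nothing where risk is already
    within tolerance; flag threats that no affordable control brings into tolerance."""
    by_name = {a.name: a for a in assets}
    decisions = []
    for t in threats:
        a = by_name[t.asset]
        inherent = ale(a.value, t.exposure, t.annual_rate)
        if inherent <= acceptable_ale:
            decisions.append(Decision(t.name, inherent, None, inherent, 0.0,
                                      "accept: within tolerance, spend nothing"))
            continue
        best = None  # (control, residual_ale)
        for c in (c for c in controls if c.threat == t.name):
            residual = ale(a.value, t.exposure * (1 - c.exposure_reduction),
                           t.annual_rate * (1 - c.rate_reduction))
            if c.annual_cost >= inherent - residual:
                continue  # costs more than the loss it avoids: not reasonable spend
            if best is None or residual + c.annual_cost < best[1] + best[0].annual_cost:
                best = (c, residual)
        if best is None:
            decisions.append(Decision(t.name, inherent, None, inherent, 0.0,
                                      "escalate: no cost-effective control found"))
        else:
            c, residual = best
            verdict = "mitigate" if residual <= acceptable_ale else "mitigate, still above tolerance: escalate"
            decisions.append(Decision(t.name, inherent, c.name, residual, c.annual_cost, verdict))
    return decisions


def programme_budget(decisions) -> float:
    """Annual cost of the controls actually selected."""
    return sum(d.annual_cost for d in decisions)


# Constructed register (hypothetical figures, not real data).
ASSETS = [
    Asset("customer personal data", "CRM database", 500_000, ("On Personal Data",)),
    Asset("product source code", "internal git server", 2_000_000),
    Asset("office lobby furniture", "ground floor", 20_000),
]
THREATS = [
    Threat("customer personal data", "phishing of CRM credentials", "external", 0.5, 0.4),
    Threat("product source code", "ransomware on the git server", "external", 0.2, 0.5),
    Threat("product source code", "insider leak of source code", "internal", 0.1, 0.6),
    Threat("office lobby furniture", "office burglary", "external", 0.05, 1.0),
]
CONTROLS = [
    Control("phishing of CRM credentials", "MFA plus phishing awareness training", "technical", 15_000, rate_reduction=0.8),
    Control("ransomware on the git server", "offline backups", "technical", 20_000, exposure_reduction=0.9),
    Control("ransomware on the git server", "EDR subscription", "technical", 50_000, rate_reduction=0.6),
    Control("insider leak of source code", "least privilege plus DLP", "administrative", 40_000, 0.5, 0.5),
    Control("office burglary", "armed guards", "physical", 120_000, rate_reduction=0.9),
]
ACCEPTABLE_ALE = 25_000  # the tolerance the business has agreed to carry

if __name__ == "__main__":
    plan = assess(ASSETS, THREATS, CONTROLS, ACCEPTABLE_ALE)
    for d in plan:
        print(f"{d.threat}: inherent {d.inherent_ale:,.0f} -> residual {d.residual_ale:,.0f} "
              f"via {d.control or 'nothing'} ({d.annual_cost:,.0f}/yr): {d.verdict}")
    print(f"programme budget: {programme_budget(plan):,.0f}/yr")
```

Two things in the output are worth noticing: the armed guards are never even priced, because burglary of the lobby is already within tolerance, and the insider leak keeps the best affordable control yet still exceeds the tolerance, which is exactly the case that must go back to management for a decision (raise the tolerance, find another control, or reduce the value at stake) rather than disappear into a template policy.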
Summary
7 fatal mistakes that lead companies to fail at cybersecurity:
- relying only on software protection (antivirus, firewall);
- using template security policies;
- not knowing what confidential information is held and where it is kept;
- not knowing the legal requirements for handling and storing data;
- not assessing the value of information to the business;
- not understanding the acceptable level of risk;
- being unable to calculate a reasonable level of spending to maintain and control a reasonable level of risk.