Navigating #Cyberrisk

Tags: Cyber, Enterprise Risk Management, Internal Audit

Cyber-risk is in the limelight. It now features among the top ten risks in every major risk survey.
Cyber-risk is like an obstacle on an expressway where you are required to drive at high speed. Most obstacles can be navigated by staying alert. Some, however, are not visible and will cause an accident even if you are alert.

  1. Ransomware: Mitigated through regular backups kept out of reach of the infected machine, regular restoration testing, education and alertness.
  2. Phishing: Mitigated through education and alertness.
  3. Viruses: Mitigated through antivirus, regular updates, education and alertness.
  4. Network intrusion: Mitigated through use of a firewall, as few exceptions as possible, a "deny by default, allow by exception" philosophy, and use of IPS and IDS.
  5. Data exposure / data theft: Data classification, granular access, encryption, no inherited rights, education and alertness.
  6. Zero-day exploits: Education and alertness; since no patch exists yet, least privilege and network segmentation limit what an exploit can reach, and the fix must be applied promptly once published.
  7. Backdoors: Using reputable vendors, treating all new technology with skepticism, education and alertness.
  8. Theft of IT equipment (laptops, phones, removable media): Backup, full-disk encryption, education and alertness.

I have listed education and alertness as a mitigation measure for every item because, in spite of having the technology, you can still become a victim if you are not alert and remain ignorant. Consider the following:

  • Users have installed antivirus but not kept it updated. They get infected while transferring files or browsing the internet.
  • The software warns the user of danger; the user proceeds anyway and later wonders where the virus came from.
  • Office equipment (printers, copiers) now comes with network connectivity, and even technical staff are unaware of it.
  • Employees are not allowed to bring a phone with a camera, but may bring a phone with a USB cable.
  • Users are not allowed to send email with attachments, but can insert a memory card into the machines.
  • A firewall has been installed, but the organisation has no in-house capability to manage it and does not want to spend money on third-party help, even after falling victim to cyber crime.
  • People are warned about viruses, and then a website prompts them to install "antivirus software" and they comply.
  • The Wi-Fi is protected with a password, but the key is never changed.
  • When a user leaves the organisation, their email account remains active because the bosses want to monitor it for incoming mail, instead of applying a catch-all email facility.

The best way to embed education and alertness is to have:

  1. Policies governing conduct (Plan)
  2. Procedures that give effect to the policies (Do)
  3. Records maintained for every action (Do)
  4. Monitoring of those records (Check and Act)

Remember the three tenets of information security: Confidentiality, Integrity, Availability.
Confidentiality: If you want information to be confidential, do not share it, do not keep it in plain text, and do not let it leave your control.
Exposure: Information you want to keep confidential gets exposed, or is disclosed before or after the defined time. You share the information with someone and they pass it on without your permission.
Integrity: If you want to maintain the integrity of information, control it, have integrity checks at every stage and every transfer, sign it, maintain logs and review the logs.
Exposure: When you need to rely on the integrity of information, you are doubtful about its completeness or its source.
Availability: If you want information to be available, control it, keep backups, and test restoration.
Exposure: When you need the information, it is not available to you.
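As an added example (this is not code from the original post), the following Python script ties together two of the points above: the ransomware mitigation of regular backups with restoration testing, and the integrity tenet of checking and signing information at every transfer while keeping a log of the check. It writes a small backup archive, records a per-file SHA-256 manifest authenticated with an HMAC, restores the archive into a scratch directory and compares every file against the manifest. The shared HMAC key, the sample file names and their contents are all constructed for the example and are assumptions of mine, not the author's.

```python
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile

# Constructed sample data for the example (not from the original post).
SAMPLE_FILES = {
    "ledger/2024-q1.csv": b"date,amount\n2024-01-05,1200\n2024-02-11,-340\n",
    "policies/backup-policy.txt": b"Backups run nightly; restores are tested monthly.\n",
}
# Hypothetical shared key held by the backup operator; in practice load it from a secret store.
MANIFEST_KEY = b"backup-manifest-key-demo"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Per-file SHA-256 digests plus an HMAC over the digest list, so a
    tampered manifest is detected as well as a tampered file."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def write_backup(files: dict, archive_path: str) -> None:
    """Write the files into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def restore_and_verify(archive_path: str, manifest: dict, key: bytes, log: list) -> bool:
    """Restore into a scratch directory and check every file against the manifest.
    Returns True only when the manifest is authentic and all files match."""
    if not manifest_is_authentic(manifest, key):
        log.append("REJECT manifest: HMAC mismatch")
        return False
    restored = {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            # An archive is untrusted input: refuse absolute paths and traversal.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                log.append(f"REJECT member: unsafe path {member.name}")
                return False
            if not member.isfile():
                continue
            target = os.path.join(scratch, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            with open(target, "rb") as restored_file:
                restored[member.name] = sha256_hex(restored_file.read())
    ok = True
    for name, digest in manifest["entries"].items():
        actual = restored.get(name)
        if actual is None:
            log.append(f"FAIL {name}: missing after restore")
            ok = False
        elif actual != digest:
            log.append(f"FAIL {name}: hash mismatch")
            ok = False
        else:
            log.append(f"OK   {name}")
    return ok


def run_scenarios() -> dict:
    """Three restore tests: a clean backup, a forged manifest, a tampered archive."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "backup.tar.gz")
        write_backup(SAMPLE_FILES, archive)
        manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)

        log = []
        results["clean"] = restore_and_verify(archive, manifest, MANIFEST_KEY, log)

        # Someone edits the manifest to cover a change: the HMAC no longer matches.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["ledger/2024-q1.csv"] = "0" * 64
        log = []
        results["forged_manifest"] = restore_and_verify(archive, forged, MANIFEST_KEY, log)

        # Ransomware-style tampering: the archived ledger is overwritten.
        tampered = dict(SAMPLE_FILES)
        tampered["ledger/2024-q1.csv"] = b"ENCRYPTED\n"
        write_backup(tampered, archive)
        log = []
        results["tampered_archive"] = restore_and_verify(archive, manifest, MANIFEST_KEY, log)
        results["tampered_log"] = log
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

The restore step is what turns a backup into a mitigation: a backup that has never been restored is only a hope. The HMAC over the manifest is what makes the integrity check trustworthy; plain hashes stored beside the archive can be rewritten by whoever rewrote the archive. The log list stands in for the records that the PDCA loop above says must be kept and reviewed.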
I welcome your inputs on the above. If you like it, share it.
(The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author's employers or supervisors, nor do they represent the views of organizations, businesses or institutions the author is, or has been, a part of.)