October 23, 2019
What Teams Should Know about DevSecOps
More organizations are starting to practice DevSecOps; 68% of companies plan to implement DevSecOps within the next two years.
Cybercrime is projected to cost the world $6 trillion every year by 2021. The spread of advanced technology, the growth of the internet, the sharp increase in connected devices, and the availability of sophisticated attack tooling have left organizations struggling to build an effective cybersecurity strategy. The modern organization faces threats on every front, so it needs a deliberate, strategic defense rather than a collection of ad hoc controls.
To address these threats, reassess your current security measures and controls and put in place a program that covers every area of the business. Although the cybersecurity landscape changes continually, keeping your organization secure does not have to be painful. A handful of fundamental principles will guard your company against most threats. Whether you are updating an outdated plan or starting from scratch, the steps below will help you build a cybersecurity strategy.
You cannot protect what you do not know you have. Before anything else, inventory your assets. Assets are unique to your company: customer data, payment information, records, intellectual property, trade secrets, devices, applications, and technology. Record every asset and identify those that matter most to your competitive position, brand, and growth. Once you know which assets are mission-critical, you can focus on protecting them. Classification concentrates effort on what is vital and conserves resources in the process.
To identify mission-critical assets, enlist management and staff and form a team that includes the people who know each asset best. Each owner should explain to the group why their asset is valuable and what would happen if it were lost, exposed, or tampered with. After reviewing every asset, compare and rank them by the severity of that impact. A pairwise comparison model is a useful way to narrow the list down to the critical few.
After you have determined what needs to be protected, explore the threat landscape. Every company faces a different mix of threats, and you need to know which cybersecurity risks you are most likely to encounter. That mix depends heavily on the assets you own, the data you handle, the customers you serve, and what you sell. Risks that almost every organization faces include phishing, ransomware, password attacks (brute force, password spraying, and credential stuffing), and other malware.
To understand the threat environment properly, look at the threats other companies in your industry are facing. Take a community-based approach and share intelligence with other businesses in your sector; this fosters collaboration and lets you pool resources to fend off common threats. Platforms built for this exchange include the open-source Malware Information Sharing Platform (MISP) and commercial threat intelligence platforms such as Anomali, and many sectors have an Information Sharing and Analysis Center (ISAC) you can join.
Even the best cybersecurity plan will be of little use if your employees are not aware of it. For the plan to work, build a cybersecurity training program into your culture, both at onboarding and as ongoing training. The training should be thorough and reach everyone from executives down. Each employee should learn about current threats, how to keep systems safe, how to recognize and report a suspected breach, and what to do during an attack. For better results, appoint a security lead to oversee cybersecurity within the company; that person should coordinate all security efforts and own the overall strategy.
Many organizations unknowingly expose themselves by relying on outdated security policies. Readjust your controls by starting with the basics, and password policy is the first of them. As simple as it sounds, many organizations still allow easily guessed passwords, including the perennial 123456. Rather than forcing users to mix letters, numbers, and symbols (composition rules that NIST SP 800-63B now advises against, because they produce predictable patterns), require long, unique passwords or passphrases, screen them against lists of known-breached and common passwords, encourage a password manager, and enable multi-factor authentication wherever it is supported. Apply this to all of your organization's applications, online and offline accounts, computers, and devices.
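The password checks described above, written out as an added example (not code from the original article): a verifier in the style of NIST SP 800-63B that enforces length, screens against a breach corpus, rejects context-specific words and trivial sequences, and deliberately applies no composition rules. The breach corpus is a small constructed stand-in, and the lookup imitates the k-anonymity style of the Have I Been Pwned range API (only the first five hex characters of the SHA-1 hash leave the client) against a local dictionary so the script runs offline. The 12-character minimum is this example's policy choice; NIST's floor is 8.

```python
"""Password acceptance check in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original article. The breached-password
data is a constructed stand-in for a real corpus such as HIBP Pwned Passwords,
and the range lookup is done against a local dict so this runs offline.
"""
from __future__ import annotations

import hashlib
import re

MIN_LENGTH = 12   # assumption: this example's policy; NIST's minimum is 8
MAX_LENGTH = 64   # NIST: verifiers SHOULD permit at least 64 characters

# Constructed stand-in for a breached-password corpus.
_BREACHED = ["123456", "password", "qwerty123", "letmein", "Welcome2019!"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Bucket the corpus the way the HIBP range API does: 5-char prefix -> {suffix: count}.
_RANGE_DB: dict = {}
for _pw in _BREACHED:
    _h = _sha1_hex(_pw)
    _RANGE_DB.setdefault(_h[:5], {})[_h[5:]] = 1


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus. Only the 5-character
    hash prefix is sent to the lookup; the suffix comparison happens locally."""
    h = _sha1_hex(password)
    bucket = _RANGE_DB.get(h[:5], {})       # stand-in for GET /range/{prefix}
    return bucket.get(h[5:], 0)


def _has_sequence(s: str, run: int) -> bool:
    """True if s contains `run` consecutive characters that ascend or descend
    by one code point (abcde, 54321)."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str, username: str = "", service: str = "") -> list:
    """Return the list of reasons the password is rejected; empty means accepted.

    There are intentionally no composition rules (letters + digits + symbols):
    800-63B says verifiers SHOULD NOT impose them, because they push users
    toward predictable patterns while a long passphrase would be rejected.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    n = breach_count(password)
    if n:
        problems.append(f"appears in breach corpus ({n} occurrences)")
    lowered = password.lower()
    for ctx in (username, service):            # context-specific words
        if ctx and len(ctx) >= 3 and ctx.lower() in lowered:
            problems.append(f"contains context-specific word '{ctx}'")
    if re.search(r"(.)\1{3,}", password):      # aaaa, 1111
        problems.append("four or more repeated characters")
    if _has_sequence(lowered, 5):              # abcde, 12345
        problems.append("five or more sequential characters")
    return problems


if __name__ == "__main__":
    for pw, user in [("123456", ""), ("Welcome2019!", ""),
                     ("jordan-macavoy-2019", "jordan"),
                     ("correct horse battery staple", "")]:
        verdict = check_password(pw, username=user)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that "Welcome2019!" would pass a classic composition rule (upper, lower, digit, symbol, 12 characters) and fails here only because it is in the breach corpus, which is exactly the case composition rules miss.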
You should also keep applications updated, patch your software and tools, run current anti-malware, and use a firewall. Outdated software is a major security exposure. For each device and operating system you use, turn on update notifications, enable automatic updates, and check regularly for new releases. Beyond security fixes, updated software usually brings better compatibility and stability. Keeping anti-malware tools and firewalls current helps protect the business against the threats in circulation today.
Cybersecurity strategy is a continuous process. Today's controls will be obsolete tomorrow, so keep watching the threat landscape. You need systems that continuously monitor and report on security-relevant activity; regular reporting on what the program is doing is essential. Use tools that monitor at the network, firewall, and endpoint level. Monitoring improves threat visibility, surfaces vulnerabilities, detects attacks before they cause damage, and shortens incident response time.
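Monitoring only pays off when the collected data is turned into detections. As an added example (not code from the original article), the script below runs a brute-force and password-spray detector over constructed sshd-style syslog lines: five or more failed logins from one source address within 60 seconds raises an alert, the alert is classed as a spray when several distinct usernames were tried, and a subsequent successful login from a flagged address is escalated because that is the event that actually needs a responder. The thresholds and the year (syslog timestamps omit it) are assumptions to tune per environment.

```python
"""Brute-force / password-spray detection over authentication log lines.

Added example, not from the original article. The log lines are constructed
sshd-style syslog entries; thresholds are assumptions to tune per environment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one spraying source, one benign user with typos, one
# single-account brute force. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 23 09:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 23 09:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct 23 09:00:05 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Oct 23 09:00:08 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Oct 23 09:00:10 web1 sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Oct 23 09:00:12 web1 sshd[1211]: Accepted password for jordan from 203.0.113.7 port 51027 ssh2
Oct 23 09:05:00 web1 sshd[1300]: Failed password for jordan from 198.51.100.4 port 40001 ssh2
Oct 23 09:05:30 web1 sshd[1301]: Failed password for jordan from 198.51.100.4 port 40002 ssh2
Oct 23 09:07:00 web1 sshd[1302]: Accepted publickey for jordan from 198.51.100.4 port 40003 ssh2
Oct 23 09:10:00 web1 sshd[1400]: Failed password for root from 192.0.2.9 port 60001 ssh2
Oct 23 09:10:10 web1 sshd[1401]: Failed password for root from 192.0.2.9 port 60002 ssh2
Oct 23 09:10:20 web1 sshd[1402]: Failed password for root from 192.0.2.9 port 60003 ssh2
Oct 23 09:10:30 web1 sshd[1403]: Failed password for root from 192.0.2.9 port 60004 ssh2
Oct 23 09:10:40 web1 sshd[1404]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5    # assumption: failures from one IP ...
WINDOW_SECONDS = 60   # ... within this many seconds raises an alert
SPRAY_USERS = 3       # assumption: distinct usernames in the window => spray
YEAR = 2019           # syslog omits the year; assume the article's


def parse_line(line: str):
    """Parse one sshd line into a dict, or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text: str) -> list:
    """Return alerts in time order: brute_force / password_spray per source IP,
    plus success_after_attack when a flagged source later authenticates."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # ip -> [(ts, user)] failures inside the window
    flagged = set()                # ips already alerted on
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            window = failures[ip] + [(e["ts"], e["user"])]
            # Keep only failures no older than WINDOW_SECONDS before this one.
            window = [(t, u) for t, u in window
                      if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            failures[ip] = window
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                users = sorted({u for _, u in window})
                kind = "password_spray" if len(users) >= SPRAY_USERS else "brute_force"
                alerts.append({"type": kind, "ip": ip, "failures": len(window),
                               "users": users, "at": e["ts"]})
                flagged.add(ip)
        elif ip in flagged:
            # A success right after a burst of failures is the highest-priority signal.
            alerts.append({"type": "success_after_attack", "ip": ip,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The window is evaluated per source address, so the two mistyped passwords from 198.51.100.4 never reach the threshold and produce no alert; a real deployment would also correlate across sources to catch a distributed spray that stays under the per-IP limit.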
Organizations are shifting from on-premises computers to the cloud. Most companies now use cloud services to back up data, run critical work applications, and store sensitive company, employee, and customer data. If those cloud assets are not protected, your hosting provider, its staff, or anyone who compromises its environment can read them. To improve cloud data security, encrypt sensitive data before it leaves your control, with keys you manage, and keep the most critical data out of the cloud unless there is a clear need for it to be there. Also make sure your provider is trustworthy and holds current independent attestations (for example SOC 2 or ISO/IEC 27001) and meets the data security standards that apply to your business.
Your cybersecurity measures need to cover every part of the organization. To keep all your devices, networks, applications, and processes safe, stay aware of current and emerging threats. Once you know what you are up against, update your security controls, train your employees, enforce strong authentication, use anti-malware tools, and perform periodic penetration tests.
Want to learn more about getting your cybersecurity strategy in shape? Check out this article from Chris Cochran on A Framework for Security Programs and this talk from HackerOne’s Marten Mickos on Building Security for User Privacy.
Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.