
Published on May 17th, 2019


Cybersecurity threats and unified communications



Given that businesses and customers are constantly working to become more connected and digital-first, there is a paramount need for them to protect their cyber assets and personal information.

Analysts estimate that by 2020, 60 percent of all enterprises will be the victims of a major cybersecurity breach. As reported by Cybersecurity Ventures, cyber attacks are the fastest growing crime globally. Cybersecurity Ventures predicts cybercrime damages will cost the world $6 trillion annually by 2021, while 70 percent of all annual cryptocurrency transactions will be for illegal activity. The “Cyber’s Most Wanted” list on the FBI website features 63 notorious people (up from 19 in 2016) who have conspired to commit the most damaging crimes against the U.S., including computer intrusions, wire fraud, identity theft, money laundering, false registration of domain names, espionage, theft of trade secrets, and other offenses. The unit chief at the FBI’s Internet Crime Complaint Center (IC3) has stated that the number of cyber crimes in the agency’s reports represents only 10 to 12 percent of the total number actually committed in the U.S. each year.

A company’s communication channels are often the first point of call for an attack. Attacks are typically delivered via spam, phishing attempts or by taking advantage of out-of-date software. Because more and more businesses are shifting to the cloud, another apparent avenue for attack is ultimately provided for hackers.

The question becomes, how can companies put up adequate barriers to ensure they are protected against the most up-to-date and harmful cybersecurity threats? Answers lie in the following essentials companies should consider when aiming to make UC security fit for purpose.

Continued commitment to top management

Senior managers are often focused on functions that go beyond cybersecurity. Specifically, they are oriented to company profits, financial results and more, but typically do not have good insight into the risks that lie in a weak cybersecurity process.

Strong cybersecurity initiatives within a company require financial resources to secure infrastructure and sufficient staff to manage the overall process. Considering that senior managers are often not security experts, these costs are sometimes viewed as unnecessary, especially if they are not highlighted during budgeting.

All risks must be presented to the senior management of the company, along with any apparent consequences if security is breached. These include a robust assessment of the financial implications of a breach, as well as the reputational damage it will cause in the eyes of customers.

Don’t just stick to the ISO 27001 standard

Most well-known security standards or frameworks are not reactively designed and do not guarantee well-designed information security management systems. ISO 27001 is a standard whose main use is information security risk assessment, treatment and mitigation. However, this contains many risk factors by itself. Introducing best practices without requiring any concrete technology, design or processes, as well as describing procedures that place too much trust in the human factor in the ISMS, can cause ISO 27001 to leave many open questions and gaps in a company’s cybersecurity capabilities.

Continually reviewing and optimizing the Information Security Management System

Continued maintenance and review are crucial to creating a well-oiled machine that won’t fail when it needs to perform. Companies should continually review and optimize their Information Security Management Systems (ISMS), which include security policies and procedures, security change management control and review of the risk register. Companies should adjust these on a regular basis relative to current threats and vulnerabilities.

Maintain a strong and effective Configuration Database (CMDB)

Keeping a strong, well-maintained, and effective Configuration Database (CMDB) is a concern for many companies, which often fail to maintain their respective CMDBs. This makes implementing security controls and procedures more difficult and time-consuming, encouraging mistakes and opening companies up to cyber attacks.





Assign clear responsibilities and ownership for your CMDB and keep equipment up to date. The better managed it is, the easier threats are to prevent. Doing this is particularly important when upgrading infrastructure and for those in the process of modernising the workplace.

Thorough crisis and incident management

Security crises are not an exception but rather a rule, and any security incident is a potential crisis if not processed properly.

Incidents can be classified with different priorities depending on the potential impact. It is extremely important that the different priorities are properly described and that the employees who process them are well trained to provide a timely, correct and detailed response. Security management systems generate different types of reports which we can use to analyze a company’s cybersecurity vulnerabilities, take remedial action and calculate the risk for the company.

A crisis indicates an unstable and dangerous situation related to a large part of the company or the company as a whole, potentially damaging business to a great extent and requiring immediate action. Unfortunately, many companies do not have an optimized crisis management process or proper staff training procedures in place.

Best practice dictates that everything be clearly documented, that crisis management be led by a member of the senior management team, and that teams meet regularly to update on actions and activities. The company may also have external partners to consult during a crisis, such as a cybersecurity specialist or a governmental organization with which to co-operate to master the crisis faster, and this needs to be factored in as well.

Consider the National Institute of Standards and Technology (NIST) framework

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its voluntary framework consists of standards, guidelines, and best practices for managing cybersecurity-related risk, designed for U.S. private sector organizations. The steps illustrated in the NIST framework are Identify, Protect, Detect, Respond and Recover. But positioning “Identify” as step one means the framework approach can be classified as a reactive-only solution. “Respond” and “Recover” also contribute to the reactive nature. Listing “Identify” at the beginning of the cycle suggests actions are started only in case of business impact. “Planning” is not a part of this high-level structure, yet it can be a crucial step for proactive measures or in attempting to predict future issues.

Good processes should include more transparent, structured, and fast-working cybersecurity systems. Planning is also crucial. Yet good security officers should not wait for an issue before improving security, or close themselves within the borders of predefined standards like ISO 27001. Instead, they need to plan daily, be able to respond to different environments, and create a cybersecurity-focused culture across their entire business. If they do that correctly, then the business will give itself the best chance to defend itself against the next devastating cyber attack.

Conclusion

The convenience of globalization is clear, but its consequences provide frightening results which become more challenging with each passing day. Businesses must be faster than ever when it comes to developing and optimizing technologies, standards, and frameworks because the evolution of cyber threats is extremely fast. The subject must be prioritized, and organizations must agree on an approach designed to unite all forces in the same place.

Mariana Peycheva is Chief Security Officer at Unify, and a member of Atos Global Group Security
