There is an increasing trend of companies
moving to e-business models with connectivity
using multiple channels such as the Internet,
mobile devices, social media, and the cloud in an
anytime, anywhere, always-on model. Businesses,
small or large, are part of cyberspace and are
continually connected directly and indirectly.
While this has definitely improved business
volume, it has also increasingly attracted the
attention of cybercriminals.
Cyberattacks continue to rise at an alarming
rate. Hacking tools are freely available on the
Internet. Script kiddies perform scans and attacks
for fun, sometimes just to see whether their efforts
work. There is also an increase in organized and
well-funded cybercriminal groups that continuously
target organizations and exercise great patience to
systematically exploit the weaknesses they discover.
Improved connectivity has also expanded the attack
vectors available to cybercriminals, so cyberrisk has
become a key issue that every organization must
address.
Most organizations already have good security
practices in place, but they still need to invest
time and resources in long-term cyberdefenses.
This article provides quick fixes for closing
cybersecurity loopholes and improving cyberdefenses
as early as possible, before cybercriminals can
escalate their attacks on the organization.
RAISE CYBERSECURITY AWARENESS AT ALL LEVELS
People are the critical element in the journey
toward improved security. Many cyberattacks
succeed because of unaware and undisciplined
end users. In many organizations that are already
certified to ISO 27001 or compliant with other
regulatory requirements, the board of directors (BoD)
and end users may be curious about what is new in
cybersecurity. If this curiosity is not addressed,
the topic may not get serious attention. It is
increasingly important for information security
teams to create cybersecurity awareness at all
levels. Walking through well-known data breaches
such as the Target and Sony attacks¹ can quickly
demonstrate how cyberattacks can affect the
organization.
REEXAMINE RISK MANAGEMENT EXERCISES
It is quite possible that an organization already
has a risk assessment process in place, but in the
face of cyberthreats it becomes important to
reconsider the nature of these attacks and revisit
the risk assessment exercise. Popular risk
management standards and frameworks that can be
consulted for the assessment include ISACA®'s
COBIT® 5,² ISO 31000:2009, the Committee of
Sponsoring Organizations of the Treadway Commission
(COSO) Enterprise Risk Management—Integrated
Framework, OCTAVE, the US National Institute of
Standards and Technology (NIST) Risk Management
Framework and many more. Many organizations rate
threats and vulnerabilities as low on the grounds
that no cyberattacks on the organization have been
reported; the absence of reported attacks, however,
shows only that none have been detected, not that
none have occurred. Other organizations have a false
sense of security, confident that because they have
security devices, tools and techniques they are
already cybersecure. It is time to reexamine whether
these controls can be bypassed by any means and to
assess the risk to the environment realistically.
Risk management teams need to keep abreast of how
cybercrimes are currently conducted and factor
comparable scenarios into their risk assessment
exercise.
STRENGTHEN MECHANISMS FOR AUTHENTICATION AND AUTHORIZATION
Passwords, personal identification numbers
(PINs), tokens and digital certificates are the
most commonly used authentication mechanisms.
While an organization may have an excellent
password policy on paper, it becomes important to
evaluate whether it is actually enforced across the
entire organization, including systems and accounts
that have been granted exceptions. Authentication
management systems should reject weak credentials
at the point where they are set rather than rely on
users to follow the policy on their own. System and
network administrators need to be extra careful, as
they are responsible for highly privileged accounts,
which warrant stricter requirements than ordinary
user accounts.
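One way to enforce this at the moment a credential is set, and to sweep an account export for privileged accounts that lack multifactor authentication or have been exempted from policy, is the following Python, added here as an illustration. It is not the article's code; the length thresholds, the word list, the record field names and the sample accounts are all assumptions made for the example.

```python
"""Credential-acceptance checks and a privileged-account audit.

Added example, not code from the article. The thresholds, the word list
and the account records are illustrative assumptions, not ISACA guidance.
"""
import re

# Illustrative policy values (assumptions, not from the article).
MIN_LENGTH = 12
MIN_LENGTH_PRIVILEGED = 16   # stricter for highly privileged accounts
MIN_CLASSES = 3              # of: lower, upper, digit, symbol

# Tiny constructed denylist of stems; a real deployment would load a full
# breached-password corpus instead of this list.
COMMON_WORDS = {"password", "welcome", "letmein", "changeme", "summer",
                "winter", "admin", "qwerty", "monkey", "dragon"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")

# Undo the usual leetspeak substitutions so "P@ssw0rd" is seen as "password".
_LEET = str.maketrans("@$013!", "asolei")


def normalise(password):
    """Lower-case and de-leet a candidate password for dictionary matching."""
    return password.lower().translate(_LEET)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
               if re.search(p, password))


def check_password(username, password, privileged=False):
    """Return the policy violations for a proposed password; [] means accept.

    Meant to run when a credential is set or changed, which is the only
    point where the plaintext is legitimately available to the checker.
    """
    reasons = []
    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(password) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the user name")
    # Compare the alphabetic core (plain and de-leeted) against common stems,
    # so "Summer2024!" and "P@ssw0rd2024" are both caught.
    cores = (re.sub(r"[^a-z]", "", lowered),
             re.sub(r"[^a-z]", "", normalise(password)))
    if any(word in core for word in COMMON_WORDS for core in cores):
        reasons.append("built on a common word")
    if any(run in lowered for run in KEYBOARD_RUNS):
        reasons.append("contains a keyboard sequence")
    if re.search(r"(.)\1\1", password):
        reasons.append("repeats a character three or more times")
    return reasons


def audit_accounts(accounts):
    """Flag privileged accounts without MFA and accounts exempted from policy.

    `accounts` is a list of dicts shaped like an identity-store export
    (field names are assumptions); returns {user: [finding, ...]}.
    """
    findings = {}
    for acct in accounts:
        issues = []
        if acct["privileged"] and not acct["mfa"]:
            issues.append("privileged account without MFA")
        if acct.get("policy_exempt"):
            issues.append("exempt from password policy")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed sample data (not from the article).
SAMPLE_CHANGES = [
    ("jsmith", "Summer2024!", False),
    ("dbadmin", "P@ssw0rd2024", True),
    ("ops", "Tr0ub4dor&3-correct-horse", False),
    ("sa", "Qwerty123456!!", True),
]
SAMPLE_ACCOUNTS = [
    {"user": "jsmith", "privileged": False, "mfa": False, "policy_exempt": False},
    {"user": "dbadmin", "privileged": True, "mfa": False, "policy_exempt": False},
    {"user": "svc_backup", "privileged": True, "mfa": True, "policy_exempt": True},
]


def evaluate_changes(changes=SAMPLE_CHANGES):
    """Run check_password over (user, password, privileged) tuples."""
    return {user: check_password(user, pw, priv) for user, pw, priv in changes}


if __name__ == "__main__":
    for user, reasons in evaluate_changes().items():
        verdict = "ACCEPT" if not reasons else "REJECT: " + "; ".join(reasons)
        print(f"{user:12} {verdict}")
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user:12} {'; '.join(issues)}")
```

The de-leet step matters more than it looks: a policy that only counts character classes happily accepts "P@ssw0rd2024", which every cracking wordlist contains. Note also that the audit works only from attributes the identity store can export; stored password hashes cannot be policy-checked after the fact, which is why the acceptance check has to sit in the change path.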
Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI, is currently director and principal consultant at Oxygen Consulting Services Pvt. Ltd. Agarwala has more than 17 years of experience across multiple industry domains in various information security roles and has expertise in areas such as information security management systems, risk management, cybersecurity, systems audit, IT governance and business continuity management.
Quick Fixes for Improving Cyberdefenses