
Securing Your Corporate Digital Assets
Since the beginning of the year, the pace of digital transformation has been very fast. With offices closed, social distancing to prevent the spread of the coronavirus forced companies to activate their business continuity plans (BCP) and enable employees to work remotely. The prolonged health crisis then compelled businesses to roll out remote working enterprise-wide, so that employees were given remote access to the corporate network, and to the critical data on it, to do their jobs.
By opening their corporate networks for remote working, IT leaders face major challenges, especially where cybersecurity has been an afterthought. With more access points that are not fully protected, valuable corporate data is put at risk. Cyber criminals are seizing the opportunity to probe corporate IT networks for vulnerabilities and exploit the lapses they find. Phishing via email, and data breaches arising from various security lapses, have increased tremendously. The consequences of a cyber attack can disrupt critical business operations, cause significant financial losses and tarnish the corporate brand name.
"Consequences of any cyber attack can affect critical business operations, cause significant financial losses and even tarnish the corporate brand name."
With more employees working remotely, businesses are exposed to higher cyber risks. There are, however, simple cyber security hygiene steps that businesses and employees can adopt to reduce security lapses. Three simple steps are: first, make sure that all devices are up to date and that obsolete devices are replaced; second, put proper cybersecurity policies and procedures in place for the use of company devices and of employees' own devices; third, keep track of who (which employee) is using which device (company-owned or personal), and what (which enterprise application) is being accessed from where (which access point or location).
Many cybersecurity lapses can be avoided by implementing preventive measures. First, businesses should build organisational awareness of cyber risks and regularly remind employees of the habits expected of them. Second, to know where the risks and vulnerabilities are, regular audits of the enterprise cybersecurity risk management are advisable. Third, systems and the network should be regularly scanned with up-to-date anti-virus software, patched and updated.

Nowadays there are still many at senior leadership levels with the traditional mindset that cybersecurity is an IT issue that is not relevant to them. This should not be the case. Cybersecurity is no longer only a technology issue: businesses are exposed to cyber risks on many levels, and these can impact the whole organization. Falling victim to a major cyber attack can literally cripple the organization. Not only will there be a major financial impact to bring the business back into operation, but the disruption can also mean loss of market share and a tarnished brand image that erodes client trust in the business.
Cyber criminals are constantly evolving and exploiting any security lapse. Hence cybersecurity cannot be an afterthought, and stress testing should not be an ad-hoc exercise. Senior leaders need the mindset that cyber threats are real and that it is not a matter of 'if' but 'when' a major cyber disruption will happen. Critical digital assets should therefore be identified and protected, a proper governance and risk management framework implemented, and policies and procedures constantly reviewed to ensure optimal security. The right organizational culture about cyber risks should be fostered among team members. Lastly, cybersecurity must not be viewed as a business cost, but as an investment in the business growth strategy.
The stay-at-home order started as a way to prevent the spread of the coronavirus. As a result, companies had to activate their business continuity plans and ask employees to work from home. While it has been a sudden and drastic change, employees have adapted well to the new norm of working remotely: 89% of employees now prefer to work mainly from home, and 75% believe that the future of work will be a hybrid environment with employees dividing their time between office and home.
However, with this new working environment, 85% of IT leaders believe that their IT teams are under great pressure to balance the demands of remote working against preventing cyber attacks. An overwhelming 78% of IT leaders believe that the risk of insider threats increases with more employees working remotely. To make matters worse, employees are allowed to use their own devices, and the main risks from these personal devices are unsafe app downloads (53%), malware infection (50%) and software updates (46%). The ripple effect is that the business network and sensitive corporate data are put at risk. (Data from Tessian)
Despite being highly unprepared, many companies were forced to adopt remote working by the coronavirus crisis, with employees made to stay at home and work remotely. Managing this prolonged remote working environment has been very challenging for IT leaders. From March to July 2020, there was a massive increase in cyber threats. Several modes of attack increased significantly: ransomware delivered via phishing (30%), smishing (29%) and phishing (27%). These attacks resulted in data breaches, the main causes being phishing (49%), malware (45%) and malicious insiders (43%). More surprising still, 78% of employees revealed that they have received phishing emails, and a shocking 68% have opened them, putting their devices and the corporate network at risk. (Data from Tessian)
Getting inside the mind of hackers is a way of understanding the vulnerabilities of businesses. Black hat hackers are motivated by the thrill and challenge of finding loopholes in systems. Succeeding in cracking a system brings them financial gain from the sale of valuable data, and bragging rights within the hacker community. Not only are they highly skilled in their craft, but they also understand human behaviour and are extremely manipulative in exploiting our weaknesses.
"Getting inside the mind of hackers is a way of understanding the vulnerabilities of businesses."
Data breaches due to cyber attacks are very disruptive and costly to businesses. Employing white hats, who are ethical hackers, is therefore a way of stress testing the corporate network to identify security lapses, whether due to the systems themselves, weak procedures or unsafe practices by employees. Rectifying these lapses can prevent potential cyber attacks from happening. This stress testing should not be an ad-hoc exercise; it should be embedded within corporate practices and culture.
Through the continuous process of digital transformation, businesses are becoming more and more dependent on their digital assets to operate. These intangible digital assets and data, such as product research and development, client personal data and operational data, are not only valuable but also the target of many external parties, from hackers wanting to make money to competitors wanting an edge in the market. These digital assets must therefore be protected and secured.
Identity and Access Management (IAM) is central to managing enterprise security. Employees need access to the corporate network to complete their tasks, so IAM must fulfil three major tasks in granting access to any digital asset: Identify, Authenticate and Authorise. From basic user to privileged user access control, IAM must be able to answer Who has access to What applications, and Which device is accessing the corporate network from Where and When. Lastly, Why a given user needs access to a given asset must also be justified, documented and regularly reviewed.
Avoiding being hacked means protecting all the corporate digital assets (tangible and intangible) and securing all access points, so as to give hackers no opportunity to breach the network. From a corporate perspective, this means having a proper asset management system that gives a clear view of all devices accessing the network and of all enterprise application software and digital assets (on premise and in the cloud) that are being accessed. Moreover, businesses must have a good cybersecurity framework in place, with robust security software capable of constantly scanning the network, continuously monitoring all digital assets, and detecting, isolating and quarantining devices or apps showing suspicious activity.
From an employee perspective, the top 3 ways to avoid being hacked are:
(1) use a different, strong password for every device and application (length matters more than mandatory numbers or special characters, and a password manager makes unique passwords practical),
(2) keep all devices and applications updated and
(3) avoid opening spam, suspicious emails or unexpected attachments.
Network security refers to all measures taken to prevent unauthorised access to, or misuse of, the corporate network, so as to create a secure environment and protect all the digital assets and their users. Network security is crucial for businesses that depend on secure data flow within their digital assets and networks. While network security is mainly meant to prevent external threats from breaching the network, it can also block insider threats from misusing, modifying or destroying valuable corporate data.
A zero trust network works on the premise that nobody, whether insider or outsider, is trusted by default. While businesses have invested massively to protect their networks, data breaches still happen and are extremely costly.
Traditional network security basically assumes that everybody already inside the organisation's network can be trusted. Hence, in the event of an insider threat, or of an external attacker taking control of an insider's device, everything within the network is at risk. Zero trust adds another security layer by requiring verification from anybody and any device trying to access a resource, on every request rather than once at the perimeter. Moreover, zero trust monitors and controls access by each authorised device, and unless a higher level has been explicitly granted and justified, only the minimum level of access needed is provided.
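As an added example that is not part of the original article or STEEL's own tooling, the following Python check ties together the IAM questions raised earlier (Who has access to What, from Which device, Where and When) with the zero trust rule that no request is trusted by default. It runs a per-request policy decision over constructed access-log lines. The device inventory, entitlements, log line format, list of sensitive applications, expected countries, working hours and the MFA step-up rule are all assumptions made for this example, not facts from the article.

```python
"""Added example: zero-trust style access evaluation over constructed access events.
Not the article's code. All inventories, entitlements and log lines below are
constructed sample data; the log format and policy thresholds are assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed asset inventory ("Which device"): known devices, their owner and
# whether the company manages them. Anything not listed here is unknown.
DEVICES = {
    "LT-0421": {"owner": "alice", "managed": True},
    "LT-0877": {"owner": "bob", "managed": True},
    "BYOD-17": {"owner": "carol", "managed": False},  # employee's own device
}

# Constructed entitlements ("Who has access to What"); assumption: these are
# the only applications each user is authorised for.
ENTITLEMENTS = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki", "finance"},
    "carol": {"wiki", "finance"},
}

SENSITIVE_APPS = {"crm", "finance"}  # assumption: need a managed device
ALLOWED_COUNTRIES = {"SG", "MY"}     # assumption: expected "Where"
WORK_HOURS = range(6, 22)            # assumption: expected "When" (UTC hours)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    device: str
    app: str
    country: str
    mfa: bool


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line of the assumed format:
    '<ISO-8601 UTC timestamp> <user> <device> <app> <country> mfa=<0|1>'."""
    ts, user, device, app, country, mfa = line.split()
    return AccessEvent(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        user=user, device=device, app=app, country=country,
        mfa=mfa.split("=", 1)[1] == "1",
    )


def evaluate(ev: AccessEvent) -> tuple[str, str]:
    """Zero-trust decision for a single request: nothing is trusted by default,
    and identity, device, entitlement and context are all checked every time.
    Returns ('allow' | 'deny' | 'step-up', reason)."""
    if ev.user not in ENTITLEMENTS:
        return "deny", "unknown user"
    dev = DEVICES.get(ev.device)
    if dev is None:
        return "deny", "device not in asset inventory"
    if dev["owner"] != ev.user:
        return "deny", f"device registered to {dev['owner']}, not {ev.user}"
    if ev.app not in ENTITLEMENTS[ev.user]:
        return "deny", f"{ev.user} is not entitled to {ev.app}"
    if ev.app in SENSITIVE_APPS and not dev["managed"]:
        return "deny", "sensitive app from unmanaged device"
    if ev.country not in ALLOWED_COUNTRIES:
        return "deny", f"unexpected location {ev.country}"
    if not ev.mfa:
        return "step-up", "second factor required"
    if ev.ts.hour not in WORK_HOURS:
        return "step-up", "outside working hours"
    return "allow", "identity, device, entitlement and context verified"


def review(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Evaluate every log line; returns (user, app, decision, reason) per line."""
    out = []
    for line in lines:
        ev = parse_event(line)
        decision, reason = evaluate(ev)
        out.append((ev.user, ev.app, decision, reason))
    return out


def summarise(results: list[tuple[str, str, str, str]]) -> Counter:
    """Count decisions, the headline figure a monitoring dashboard would show."""
    return Counter(decision for _, _, decision, _ in results)


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2020-06-12T09:15:00Z alice LT-0421 crm SG mfa=1",
    "2020-06-12T09:20:00Z bob LT-0877 crm SG mfa=1",
    "2020-06-12T23:40:00Z carol BYOD-17 wiki SG mfa=1",
    "2020-06-13T10:05:00Z carol BYOD-17 finance SG mfa=1",
    "2020-06-13T10:07:00Z alice LT-0877 wiki SG mfa=1",
    "2020-06-13T11:00:00Z mallory LT-9999 wiki SG mfa=1",
    "2020-06-13T11:30:00Z bob LT-0877 finance BR mfa=1",
    "2020-06-13T12:00:00Z alice LT-0421 wiki SG mfa=0",
]

if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for user, app, decision, reason in results:
        print(f"{decision:8} {user:8} {app:8} {reason}")
    print(dict(summarise(results)))
```

The order of the checks matters: identity first, then device, then entitlement, then context, so the reason attached to each deny tells you which gap to close (an unknown device, a device used by someone other than its owner, an over-broad entitlement, an unmanaged device reaching a sensitive application, or an unexpected location). Only a request that passes every check is allowed; everything else is denied or sent for a second factor, which is the default-deny posture the zero trust paragraph describes.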
The cyber threat environment is rapidly and constantly evolving. As businesses undertake their digital transformation journey, they must make cybersecurity a priority and implement a proper cybersecurity framework. This is not only to protect their digital assets and support their business operations, but also to comply with regulatory requirements on data protection such as GDPR. Managing the cybersecurity framework within the overall risk management plan is a continuous exercise, so that cyber robustness and cyber resilience become fully embedded within the organisation.
The NIST (National Institute of Standards and Technology) Cybersecurity Framework is one widely used example; others include ISO 27001/ISO 27002 and the CIS Controls. Implementing a cybersecurity framework is not an ad-hoc exercise but the starting point for everything pertaining to digital assets and networks. The framework also needs to operate within the risk management plan of the wider organizational ecosystem.
The organizational risk management plan, including the cybersecurity framework, needs to be constantly assessed and audited. Any threats, whether physical, digital or other, must be contained and isolated, and any potential threats as well as security lapses need to be managed and mitigated throughout the organisation. The risk management plan needs to be regularly adapted to new internal and external threats.

More Updates @STEELAdvisoryPartners & @STEELAdvisory