This article is based on the physical round table "The inconvenient reality of cybersecurity" organised by Pointury on September 7, 2022.
All organisations have some level of cybersecurity in place to protect their data, systems, operations and reputation. Yet have they done enough? The inconvenient truth is that attackers constantly invest in better tools, modern technology and creative approaches. They organise themselves professionally, very often tolerated or even supported by rogue states.
To maximise protection against these threats, we constantly need to invest in cybersecurity, provide multiple layers of protection and prepare to recover as quickly as possible when things go wrong.
- How can you make your organisation (more) cyber-resilient?
- What is the best architecture to reduce risks and recover from a successful attack?
- What can you do to limit the impact of a cyber-attack?
- How can you ensure that your organisation can resume its activities as quickly as possible with as little damage and disruption as possible?
- To what extent should the entire organisation be trained and prepared?
While enjoying an exquisite dinner we had a very interactive, constructive and fun debate, initiated by Patrick Van den Branden, Group IT Security Officer at Euroports.
Patrick covered the proactive (protect & detect) and reactive (respond & recover) strategies for dealing with malware that make organisations resilient.
Proactive measures require upfront investment, so it is important for CIOs and CISOs to create a sense of urgency. The expected impact of a ransomware attack, combined with the probability that it will happen, quantifies the risk and justifies the investment in proactive measures.
Cyber resilience is gained step by step. A maturity assessment or an ethical hacker can identify the risks and propose mitigation actions, which can then be prioritised over the next three years.
CISOs need to work on three dimensions: the human, the technical and the governance dimension.
The human dimension is about awareness. At least 90% of cyber attacks enter the organisation through user mistakes. Reducing these requires continuous awareness training, and its effect needs to be measured, for example with phishing simulations. Be aware that getting the click rate in such simulations below 5% is very difficult.
The technical dimension requires workplace / endpoint security (including mobile devices), network security (segmentation, segregation, NAC, firewalls, ...), monitoring and detection mechanisms (SIEM) and a response capability (SOC). Frameworks such as NIST, the CIS Controls, MITRE ATT&CK or ISO 27001 can guide this work.
The governance dimension is not only about policies for endpoints, hardware, software, email, internet and social media, and IT security procedures for employees, suppliers, customers and other third parties connecting to your environment. It is also about the incident response plan (IRP), business continuity (BC) and the disaster recovery plan (DRP).
An interesting recommendation from the group of senior CISOs was that organisations need a Chief Security Officer (CSO), a member of the executive committee, responsible for cybersecurity, physical security and infrastructure security. A CSO can help to change the safety culture in an organisation so that awareness and behaviour really improve.