By Charles Snyder
Aggressive and damaging cyber-attacks, especially those involving ransomware, have dominated the news in the first half of 2021. Whether it has been gasoline shortages along the East Coast of the United States, potential beef shortages, or delays in critical transportation, the impacts of such attacks on organizations and the economy cannot be overstated.
How should an organization start to assess what it can do to prevent, detect, and respond to such attacks?
The effective deployment of information technology (IT) security governance principles, based on appropriate industry or regulatory standards, can be an organization’s first line of defense against cyber threats. IT security governance should be considered an essential and strategic element of an organization’s overall governance and risk management program.
What do we mean by the term IT security governance? The following two definitions illustrate key elements to consider:
Cyber-attacks are not isolated, one-time events. Typically, an attack follows a lifecycle that begins with threat actors deploying various techniques and tools to probe and analyze a target, continues with the attack itself, and ends with the exploitation of an organization’s IT systems. These attacks can be classified as advanced persistent threats (APTs), which can be modeled with generic timelines or event horizons and may consist of many phases. Long before files are encrypted and a ransom note is presented, the threat actors have most likely spent weeks or even months conducting research and reconnaissance, and then scanning and deploying malware packages into a network or system. Typical phases associated with ransomware include:
Implementing specific IT security controls can help mitigate the risk associated with ransomware. For example, the National Institute of Standards and Technology (NIST) has issued draft guidance on how to prevent ransomware. It recommends the following preventative controls:
Though specific IT controls are important in addressing possible vulnerabilities, organizations often find themselves plugging small security holes while missing the larger risks to their organization. Cyber threats and vulnerabilities are constantly evolving, which is why organizations need a holistic and strategic assessment of their mission, objectives, resources, and associated risks. IT security governance provides an organization with that holistic and strategic view of its threats, vulnerabilities, and resulting risks.
While the detailed concepts and processes associated with creating and maintaining an IT security governance program are fairly involved and beyond the scope of this short summary, there are a few essential tasks that should be part of getting started:
Protecting your organization’s assets, stakeholders, and reputation from the dangers of modern cyber-attacks requires a concerted and sustained effort. Establishing and maintaining a robust IT security governance framework for your organization is foundational in that effort.
CAI provides IT security consulting services that can help local governments, businesses, and organizations assess their security posture and begin the process of building an IT security governance program.