How to use a security framework

Implementing an information security strategy for your organization is a project in itself. Security frameworks help you get started. It is advisable to familiarize yourself in advance with some points of attention when using those frameworks. That will help you make the right decisions. In this article we list them for you.

Preface

It is arguably any company’s worst nightmare: hackers stealing your customer data, shutting down your online services or taking your critical IT systems and data hostage. That is not an unjustified fear. In 2020, the Dutch Data Protection Authority received 23,976 reports of data leaks. The number of reports of hacking, malware or phishing incidents has increased by 30% compared to 2019. New reports about cyber-attacks appear in the news every week.

Fortunately, anyone who wants to defend themselves against such attacks does not have to reinvent the wheel. Existing security frameworks such as ISO 27001 and the NIST Cybersecurity Framework can help you shape an information security strategy.

Risk management

Information security is about managing risks. To develop an information security policy, you first map out which information assets are present in your organization, in physical or digital form. What information is critical to business operations? How is it secured?

You then use a risk analysis to determine which threats endanger the confidentiality, integrity or availability of that information. Where are the greatest vulnerabilities? What are the risks? Are those risks acceptable, or do you want to reduce them further?

The next step is to take appropriate measures to protect your information where necessary. Information security frameworks come in handy here. These contain a whole toolbox of measures based on best practices. You do not have to limit yourself to a single framework. You can also combine best practices from different frameworks.
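The three steps above (inventory the assets, rate what a loss of confidentiality, integrity or availability would mean, then weigh each threat against the risk you are willing to accept) are what a risk register does. The following is an added example, not code from the article or from any framework: the assets, threats, rating scales and risk appetite are constructed for illustration, and the "accept"/"treat" decision is the point at which a framework's catalogue of measures comes in.

```python
"""Minimal risk register: assets rated on C/I/A impact, threats rated on
likelihood, risk = likelihood x worst affected impact, compared to a risk appetite.
Added example; all asset names, threats and scales are constructed."""
from dataclasses import dataclass

# Constructed 1-3 scales; real frameworks let you choose your own.
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD_SCALE = {"rare": 1, "possible": 2, "likely": 3}


@dataclass
class Asset:
    name: str
    form: str            # "digital" or "physical"
    confidentiality: str  # impact of disclosure
    integrity: str        # impact of unauthorised change
    availability: str     # impact of loss of access


@dataclass
class Threat:
    asset: str           # name of the asset it endangers
    description: str
    likelihood: str
    affects: tuple       # subset of ("C", "I", "A") that the threat hits


def impact(asset: Asset, affects) -> int:
    """Worst-case impact over the security properties the threat affects."""
    ratings = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    return max(IMPACT_SCALE[ratings[p]] for p in affects)


def risk_score(asset: Asset, threat: Threat) -> int:
    return LIKELIHOOD_SCALE[threat.likelihood] * impact(asset, threat.affects)


def assess(assets, threats, risk_appetite: int):
    """Return the register sorted by descending risk, each row with a treatment decision.
    Scores at or below the appetite are accepted; anything above needs a measure."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        score = risk_score(a, t)
        rows.append({
            "asset": a.name,
            "threat": t.description,
            "score": score,
            "decision": "accept" if score <= risk_appetite else "treat",
        })
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample inventory and threat list.
SAMPLE_ASSETS = [
    Asset("customer database", "digital", "high", "medium", "medium"),
    Asset("paper contract archive", "physical", "medium", "low", "low"),
]
SAMPLE_THREATS = [
    Threat("customer database", "ransomware encrypts the database", "possible", ("A", "I")),
    Threat("customer database", "staff credentials phished, data exfiltrated", "likely", ("C",)),
    Threat("paper contract archive", "fire in the archive room", "rare", ("A",)),
]
RISK_APPETITE = 4  # constructed: scores above this must be treated


if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, SAMPLE_THREATS, RISK_APPETITE):
        print(f'{row["score"]:>2}  {row["decision"]:6}  {row["asset"]}: {row["threat"]}')
```

With the constructed input only the phishing scenario (likely, hitting a high-confidentiality asset) exceeds the appetite; that is the row for which you would pick measures from the framework, while the other two are documented as accepted risks and revisited at the next review.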

Investments

If you want to implement and maintain measures, you must be prepared to invest time and money. Not only in the beginning, but also afterwards. The required budget obviously depends on the risk. Which things can you invest in?

  • Developing, implementing or adjusting, executing and monitoring processes and procedures, including
    • Control of changes
    • Monitoring of new threats and risks.
  • The training of employees.
  • Purchase, commissioning, use and maintenance of technical measures, such as
    • Intrusion detection system that detects suspicious traffic in your corporate network
    • Web application firewall that blocks suspicious traffic to and from your corporate network
  • External audits and testing, such as
    • Penetration test on information systems
    • Certification audit, for example, against the standards of ISO 27001 (more about this below).

Structured and standardized processes based on best practices

If you are going to implement a security framework in your organization, you will have to adjust existing procedures and processes. You expand these with extra steps and checks to adequately protect your information. New procedures and processes may need to be introduced, such as periodic audits of the security of your systems. You do this according to the best practices that the security framework offers you.

This requires a structured and repeatable way of working, and you may still need to make improvements in that area: for example, by documenting your existing procedures, or by introducing checklists so that all steps in a work process are always followed.

As said, this requires investment, and it results in more, and more extensive, procedures and processes. But it also leads to a general quality improvement of the procedures and processes within your organization.

The right expertise

Information security is a field in itself. And it is a broad field. Extensive knowledge of and experience with governance, risk management, security programs in IT, HR and building protection, and incident management is necessary for a thorough and adequate protection of the important information.

Start with the design and implementation of the framework only when all the necessary knowledge is on board. First determine what knowledge is required and what your organization already has in house. If certain knowledge is missing, training or education can help close that knowledge gap. Or you can hire an expert, temporarily or otherwise.

In addition, good training of all employees involved is important. If employees do not see the benefits of information security for the organization, but only the negative consequences for their own work, they may resist the extra work, or look for ways to “work around it”. A security framework also provides tools for training your colleagues.

Demonstrate that your organization takes information security seriously

A nice advantage of applying a standard security framework is that it gives others a good idea of how your organization deals with information security. After all, this is described in the specification of the standard, which is generally available.

If you use a reputable framework such as ISO 27001, then this is a good indication to (potential) customers, partners and regulators that your organization takes information security seriously. That gives confidence, especially if you can support it with a certification.

No guarantees

Finally, a disclaimer for using security frameworks. A framework provides good tools to manage security risks. However, it does not guarantee that security incidents can no longer occur.

Information security is an ongoing effort, requiring you to anticipate and respond to current developments that may pose a threat. You may need to make policy or technical changes to adapt to the new situation. In that sense, your information security is never “finished” and requires constant attention.

Curious how to implement a security framework in your organization? INTERMEDIATE can help. With our substantive knowledge, we find the right professional who can guide and support your organization. Interested? Please contact us: intermediate.pro/contact

This blog was written by Teun Tonino.

Increase in cybercrime during Corona

Have you also received an email promising you a panacea for COVID-19? Just click on the link to order? Cybercrime increased dramatically during the corona crisis. Not surprising: there are always malicious people trying to cash in on a crisis situation. They respond to current events in order to steal money or valuable information from their victims. Or they try to further disrupt the situation for political or ideological reasons. What can you do about it?

Attack

To achieve their goals, cyber attackers are looking for human and technical vulnerabilities that they can exploit. The corona crisis helped them:

  • People experience insecurity and are therefore more susceptible to scams.
  • Technical facilities were quickly put in place to make working from home possible. Security was often not the top priority.

Cyber criminals give a corona twist to proven attack methods. Chinese hackers, for instance, used a vulnerability in Cisco equipment for an extensive espionage campaign. They may have been looking for strategic information about COVID-19. And in July, 130 Twitter accounts were hacked, including those of celebrities like Elon Musk and Joe Biden. These hacked accounts claimed to be donating thousands of dollars in Bitcoin due to the corona crisis. In reality, the hackers managed to loot $121,000 worth of Bitcoin.

Defense

Now that the government has relaxed corona measures, there is more room to see how your organization can further arm itself against such cyber attacks. Because the threat is not over yet: more people continue to work from home than before. In addition, the virus can flare up again. Corona cybercrime therefore remains a lucrative business. We give you some advice to protect your organization.

Working securely online

Have you made your IT systems and information accessible to home workers? This online access can also be an entrance to your IT infrastructure for cyber criminals. Therefore, take measures to keep them out.

Awareness of employees

Your employees are your first line of defense. Inform them about the risks of working from home. Explain what they can do to protect themselves and the organization against cybercrime:

  • Recognizing and reporting suspicious situations
  • Safe use of equipment and applications
  • Safe handling of confidential business information
  • Home workplace and home network security

Protection of devices

A malware-infected laptop or phone can compromise your IT infrastructure. Therefore, consult your IT department for technical solutions to protect the devices of your employees. Make the chosen solution an organization-wide standard.

Access control on online resources

Apply strict access control to online facilities for your employees. Ask your IT department about the various best practices you can use for this.

Record measures in policy

Record the measures taken in the information security policy of your organization. This way it is not just a one-off effort, but you are also prepared for:

  • new employees who are going to work remotely;
  • new systems that become available online for employees.

Stay alert

These are challenging times. Good insight into the latest situation helps you to intervene in time when things change for the worse.

Consult external sources

Regularly consult official sources such as the sites of the RIVM and the NCSC. There you will find reliable, up-to-date information that can help you make your decisions. These bodies also publish practical advice and guidelines.

Threat detection

Should an attacker manage to gain access to your IT infrastructure despite the other measures, timely detection can limit the damage. Therefore, apply automated monitoring to detect suspicious activity in your IT infrastructure.
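What "automated monitoring for suspicious activity" looks like in practice, for the home-working scenario this post describes, is a rule that reads the remote-access authentication log and raises an alert on patterns a person would not spot by eye. The following is an added example, not code from the article: the log format, the two rules (a successful login after a burst of failures, and one account logging in from an unusual number of different source addresses) and their thresholds are all constructed assumptions, and the sample log lines are made up.

```python
"""Two simple detections over remote-access (e.g. VPN) authentication logs.
Added example; the line format, rule thresholds and sample log are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp>Z vpn auth user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line: str):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect(lines, max_failures=5, window=timedelta(minutes=10), max_sources=3):
    """Rule 1: a successful login preceded by >= max_failures failures within `window`
    (password guessing that eventually worked, or a user who should be asked about it).
    Rule 2: an account seen logging in from more than `max_sources` distinct addresses
    (shared or stolen credentials). Each rule fires at most once per account."""
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs are not always in order

    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failed attempts
    seen_sources = defaultdict(set)       # user -> source addresses with a successful login

    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            recent_failures[user].append(e["ts"])
            continue

        # Success: keep only failures inside the window, then check the burst rule.
        recent_failures[user] = [t for t in recent_failures[user] if e["ts"] - t <= window]
        if len(recent_failures[user]) >= max_failures:
            alerts.append({"rule": "success_after_failures", "user": user,
                           "src": e["src"], "ts": e["ts"],
                           "detail": f"{len(recent_failures[user])} failures in {window}"})
            recent_failures[user] = []  # reset so the same burst is reported once

        seen_sources[user].add(e["src"])
        if len(seen_sources[user]) == max_sources + 1:  # fires once, when the threshold is crossed
            alerts.append({"rule": "many_source_addresses", "user": user,
                           "src": e["src"], "ts": e["ts"],
                           "detail": f"{len(seen_sources[user])} distinct addresses"})
    return alerts


# Constructed sample log: carol mistypes twice (normal), alice's account is hit by a
# burst of failures and then succeeds, bob logs in from four different addresses.
SAMPLE_LOG = [
    "2021-03-02T08:00:01Z vpn auth user=carol src=192.0.2.10 result=FAIL",
    "2021-03-02T08:00:20Z vpn auth user=carol src=192.0.2.10 result=FAIL",
    "2021-03-02T08:00:45Z vpn auth user=carol src=192.0.2.10 result=OK",
    "2021-03-02T08:05:00Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:05:10Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:05:20Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:05:30Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:05:40Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:05:50Z vpn auth user=alice src=198.51.100.7 result=FAIL",
    "2021-03-02T08:06:05Z vpn auth user=alice src=198.51.100.7 result=OK",
    "2021-03-02T09:00:00Z vpn auth user=bob src=203.0.113.1 result=OK",
    "2021-03-02T11:00:00Z vpn auth user=bob src=203.0.113.2 result=OK",
    "2021-03-02T13:00:00Z vpn auth user=bob src=203.0.113.3 result=OK",
    "2021-03-02T15:00:00Z vpn auth user=bob src=203.0.113.4 result=OK",
    "this line is not an authentication event and is skipped",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"].isoformat()} {a["rule"]:24} user={a["user"]} src={a["src"]} ({a["detail"]})')
```

Each alert is something the reporting protocol described under “Respond to suspicious situations” should route to a named person; the thresholds are deliberately conservative so that ordinary typos, like carol’s two failures, do not generate noise that trains people to ignore the alerts.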

Respond to suspicious situations

Define a protocol for reporting and following up suspicious situations. This allows you to react quickly and limit or even prevent damage. Inform your employees about this protocol so that they know what is expected of them.

Prepare for the future

You can use the lessons from the corona crisis for similar situations in the future. Do you have a roadmap for pandemics and similar large-scale crises? Check whether this scenario already addresses the risk of increasing cybercrime. Measures you can include are:

  • Preparing employees for this additional risk.
  • Intensifying technical monitoring for suspicious activities in the company’s IT infrastructure.
  • Monitoring current information and advice from official sources.

Curious how to protect your organisation against cybercrime? INTERMEDIATE can help. With our substantive knowledge, we find the right professional who can guide and support your organization. Interested? Please contact us: intermediate.pro/contact

This blog was written by Teun Tonino.