
The State of Cybersecurity in Companies

By Oscar Jaramillo - Enermex
CIO


By Oscar Jaramillo | CIO - Wed, 02/01/2023 - 09:00


One of our responsibilities as CIO is the care and protection of information that companies have and generate. Boards of directors must be aware of the state of the infrastructure and procedures that protect information, since it is important to prevent alteration, theft, and exposure in the different areas of the company, identifying threats and risks in systems and applications due to internal or external attacks.

Although the Board of Directors does not need to know every process in detail, it must be accompanied by an expert who communicates well and who maintains privacy and data protection in the face of the cyberattacks to which a company is exposed.

Regardless of its size, information is among the main assets of any company, and associates' lack of knowledge about data handling is a risk for all organizations.

The cases of intrusions into technological infrastructure and identity theft have been increasing due to various factors, such as the use of new technologies, internet purchases and online banking.

The lack of training and awareness among users regarding the protection of personal, company, and financial data, coupled with attackers developing ever more sophisticated techniques to obtain this type of information illegally, has made the digital medium riskier. Attackers who take advantage of the internet, and of users' lack of caution, achieve their goals almost immediately.

To ensure that corporate information is protected, employees must first understand the protection of their personal data.

The protection of corporate, personal, and financial data is a fundamental activity that must be carried out with absolute responsibility and awareness. It is essential that the associate identify which information puts their identity and privacy at risk. To do so, they need to know these distinctions:

a) Personal data is any information about an individual that identifies them or makes them identifiable: origin, age, place of residence, or any kind of history, whether academic, work-related, or professional.

b) Sensitive personal data is data whose improper use represents a serious risk to the person, damaging their privacy or exposing them to some type of discrimination: racial or ethnic origin, state of health, genetic information, religious, philosophical, or moral beliefs, union affiliation, political opinions, and sexual preferences.

c) Financial data is information that reveals the composition or changes of a person's economic assets at a given moment or period (account statements, transactions and transfers, balances, account numbers, and the username and password for online access).

Once users know the main risks to which their information may be exposed, and the consequences this entails (damage to reputation, becoming a victim of aggression or discrimination, identity theft used to commit any type of fraud, or misuse of or harm to financial assets), the company can rest easier, because awareness has been created. That awareness helps protect every type of information, not only personal information.

On the company's side, and as I mentioned at the beginning, the Board of Directors should be accompanied by a cybersecurity expert. This does not necessarily have to be a full-time employee. Small companies, or PYMES as they are known in Mexico, can hire external services that secure their information and infrastructure.

How should the infrastructure and information be secured?

There are many reference frameworks for this, some of them specific to types of industry. These cybersecurity frameworks provide valuable and useful information for designing cybersecurity risk control and mitigation processes.

Here are some of the most used:

• The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002.

Recommended for organizations of all sizes in any industry with a multinational presence. The standard provides guidance and recommendations for an organizational ISMS (information security management system). It is designed to help organizations identify and manage risks to the security of their information and provides a comprehensive set of controls to address those risks.

• NIST CSF (National Institute of Standards and Technology Cybersecurity Framework).

It is geared toward protecting critical infrastructure, such as power plants and dams, from cyberattacks. However, its principles can be applied to any organization seeking better security. It is one of several NIST standards that cover cybersecurity. Like most frameworks, the NIST cybersecurity framework is complex and wide-ranging.

• COBIT (Control Objectives for Information and Related Technology).

This framework is similar to the NIST and ISO frameworks in that it is a general framework that most organizations can use. It is also business-focused and process-oriented. COBIT is often adopted by public company auditors and used as a compliance tool for Sarbanes-Oxley.

• The Center for Internet Security (CIS) Critical Security Controls.

CIS works well for organizations that want to take small steps. Its process is divided into three groups: you start with the basic controls, then move to the foundational ones, and finally to the organizational ones. CIS is also a great option if you need an additional framework that can coexist with other industry-specific compliance standards such as NIST.

Cybersecurity frameworks provide a foundation for achieving a strong security posture and preventing information breaches. These frameworks should be used as a reference and not as a final solution, following a risk-based approach.

Although each framework is made up of controls, it will be necessary to decide which ones apply given the company's conditions and to adjust or adapt them if necessary.

Adopting a reference framework can require considerable time and resources; however, it does not necessarily have to. An organized way to secure the company and continuously measure the effectiveness of that security is to implement some of the security controls these frameworks establish.

In my opinion, these are the 10 controls that we have to establish for a company of any size and industry:

1. Technology inventory.

Know exactly the information related to the company's IT assets: what they are used for, their characteristics, category, location, and which user uses each asset, among other details.

2. Software inventory.

Know what software the company has, which device it is installed on and which version, whether it is still within its useful life, and whether it is functional or whether its replacement, update, or retirement is necessary.

3. Implement secure configurations for all devices: laptops, computers, and network equipment such as firewalls, routers, and wireless access points.

We must prevent exposure due to misconfigured devices, weak security settings, default passwords, unused open ports, excessive administrator privileges, misconfigured certificates, and faulty authentication processes, which in general are the features exploited by cybercriminals.

4. Continuous evaluation of vulnerabilities and remediation.

Vulnerability assessment is not a simple scan with some tool; it is a one-time assessment project with set dates. It is necessary to have an information security specialist who reviews the corporate environment and identifies potentially exploitable vulnerabilities to which the company is exposed.

The result of this assessment is a detailed report that not only lists the identified vulnerabilities but also provides recommendations for their remediation.

5. Defenses against vulnerabilities and malware for the environment and applications.

Antivirus and antimalware programs play an indispensable role here, although they are not the only instruments used to detect attacks.

When it comes to managing malware risk, don't rely on any one technology as your only line of defense. The methods used should form a layered approach, with proactive and reactive mechanisms across the network.

6. Information backup processes and data recovery capacity.

We must have processes and tools to adequately back up critical information, with a proven methodology for its timely recovery.

The purpose of this control is to ensure that each system is automatically backed up at least once a week and that, in the event of an attack, data, the operating system, and applications can be quickly restored from the backup.

7. Limits on and control of network access, such as ports, applications, protocols, and services.

Attackers constantly search for vulnerable and remotely accessible devices and network services. Many systems install and activate services automatically without alerting users or administrators.

We must limit unnecessary services to reduce potential attack exposure, managing the operational use of ports, protocols, and services on networked devices to minimize the windows of vulnerability available to attackers.

This control must also include controls for wireless access: currently, most devices in an organization, even personal equipment, connect this way. Insecure access points give attackers an entry point into the technology environment. Attack methods include compromising employees' wireless devices and using them to break into the network, as well as placing unauthorized wireless access points in the organization that give intruders unrestricted access.
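Controls 3 and 7 both come down to comparing what is actually listening on a device against what is approved. The following script is an added example, not code from the original article: it parses constructed `ss -tulnp`-style output and reports every listening socket that is not in a hypothetical approved baseline, or that is served by an unexpected process.

```python
"""Baseline check for listening network services (controls 3 and 7)."""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1337,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=950,fd=7))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1400,fd=20))
"""

# Hypothetical approved baseline for a web server: (protocol, port) -> expected process.
BASELINE = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

# Matches one ss line: protocol, state, queues, local addr:port, peer, first process name.
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(output):
    """Turn ss-style text into Listener records; the header and unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return listeners

def check_baseline(listeners, baseline):
    """Return (severity, message) findings for listeners outside the approved baseline.

    Sockets bound only to loopback are not remotely reachable, so they are rated low;
    anything else not in the baseline, or served by an unexpected process, is rated high.
    """
    findings = []
    for l in listeners:
        expected = baseline.get((l.proto, l.port))
        if expected is None:
            sev = "low" if l.addr.startswith("127.") or l.addr == "[::1]" else "high"
            findings.append((sev, f"unapproved {l.proto}/{l.port} ({l.process}) bound to {l.addr}"))
        elif expected != l.process:
            findings.append(("high", f"{l.proto}/{l.port} served by {l.process}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for sev, msg in check_baseline(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"[{sev}] {msg}")
```

Run against real `ss -tulnp` output on each inventoried host, the high findings are the unused open ports and unapproved services the control asks you to remove or justify.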

8. Administration and access privileges.

Companies must distinguish their most sensitive and critical assets from the least sensitive and publicly accessible information in their infrastructure. In many cases, users have access to all or most critical assets. Once attackers have broken in using a user's credentials, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations.

It is necessary to have processes and tools for managing secure access to critical assets, assigning which people, computers, and applications need and have the right to access those assets, based on an approved classification.

9. Incident response management process.

Businesses will at some point have to deal with an attack that successfully breaches their defenses. For this reason, they need to have a plan to respond to and manage a security incident.

The plan should include details on procedures, reporting, data collection, management responsibility, legal protocols, and communication strategy. That way, the organization will be able to understand, manage, and recover from the incident.

The lack of an incident response plan could result in an attack not being detected or an ineffective response to an incident.

This plan protects the organization's information and reputation by developing and implementing an incident response infrastructure (plans, defined roles, training, communications, administrative oversight) to rapidly discover an attack, contain it effectively, and restore the integrity of the infrastructure and systems.

10. Penetration tests and vulnerability exercises.

How can we know if our company is vulnerable or not?

By doing penetration and vulnerability exercises. These technical tests help us identify the vulnerabilities of specific elements in the IT structure. The goal is to find weaknesses by mimicking attacks, which helps determine how far an attacker could go.

A penetration test must be periodic, at least once a year, to avoid the loss of information; the frequency with which this type of testing is performed depends on the risk assessment and the structure of the company. This evaluation lets us know how much the systems and infrastructure could be affected by a real cyberattack.

Cybersecurity must be a priority in any company. There is a new reality: the more users and devices are connected, the greater the risks associated with electronic fraud and cyberattacks, which will be a headache. No planning, no cyber culture, and little investment in cybersecurity will bring devastating technological consequences.

Is it expensive? It depends on how you look at it. The objective of cybersecurity is to reduce the risk posed by external agents that try to access information without authorization.

The question you should ask is: how much is my information worth? Money, time, effort, reputation, and the work of all employees.


References:

• The International Organization for Standardization (ISO), frameworks ISO/IEC 27001 and 27002.

• NIST CSF (National Institute of Standards and Technology Cybersecurity Framework).

• COBIT (Control Objectives for Information and Related Technology).

• The Center for Internet Security (CIS) Critical Security Controls.

• Kaspersky.

• Cisco.

• Microsoft.

• ISACA.
