The Age-Old Secret to Cyber Immunity
Co-written with Wen Sin Lim
Health is Wealth
The world is ill — it has been for quite some time, and it shows no signs of recovery. There has been a flurry of discussions about the future. Topics around measures to help the masses adapt to the new normal have been daily debates. Millions have suffered losses, and billions more have been lost amidst this pandemonium.
Indeed, unbridled technological adoption, coupled with the comparatively slow implementation of cyber solutions, has created exposures that present more opportunities for fraud and misuse in this digitally connected world.
Small or large, no business is immune to cyber-attacks. Enterprises that deploy information technology in their operations ought to familiarize themselves with the associated cyber risks as these are especially hard to identify and then mitigate.
A cyber risk might arise following a successful cyber attack.
A cyber attack might happen if your environment is vulnerable to weaknesses, such as outdated software, unaware employees, or process issues. Cybercriminals exploit people, processes, and technology weaknesses.
Once something is shared online, it leaves a permanent imprint — and this information may quickly spiral out of control if left unprotected, then used to compromise the victim. Here, your reputation is at stake.
Even if you have not endeavored to establish an official brand presence on any digital platform, people outside of your corporate environment can do so for you. Today, supposedly private information can be easily uncovered via a few quick internet searches. Evidently, yesterday’s risks now manifest themselves very differently in this ever-evolving threat landscape.
In order to bolster your organization’s cyber posture, you’ll need to identify the cyber exposures in your existing environment and address them promptly and effectively. The underlying principle is simple: we’ll always fear what we don’t know. Thus, you need to have, first visibility, then control. Visibility is hard too. It requires understanding your overall ecosystem, assets, vendors, partners, etc. Every stakeholder that is part of your interconnected ecosystem might present a potential entry point for cybercriminals.
As part of our wider commitment to equipping organizations — and especially small and medium enterprises (SMEs) — with an affordable one-stop cybersecurity solution, we want to help you establish better security habits for maximum longevity. Our own Immunity Report provides customized threat intelligence in the same way medical reports provide highly individualized diagnoses. Our goal? To age well with you.
Knowledge is King: What are Cyber Exposures?
From the information that is unknowingly logged via the web pages we visit to what we willingly provide through the purchases we make online or store on the cloud, our online activities are all clues that can be traced back to us.
These are some examples of typical cyber exposures — each one of us has them, which is normal. However, we need to know what they are and how to manage them. Otherwise, they can significantly increase our risk of being attacked or just compromised.
Each asset (email, web, IoT, and network, amongst others) might contain a different set of vulnerabilities that can be exploited over time.
One’s risk profile shrinks and expands in proportion to one’s attack surface. The greater the number of assets, the larger the attack surface. Identifying the various information assets that could be compromised in a cyberattack (such as hardware, systems, laptops, customer data, and intellectual property) is the quintessential first step to cyber attack.
Barring a spike in digital assets, however, other factors can also cause the risks undertaken to exceed what was agreed upon at the point of inception. For instance, when social media channels, websites, and apps change their privacy policies and security settings, and we are unaware or unable to keep track of what’s available for public consumption and what isn’t, the personal messages, information, and data that we post online can end up being viewed by far more people than we ever intended.
This is a non-issue when all the concerned parties are aware of the heightened risks related to data disclosure they are undertaking and can make effective decisions to withdraw or partake.
However, without constant review, it’s akin to granting carte blanche permission to access your sensitive data with no regard for personal privacy. Along the same vein, no one in their lucid mind would appoint a total stranger their Power of Attorney now, would they?
Knowing your Breach History
IT systems, humans, and processes are constantly beset by malicious attacks. Cyber threats are evolving at a rate that traditional security approaches are failing to keep pace with. Organizational security could already be compromised between the employees who have been unconsciously using their corporate emails on social media and the unsuspecting in-house IT team who hasn’t detected their privileged accounts’ password and email leak. Protection alone is no longer sufficient — organizations need to adopt an “assume breach” mindset.
Importantly, it is not always immediately apparent to end-users when a breach occurs. If it goes undetected, the breach can be an ongoing one where the attacker is free to continually extract data from the company’s network and chip at the data over a protracted period of time.
Overall, a poor awareness of one’s breach history negatively impacts the business agenda. As stolen data typically falls under the category of proprietary information, organizations ought to seek a fuller understanding of their breach history and take the necessary action to contain the compromise swiftly and remediate the damage dealt. After all, the vulnerabilities that were exploited in previous breach incidents may be potential re-entry points if they are left unidentified and unresolved.
Learn from yesterday’s mistakes to fix the challenges tomorrow may bring. While preventive measures are a temporary salve, they are nevertheless imperative to mitigating magnitude attacks from happening in the future.
Managing your Risk Profile
Developing your company’s digital presence is a powerful way to engage with your customers and promote your brand. Conversely, it is also an avenue for malicious hackers to gain a foothold within your IT infrastructure. Whenever you use a connected service, or whenever information about you is posted onto a digital forum, such as a social network, the data leads back to you.
“IT TAKES 20 YEARS TO BUILD A REPUTATION AND FEW MINUTES OF CYBER-INCIDENT TO RUIN IT.” — STÉPHANE NAPPO
A badly managed cybersecurity strategy or a lack of it could endanger years and years of hard work that went into building your unique selling point and thus, revenue stream.
Understanding your unique risk profile allows you to make better-informed decisions to secure your business objectives. We need to be extra vigilant for those who work at organizations where our roles give us privileged access to sites, information, or assets. You may not be so concerned with organizational processes, systems, finances, staff data, or intellectual property, but these constitute digital assets of interest to those with malicious intent.
Data is the new gold, and benefits are to be reaped from gaining access to confidential information. The cyber landscape is interconnected; the information gleaned from exploiting your vulnerabilities can cause harm to your family, the organization where you work, the larger community, and the wider public. By taking some practical steps, you can minimise your security risks while still making full use of the many digital services available.
Figure 1: Immunity
Boosting your Cyber Immunity
The key to preventing repeat attacks lies in increasing the cost and difficulty of penetrating your security system. The following are some of our top tips to secure your organizational assets and sustain customer confidence in your brand:
Avoid oversharing — Familiarize yourself with the processes to control your device’s privacy and security settings and only grant permissions for specific apps that you trust. Keep a watchful eye over the changes to them when you install updates.
Use antivirus software — Do not let your environment open to known viruses and malware, but do not expect the tools to stop them all. There are more than 300 000 new malware per day.
Keep your devices up to date — Operating systems (OS), applications, and software should be regularly updated to protect against known vulnerabilities. Enable automatic updated as much as possible, if that doesnt break critical business applications. Install security updates as soon as possible, especially when your vendor announces a critical patch/update.
Access secure networks wherever possible — Not all public WiFi is encrypted, so avoid connecting to public networks without appropriate security in place. Your home and office are relatively safe locations from which to access the internet. In addition, not every device is secured nor well-maintained, and entering personal information online with one that isn’t completely secure could render sensitive data stored on your (authorized) computer vulnerable.
Mind those around you — Don’t leave your devices unprotected, especially in high-traffic areas. Please treat the information on your device like it’s the PIN to your bank card and make it such that it is inaccessible by others.
There has been a paradigmatic shift in the way we think about minimising our attack surface and protecting against diverse threats and cyber attacks. Security teams must now be proactive in maintaining visibility over their organization’s assets and cyber exposures to detect and remediate them as they surface.
100% security does not exist, and therefore you need to balance mitigation, transfer, and response to cyber risks.
Reach out if you need our help.