Countering cyber threats NOT by cyber methods

Author: Alexander Tretiyak

According to research conducted by EY, 36% of the companies that took part in the study believe that their information security service is unable to withstand a contemporary attack, and 88% (!) of respondents believe that their IS function does not meet the needs of the business. Why is this happening despite the ample guidance provided by various standards?

There are many views and concepts of what an Information Security service should be in a modern company, what place it should occupy in the company structure, and what requirements its employees must meet. Often the main criterion for selecting employees for the Information Security service is technical expertise: in-depth knowledge of information technologies, confirmed by the corresponding certificates. Little attention is paid to such basic competences as communication skills, interaction and result orientation. Often even experienced recruiters consider themselves incompetent to evaluate candidates for information security units. Under this approach, the information security manager is given full autonomy in forming the team, because no one else can evaluate the candidates' competencies.

Later, the same situation is observed in the work of the units. Lack of experience in the field of information security usually leads to a situation in which the specialized unit is given objectives such as “to be safe” or “so that information cannot be stolen from us”. The ways of accomplishing such tasks and the assessment of how well they have been implemented are left to the executors themselves. This approach fundamentally fails to comply with best practices for building a system of internal controls, which should be organized into three lines of defense.

In such circumstances, few subordinates inform management about the measures taken, their system and their results. The defense of information assets is built at the unit's own discretion and is not always aligned with the company's development strategy. The information security service becomes a kind of “black box” for the whole company, which is not a defense but a hidden threat.

When a real threat is detected and prevented, the result is credited to the responsible unit. When there are no incidents, a sense of safety is created, although there have been cases in which criminals who had compromised a company's information assets went unnoticed for a year or more.

When an incident does occur and causes damage to the company, the arguments put forward are insufficient resources and funding, with which it is impossible to resist contemporary attacks. After this, the holes are most often patched in a hurry and additional monitoring tools are purchased, which without systemic changes will not provide the necessary effect. Piling up monitoring tools without fine-tuning them leads to a large number of false positives. According to Cisco research, in large companies up to 44% of the events raised by information security monitoring systems receive no response.

Partly this situation has objective reasons. Indeed, in modern conditions cyber-fraudsters spend huge amounts of money and human resources on organizing and carrying out attacks. Outstanding specialists work in this area. Identifying and fully understanding attack mechanisms and tools in detail is perhaps possible only for specialist companies that focus on cyber security, deal with this problem continuously, and have sufficient resources and extensive experience. It is these companies that develop and offer the most efficient tools to prevent cyber threats.

It is important to note that it is impossible to be continuously protected against all types of threats.

“Knowing about the relevant threats and the methods of countering them is the basic task of a company's Information Security.”

That means correctly choosing and applying the necessary methods of protection, not studying the fine points of vulnerabilities and the methods of exploiting them.

“In order to stop a hacker, do not be a hacker; you need to know as much as possible about the hacker.”

To make the right management decisions in the field of protection against cyber threats and to ensure a sustainably secure state of the company's information resources, the company should:

  • implement a risk-oriented approach to building the information security management system;
  • integrate the information security management system harmoniously into the risk management system, as its component part;
  • organize a continuous process of evaluating information security risks, based not only on the dynamically changing threat landscape, but also on the direction of business development, the threat exposure of specific sectors of the economy, and geopolitical processes;
  • continuously assess and improve risk management processes in order to raise their maturity level.

Risk management issues, including those of Information Security, have been acute for companies over the past decades. Today, in the era of digital business transformation, with information technology entering all areas of activity without exception, the relevance of cyber security issues is growing. The world's best practices of Information Security management have been developed and have become the basis of international ISO standards and a number of industry standards.

At any stage of building and developing an Information Security management system, it is critically important to provide the competent departments with a flow of information about contemporary attacks and the vectors they target, so-called threat intelligence. In the early stages of building the processes, this information will show which direction to move in; at the developed and advanced levels, it will provide the necessary applied data.

Regular use of analytical data from professional suppliers makes it possible to prioritize the implementation of protection measures correctly: to choose the right protection and monitoring tools, to configure them correctly and, most importantly, to ensure that they interact and remain manageable. It will increase the utilization of the systems that are already “aboard”, or it will provide critical arguments for abandoning those systems and selecting new ones.

The indicators of attack provided in such analytics make it possible to significantly reduce the time needed to identify a threat compared with analysis conducted with the company's own resources, to promptly localize compromised data and devices using ready-made, tested scenarios, and to use best practices for overcoming the consequences of an attack.

When it comes to contemporary cyber attacks, awareness and reaction time come first. Information security is not a state but a process, one that requires dynamic changes and is extremely sensitive to delays. Therefore, if you are told that everything is safe with you, that is a reason to reflect! The correct answer is: we work constantly to ensure safety.

Alexander Tretiyak
