What the CEO can do to make their business more cybersecure.
Unless you are the CEO of a cybersecurity company, chances are you are not a cybersecurity expert and so rely on the advice of your IT Team.
You need to admit that when it comes to cybersecurity you don’t know what you don’t know.
To meet the challenges of 2021 and beyond, CEOs need to bring clarity to their cybersecurity needs, and this will involve challenging their IT Teams to prove they are in full control of their infrastructure.
- How do you bring clarity to something that is not within your realm of expertise?
- Can you trust information you receive from an IT Team that is unclear about what it should be focused on?
Enticed by vendor pitches promising products that block every new threat as it appears and so guarantee that a ransomware attack will be avoided (all without any assessment of the existing infrastructure to identify exactly where it is vulnerable), companies end up buying one solution after another without any plan.
In the process, IT Teams may end up with a tangled mess of products and services that don’t work together, or technologies that staff don’t know how to use effectively.
There is also the issue of “alarm fatigue”: products that promise to prevent a breach tend to flag any blip on the network as a potential threat and raise an alarm just in case.
PwC’s 2021 Global Digital Trust Insights survey shows that 53% of IT / Cybersecurity team executives aren’t sure that their company’s cyber spending really addresses the risks the company faces and uses solid data as a basis for setting priorities.
This suggests confusion within the IT Team that leads to a situation akin to “Silent Cyber” within the insurance industry. In other words, the IT Team is uncertain of what exactly it should be doing but knows the C-Suite thinks it is doing everything.
Or to put it another way, both sides hope nothing goes wrong but if it does the C-Suite will say they assumed the IT Team had things covered.
The reality for companies today is there is no longer a perimeter to protect and with remote working becoming the norm and BYOD stretching digital boundaries to their very limits, good security is significantly tougher to achieve.
Complexity is the enemy of security: everything you do to keep things simple makes the company more secure. What matters most are the three Ps:
All equipment needs to be regularly updated and patched; you need to determine who has access to what (track access and implement password protection); and your password policies need to follow best practice.
Appetite for Risk:
At GuardYoo we believe that, by using the following methodology, CEOs can work with their IT Teams (using Compromise Assessment) to determine their Risk Appetite and how best to deploy their existing cybersecurity tools.
- View the network like a living organism:
Carry out a Compromise Assessment to identify how a network actually operates.
Identify strengths and weaknesses and existing vulnerabilities.
- Build an Attacker Persona:
Consider your industry, reputation and the value of your data.
Where would an attack likely come from?
Who would consider you a worthy target?
How sophisticated is the attacker likely to be?
- Understand Attacker Sophistication:
What tools/techniques will they have at their disposal?
- Assess Attacker Determination:
How determined will the likely attacker be?
e.g. a “script kiddie” may try once or twice but is likely to give up if unsuccessful, whereas a state-sponsored organisation will remain patient and focused in its attempts.
Once a company has considered and analysed the above areas, they are then in a good position to understand how best to deploy the processing power of their existing cyber solutions.
What the CEO can do:
Ask the IT Team to take the following quiz to test their knowledge of the company infrastructure and ask them to verify their answers.
- How many Domain or Enterprise Administrator accounts are in your infrastructure?
- Will your Administrators be able to distinguish their own actions from the actions of hackers, if their own accounts are compromised?
- Do Administrators use their highly privileged accounts solely for the tasks for which they were created, or do they allow themselves violations?
(Reading mail, installing free software, unnecessarily accessing other hosts on the network)
- How many active GUEST accounts do you have in your infrastructure?
- How many active local Administrator accounts do you have in your infrastructure using an unrestricted password?
- How many active Local Administrator accounts do you have in your infrastructure using the same password?
- How many active Local Administrator accounts do you have in your infrastructure that do not have any password requirements?
- How many active accounts are included in the Administrators group in your infrastructure?
- Have all users proven themselves to be trustworthy/responsible employees or are there active accounts for users that have displayed risky behaviour in the past?
- How many hosts are actively using software with remote access capabilities? (TeamViewer, LogMeIn)
- Are anti-virus tools installed, working, and updated on all hosts and servers?
A CEO will know if the answers given inspire confidence or raise concerns.
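Several of the quiz questions can be answered with numbers pulled straight from Active Directory rather than from memory. The script below is an added example, not GuardYoo's code, showing how an IT Team could produce verifiable answers to the questions about privileged group membership, enabled Guest accounts, accounts exempt from password requirements, remote-access software on hosts, and anti-virus status. It assumes the RSAT ActiveDirectory module is installed, the account running it can read AD, WinRM is enabled on the hosts queried, the privileged group names are the default English ones, and the `$RemoteAccessPattern` list is a constructed starting point to extend for your own estate. The questions about local Administrator passwords being shared or unrestricted cannot be answered from AD and need a separate local-account audit.

```powershell
# Added example (not GuardYoo's code): produces the raw figures behind several quiz
# questions so the IT Team's answers can be checked rather than taken on trust.
# Assumptions: RSAT ActiveDirectory module present, read access to AD, WinRM enabled
# on the hosts you query. $RemoteAccessPattern is a constructed list to extend.
Import-Module ActiveDirectory

# Q1/Q8: enabled accounts in each privileged group, resolved recursively so that
# nested groups do not hide members.
function Get-PrivilegedAccountReport {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate |
            Where-Object { $_.Enabled }
        [pscustomobject]@{
            Group          = $g
            EnabledMembers = @($members).Count
            Accounts       = (@($members.SamAccountName) -join ', ')
        }
    }
}

# Q4: enabled Guest accounts. The built-in Guest always has RID 501, even if renamed;
# the name match also catches copies someone created by hand.
function Get-EnabledGuestAccounts {
    Get-ADUser -Filter { Enabled -eq $true } -Properties Description |
        Where-Object { $_.SID.Value -like '*-501' -or $_.SamAccountName -like '*guest*' } |
        Select-Object SamAccountName, Description
}

# Q7: enabled accounts flagged as not requiring a password, plus accounts whose
# password never expires; both sidestep the password policy the quiz asks about.
function Get-WeakPasswordPolicyAccounts {
    Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNotRequired, PasswordNeverExpires |
        Where-Object { $_.PasswordNotRequired -or $_.PasswordNeverExpires } |
        Select-Object SamAccountName, PasswordNotRequired, PasswordNeverExpires
}

# Q10/Q11: per host, installed remote-access products and Microsoft Defender status.
# Reads the Uninstall registry keys over WinRM. Get-MpComputerStatus only exists where
# Defender is the AV, so hosts running third-party AV report $null and need another check.
$RemoteAccessPattern = 'TeamViewer|LogMeIn|AnyDesk|VNC|DameWare'   # constructed list
function Get-HostExposureReport {
    param([string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $apps = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $using:RemoteAccessPattern } |
            Select-Object -ExpandProperty DisplayName
        $av = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
        [pscustomobject]@{
            Host         = $env:COMPUTERNAME
            RemoteAccess = (@($apps) -join '; ')
            AVEnabled    = if ($av) { $av.AntivirusEnabled } else { $null }
            SignatureAge = if ($av) { (New-TimeSpan -Start $av.AntivirusSignatureLastUpdated).Days } else { $null }
        }
    }
}

# Usage: run the AD checks, then query every enabled domain-joined Windows host.
Get-PrivilegedAccountReport | Format-Table -AutoSize
Get-EnabledGuestAccounts | Format-Table -AutoSize
Get-WeakPasswordPolicyAccounts | Format-Table -AutoSize
$hosts = (Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows*' } -Properties OperatingSystem).Name
Get-HostExposureReport -ComputerName $hosts | Format-Table -AutoSize
```

Hosts that do not answer over WinRM simply drop out of the last report, so compare its row count against the host list: a machine that cannot be queried is itself an answer to the question of whether the team is in full control of the infrastructure.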
Don’t accept the standard answers:
IT Teams may highlight how they have implemented two-factor authentication (2FA) and Network segmentation, and these are good approaches to reduce the probability of a successful attack.
But infrastructure is much more complicated and deploying these solutions alone will not stop your network from being breached.
Bear in mind some issues regarding 2FA:
- Third-party contractors may not have implemented the same level of security.
- Remote staff may be working on their own devices.
- Internal “service accounts” cannot work with 2FA.
- Unsupported versions of the Windows OS (Windows XP, for instance) cannot be patched.
Regarding network segmentation:
You can split your network into many segments that will work separately and be secure from each other, but they still need to connect to a Domain Controller, a Database, or other Servers (Document Management System, Fileserver, etc.).
If adversaries gain access to these Servers, they can avoid the network segmentation obstacle and deliver their malware by using the same tools that administrators use (Domain Policy, PsExec, DameWare, VNC etc.).
Carry out regular Compromise Assessments to ensure you understand your network well enough to:
- Keep its configuration simple enough to manage
- Keep it clear enough to identify any suspicious activity
- Keep it organised enough to implement best-practice IT policies
- Know what data sets are of most value (to you and to potential hackers)
If you fully understand how your network operates, you will identify any new device or service that suddenly appears on your network.
GuardYoo’s goal is to reduce a company’s “Attack Surface” to a minimum and to help it fully understand its infrastructure, for only when a company understands its own infrastructure completely can it begin the process of securing itself.
What is imperative is that companies can distinguish their own legitimate network activity from the actions of the hacker; if you can do this, you can identify an intruder earlier, which helps to avoid malware being executed. You achieve this by building a completely organised network.
To learn more about how GuardYoo can help bring more clarity to your cybersecurity posture, please contact us - info@GuardYoo.com to arrange a discovery call with one of our cyber consultants.