Cybersecurity

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Technology

Published by Gbaf News

Posted on November 19, 2012

Featured image for article about Technology

Mike Howie, Information Security Consultant at CS Risk Management

In recent months it has been hard to avoid hearing the latest business buzz phrase of cybersecurity. Unfortunately, despite searches of popular retail sites, fully functional sonic screw drivers, as used by Doctor Who to defeat the cybermen, are not yet available. However, three key weapons that are available for cybersecurity are: Mike-Howie

•   Information Security: Ensures that Confidentiality, Integrity and Availability are appropriately addressed;
•   Application Security: Provides assurance that the systems and applications are not vulnerable; and
•   End-User Education: Potentially the most powerful weapon to prevent an attack taking hold and causing damage.

Internet forums are littered with reports of companies who have not grasped the need for appropriate cybersecurity thereby suffering losses financially and damage to their reputation.
The types of attack can be broadly grouped into three categories:

•   Target of Opportunity – these instances are identified as having weak security but information of value to the attacker;
•   Drive by Target – these instances include phishing, encouraging employees to download harmful software by clicking on an internet link or downloading an attachment; and
•   Target of Choice – these instances may have strong security controls but the attacker is determined to obtain information or disrupt the business of the organisation. In this instance there may be multiple types of attack used to obtain the desired result.

As with all business decisions the amount of spend on protection has to be justified against the threat and cost of an attack. Current statistics show that the volume of attacks is intensifying and the attacks themselves are becoming more sophisticated.

At the forefront of the battle are employees, contractors, partners and vendors as they are the users of the systems and applications that access the company data. By developing an evolutionary awareness programme for all users the threat level can be reduced. An effective security awareness programme addresses three key areas:

•   It is regularly reviewed and updated as the social engineering attacks adapt and become increasingly sophisticated;
•   It is visible and repeated regularly, as it has been seen in experiments that despite telling people not to click on attachments the advice is forgotten quickly; and
•   Employees know who to tell when they are subjected to a social engineering attack so that the incident can be captured and lessons learnt.

Application Security was identified as the top threat to information security professionals in the 2011 (ISC)2 Global Information Security Workforce study. Therefore it is worth taking time and effort to ensure that exposure in this area is minimised. Key areas to be considered are:

•   Ensuring that applications and systems are updated with the latest patches and known vulnerabilities are addressed is a key step in ensuring that there is no easy access for a potential attacker;
•   Modifying default vendor supplied usernames and passwords on internet accessible devices; and
•   Incorporating security requirements into the software development process.

Since 1995 the British Standards Industry has published Information Security Management guidelines and these have developed into the ISO 27000 series. The series provides best practice recommendations on information security management, risks and controls. Many companies are finding that the benefits provided by alignment with the standards include:

•   A quality based methodology to evaluate, implement, maintain and manage the information security program;
•   Information Risk management which provides a mechanism to integrate information security into the companys overall risk management strategy; and
•   Improved image as it demonstrates to customers that the security of their information is paramount.

Many companies believe that it’s not a case of if they are attacked but when, therefore being prepared by having a crisis management plan is essential. This incorporates the business continuity/disaster recovery plan to recover the business service and also enables the media interest to be addressed.

There are many drivers for stealing corporate data, including both focussed and opportunist attacks and whilst the attackers are dynamic and quickly evolving some companies are languid in their response. The approach to addressing cybersecurity requires a continuous cycle involving planning, doing, checking and acting. Whilst this approach may not provide a wholly risk free cybersecurity environment it will provide the reassurance that the likelihood of reading on social media or industry web sites about how your organisation was breached will have been reduced.

CS Risk Management is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Subscribe to our newsletter

Global Banking and Finance Review

Company