A cybersecurity Governance and Risk Management program should be established which is suitable for the size of the organization. Cybersecurity risk needs to be regarded as a substantial business risk by the owners and directors. This should be at the same level as compliance, operational, financial, and reputational risks with suitable measurement criteria and results monitored and managed.
There are voluntary frameworks that can be used to structure the risk assessment and the related best practices. One widely used example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Version 1.1 of the framework includes five concurrent and continuous functions (version 2.0, published in 2024, adds a sixth function, Govern, which covers the risk management program described above):
Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
New threats continue to emerge, and each organization needs to confirm that it is equipped to deal with a dynamic threat landscape. The following are some of the more important system utilities and solutions used to help mitigate these attacks:
Anti-phishing software protects users from websites and email links that are designed to harvest credentials and other personal information for fraudulent use.
Anti-malware/anti-spyware and web proxy filtering solutions protect systems from malicious code delivered through pop-up windows, drive-by downloads, and similar channels, ranging from nuisance adware to keyloggers that capture usernames and passwords for fraudulent use.
Firewalls, implemented in software or as dedicated hardware, control which traffic may enter or leave the organization's systems over both internal and external communication links, and so limit who can reach a given service.
Anti-spam software protects email inboxes from being clogged by unsolicited bulk email, which is also the most common delivery channel for phishing and malware.
All are baseline controls for any well-managed system using a defense-in-depth strategy; none of them is sufficient on its own. The cost of an attack can be significant, involving loss of data, fraud, downtime, and the cost of rebuilding systems, and should be weighed against the cost of defending against such threats.
It is recommended to use a well-known, reputable supplier. Some products marketed as security utilities are themselves malicious software (so-called rogue or fake antivirus). Be cautious about using free software or software from an unknown vendor. Generally, it is best to use the utilities recommended by the business's systems integration (technical support) organization, as they will be responsible for installation, configuration, and maintenance.
Maintenance of these applications is critical. New malicious software emerges every day. Most vendors provide at least daily automatic updates to their signature databases so that the system continues to be effectively protected. It is not enough to schedule these updates; verify that they are actually being applied, for example by checking the signature date reported by each endpoint and alerting on any that fall more than a few days behind.
Maintenance contracts should be coordinated with hardware suppliers so that hardware failures can be quickly rectified. These contracts should specify the service levels that the supplier will meet in the event of failure. Critical hardware such as servers, switches, and backup technologies require prompt attention. Many contracts specify a four-hour response for the failure of these components. Other, less critical hardware such as individual workstations can have longer response times.
Some organizations, particularly in remote areas, purchase some critical components that have a higher potential to fail, such as power supplies, as spare parts that can quickly replace a failed component. Organizations that rely on maintenance contracts should ensure that the support company maintains an adequate supply of spare components to meet the organization's service level commitments.
The quality of the organization’s external IT support company is critical in ensuring the systems are correctly implemented and supported. Issues that need to be considered in selecting an appropriate company include:
Their knowledge and experience with the organization’s hardware and operating system configuration.
Their knowledge and experience with the organization’s application software.
Certifications held with major hardware and software vendors, which provide some assurance of the competency of the company's staff.
The number of people within the company who have the required knowledge to support the system. This is critical, because reliance on a single individual can result in significant delays and costs should that individual be unavailable for any reason.
Their ability to provide support services remotely, to enable rapid response to issues at a reasonable cost.
Proper due diligence and vendor risk management to ensure that the third party is providing the services in line with the organization's expectations.
Contact Six Industries Inc today to get started.