Aggressive and damaging cyber-attacks, especially those involving ransomware, have dominated the news in the first half of 2021. Whether it has been gasoline shortages along the East Coast of the United States, potential beef shortages, or delays in critical transportation, the impact of such attacks on organizations and the economy cannot be overstated.
How should an organization start to assess what it can do to prevent, detect, and respond to such attacks?
The effective deployment of information technology (IT) security governance principles, based on appropriate industry or regulatory standards, can be an organization’s first line of defense against cyber threats. IT security governance should be considered an essential and strategic element of an organization’s overall governance and risk management program.
What do we mean by the term IT security governance? The following two definitions illustrate key elements to consider:
- According to the Certified Information Systems Security Professional (CISSP) Official Study Guide, IT security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance principles are closely related to, and often intertwined with, corporate and IT governance.
- According to the COBIT 2019 Framework, IT security governance should do at least three things:
  - Evaluate stakeholder needs, conditions, and options to determine balanced, agreed-upon enterprise objectives
  - Set direction through prioritization and decision making
  - Monitor performance and compliance against agreed-upon direction and objectives
Cybersecurity Threat Lifecycle
Cyber-attacks are not isolated, one-time events. Typically, an attack follows a lifecycle that begins with threat actors using various techniques and tools to probe, analyze, and attack, and ends with the exploitation of an organization’s IT systems. These attacks can be classified as advanced persistent threats (APTs), which can be modeled with generic timelines or event horizons and may consist of many phases. Long before files are encrypted and a ransom note is presented, the threat actors have most likely spent weeks or even months conducting research and reconnaissance, then scanning and deploying malware packages into a network or system. Typical phases associated with ransomware include:
- Reconnaissance and initial compromise
- Exfiltration and encryption
- Ransom notification and negotiation
- Data leakage
Implementing specific IT security controls can help mitigate the risk associated with ransomware. For example, the National Institute of Standards and Technology (NIST) has issued draft guidance on how to prevent ransomware. It recommends the following preventative controls:
- Use antivirus software at all times to automatically scan emails and flash drives.
- Keep computers fully patched and run scheduled checks to keep everything up to date.
- Block access to ransomware sites with security products or services that can identify known ransomware sites.
- Configure operating systems and third-party software to allow only authorized applications.
- Restrict personally owned devices on work networks.
- Use standard user accounts versus accounts with administrative privileges whenever possible.
- Avoid using personal apps like email, chat, and social media on work computers.
- Beware of unknown sources unless you first run an antivirus scan or look at links carefully.
Selecting and Implementing the Right Cybersecurity Framework
Though specific IT controls are important in addressing possible vulnerabilities, organizations often find themselves plugging small security holes while missing the larger risks they face. Cyber threats and vulnerabilities are constantly evolving, which is why organizations need a holistic and strategic assessment of their mission, objectives, resources, and associated risks. IT security governance provides an organization with a holistic and strategic view of the threats, vulnerabilities, and resulting risks.
While the detailed concepts and processes associated with creating and maintaining an IT security governance program are fairly involved and beyond the scope of this short summary, there are a few essential tasks that should be part of getting started:
- Establish the goal of the IT security governance program and how it fits into your organization’s overall governance, risk, and compliance (GRC) management programs
- Research and select the appropriate cybersecurity framework(s) that you will use as guiding principles for the governance efforts. A short but not exhaustive list of possible cybersecurity frameworks to consider includes:
- Assign roles, responsibilities, and reporting structures associated with IT security governance efforts
- Develop overall policies and procedures to guide the organization
- Start the effort as soon as possible!
Protecting your organization’s assets, stakeholders, and reputation from the dangers of modern cyber-attacks requires a concerted and sustained effort. Establishing and maintaining a robust IT security governance framework for your organization is foundational in that effort.
CAI provides IT security consulting services that can help local governments, businesses, and organizations assess their security posture and begin the process of building an IT security governance program.