To join future roundtables and business security talks, contact events@nsp.co.nz
You can also read about emerging cyber security trends or download the full Roundtable Cyber Security Report.
Here are the Q&As on cyber security that are covered in this article:
Everyone in the organisation must practise due diligence and due care, but the board is ultimately accountable, as its members can be jailed for negligence.
Make sure your organisation has done the right things with its partners, particularly by discussing their security posture and running continuous scans against the services you rely on.
For clarity on what your organisation should be doing around its cyber security culture, call us on XXX or email through our contact form.
To answer one of the most commonly asked cyber security questions: yes, certain people within an organisation are automatically considered vulnerable because of their high-level privileges. People like the CEO and board members are common targets for phishing and social engineering.
Business email compromise (BEC) attacks impersonate senior executives and/or key business partners. The goal? To steal money.
Sometimes the attacker compromises a legitimate business email account, but more often social engineering alone is the tool of choice: a spoofed or lookalike sender address and a plausible pretext.
The aim is to masquerade convincingly as a senior executive such as the CEO or CFO and request a wire transfer to a supplier, with an account number that is actually controlled by the attacker.
In other BEC attacks, the attacker intercepts genuine supplier emails and substitutes their own bank account number for the supplier's.
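The two BEC patterns just described leave traces a mail gateway can score before a human ever sees the message: an executive's display name on mail from an outside domain, a Reply-To that silently redirects the conversation, a sender domain that is a near-copy of a trusted supplier's, and payment-diversion wording. The following is an added example, not NSP's or the page's own code; the company domain, executive names, supplier domain and sample messages are all constructed assumptions for illustration.

```python
"""Score an inbound email for common BEC indicators (added example; the
domains, executive names and sample messages below are constructed)."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.nz"                           # assumed
EXECUTIVES = {"jane smith", "tom lee"}                      # assumed CEO/CFO names
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "acme-supplies.co.nz"}   # assumed supplier

# Wording seen in payment-diversion requests, matched against subject + body.
PAYMENT_PATTERNS = {
    "bank_details_change": r"\b(new|updated|changed)\b.{0,40}\b(bank|account)\b",
    "payment_request": r"\bwire transfer\b|\bpayment\b",
    "urgency": r"\burgent(ly)?\b",
}
# Substitutions used to build lookalike domains; applied to both sides before
# comparing, so "acrne-supplies" and "acme-supplies" collapse to one string.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    nd = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(nd, normalise_domain(trusted)) <= 2:
            return trusted
    return None


def bec_indicators(msg: dict) -> list:
    """Indicator names that fire for one message (dict of From, Reply-To,
    Subject, Body header strings)."""
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Executive's display name, but the mail did not come from our domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        hits.append("exec_display_name_external_sender")
    # 2. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        hits.append("reply_to_domain_mismatch")
    # 3. Sender domain is a near-copy of a domain we trust (supplier swap).
    target = lookalike_of(from_domain)
    if target:
        hits.append(f"lookalike_domain:{target}")
    # 4. Payment-diversion wording.
    text = f"{msg.get('Subject', '')} {msg.get('Body', '')}".lower()
    for label, pattern in PAYMENT_PATTERNS.items():
        if re.search(pattern, text):
            hits.append(label)
    return hits


SAMPLES = {  # constructed sample messages
    "ceo_fraud": {
        "From": "Jane Smith <jane.smith@gmail.com>",
        "Reply-To": "jane.smith.ceo@outlook.com",
        "Subject": "Urgent wire transfer",
        "Body": "I'm in a meeting, please send the wire transfer to the supplier today.",
    },
    "supplier_swap": {
        "From": "Accounts <accounts@acrne-supplies.co.nz>",
        "Subject": "Invoice 4471",
        "Body": "Please note our updated bank account details and make payment to it.",
    },
    "legit": {
        "From": "Jane Smith <jane.smith@example.co.nz>",
        "Subject": "Board papers",
        "Body": "Attached are the papers for Thursday.",
    },
}


def triage(samples: dict) -> dict:
    """Map each sample to its indicators; anything non-empty goes to a human."""
    return {name: bec_indicators(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:14} {hits or 'clean'}")
```

None of these indicators is proof on its own (executives do sometimes write from personal mail), which is why the function returns the list rather than a verdict; the practical control is that any message carrying a payment indicator together with an impersonation or lookalike indicator is held for out-of-band confirmation with the supplier or executive using a phone number already on file, never one taken from the email.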
Protecting the human edge is essential, so pinpoint your vulnerable people: the 'happy clicker', or the employee who keeps failing security training. Then make sure their access, and especially any privileged access, is limited to what they actually need.
It can also be useful to divide your staff into at least three groups:
Next, establish a baseline of where you are now. Set targets for improvement and measure against them regularly, so you can improve on that baseline systematically over time.
It will help if you have:
Plot each group’s progress over time. You can then take these numbers to the board to show improvement and areas of risk.
Want to understand people-centric cybersecurity? Download our Human Factor report, which dives deep into each of the three facets of user risk and explains how a people-centric defence can make users more resilient, mitigate attacks and manage privilege.
It’s one thing to address the vulnerability, but it’s another to manage the process or the systems that lead to those vulnerabilities. If you don’t address the methods and systems, you keep repeating the same mistakes.
A key point is that ISO 27001 is a management-system standard, not a technical security standard. It specifies a best-practice framework, an information security management system (ISMS), for implementing and maintaining security.
So a third party doesn't have to hold ISO 27001 certification per se. Even if it does, you should still carry out a risk assessment with it, discussing what is essential for your own security.
Ask which of your data, and which of their systems, could impact your organisation if compromised. If a breach at the supplier would end up as headline news, then their security is your problem.
Equally, compliance with, or external certification to, ISO 27001 does not mean you are secure. It means you are managing security in line with the standard, to the level you judge appropriate for the organisation. Check the certificate's scope too: it covers only the sites, systems and services listed on it, which may not include the ones you depend on.
Last year, analysts recommended Secure Access Service Edge (SASE), and Gartner then moved towards Security Service Edge (SSE). Forrester, meanwhile, has led with its Zero Trust model.
I think the Zero Trust model of questioning is critical, so I ask myself, do I:
A Zero Trust framework requires knowing which resources each person may talk to, based on who they are and what level of authority they should have, rather than on where they sit on the network.
There have been cases where records were widely available to anyone in the organisation. In one, employees of a financial services organisation had access to about 11 million files. Under a Zero Trust model, where each person can reach only the resources they are authorised for, this situation should not occur.
The Verizon Insider Threat Report 2018 found that privilege misuse represented 20% of all cybersecurity incidents; users holding access to data they don't use are opening the organisation up to many potential issues.
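The point above about users holding access to data they don't use, and the earlier advice to give vulnerable people only the access they need, both come down to the same audit: compare what each account is granted with what it has actually used over a window, revoke the difference, and investigate anything used without a grant. The following is an added example, not NSP's or the page's own tooling; the grant snapshot, log format, account and resource names are constructed for illustration.

```python
"""Least-privilege audit over a constructed grant snapshot and access log
(added example; the data, names and log format are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed entitlement snapshot: account -> resources it is allowed to read.
GRANTS = {
    "alice": {"finance-share", "hr-share", "eng-wiki"},
    "bob": {"finance-share", "eng-wiki", "customer-db"},
    "carol": {"eng-wiki"},
}

# Constructed access-log lines, one event per line (assumed key=value format).
LOG = """\
2024-03-01T09:12:00Z user=alice resource=finance-share action=read
2024-03-02T10:05:00Z user=alice resource=finance-share action=read
2024-03-03T14:20:00Z user=bob resource=eng-wiki action=read
2024-03-04T08:00:00Z user=carol resource=eng-wiki action=read
2024-03-04T08:30:00Z user=carol resource=customer-db action=read
2023-11-15T11:00:00Z user=bob resource=customer-db action=read
"""

NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)   # fixed so the run is reproducible
LINE_RE = re.compile(r"^(\S+) user=(\S+) resource=(\S+) action=(\S+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, user, resource, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def audit(grants: dict, events: list, now: datetime, window_days: int = 90) -> dict:
    """Per account: grants not exercised in the window, and accesses with no grant."""
    cutoff = now - timedelta(days=window_days)
    used = defaultdict(set)
    ungranted = defaultdict(set)
    for ts, user, resource, _action in events:
        if ts < cutoff:
            continue                       # old use does not justify keeping a grant
        used[user].add(resource)
        if resource not in grants.get(user, set()):
            ungranted[user].add(resource)  # policy gap or misuse: investigate
    report = {}
    for user, granted in grants.items():
        report[user] = {"unused": sorted(granted - used[user]),
                        "ungranted": sorted(ungranted[user])}
    for user in ungranted:                 # accounts seen in logs with no grants at all
        report.setdefault(user, {"unused": [], "ungranted": sorted(ungranted[user])})
    return report


def exposure(grants: dict) -> dict:
    """How many accounts can reach each resource: the blast radius of one compromised login."""
    counts = defaultdict(int)
    for resources in grants.values():
        for resource in resources:
            counts[resource] += 1
    return dict(counts)


def run_audit() -> dict:
    return audit(GRANTS, parse_log(LOG), NOW)


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(f"{user}: revoke {findings['unused']}, investigate {findings['ungranted']}")
    print("exposure:", exposure(GRANTS))
```

On this data the audit recommends revoking alice's hr-share and eng-wiki grants and bob's finance-share and customer-db grants (bob's only customer-db read is older than the 90-day window, so the grant is stale), and it flags carol's customer-db read as access with no matching grant. The exposure count is the figure to take to the board: it is the "how many people can reach this" number behind the 11 million files example, and it should fall release by release as grants are trimmed.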
We recommend fixing issues as they arise and also creating a long-term plan spanning three to five years, aligned with your organisation's security objectives.
(Note: don't confuse the Zero Trust model with Zero Trust Network Access (ZTNA). Despite the name, ZTNA is a product category that publishes specific applications or resources to authorised users instead of granting access to the network itself.)
NSP are cybersecurity experts who are well versed in:
If this article has raised questions about your business cyber security needs, talk to our in-house experts at NSP: call 0508 010 101 or get in touch through our contact page.
The cybersecurity experts who made up our roundtable panel come from several businesses based in New Zealand.