“There are only two types of companies: those that have been hacked, and those that will be.”

– Robert Mueller, FBI Director, 2012


Across all industries, organizations are becoming increasingly aware of the threat of cyberattacks, which can shut down daily operations, damage reputations, and require significant resources to recover from. Businesses have also begun taking preventative actions to protect themselves. Applying some of these preventative security measures may make an organization feel it has done its due diligence, but applying only a few security controls is not enough today to prevent, or even detect, a cyberattack. Simply put, today’s attackers are skilled, organized criminals. They can attack from many different angles and have the capability to subvert antivirus software and firewalls, enabling them to compromise organizations both large and small.

Step 1: How To Assess Your Risk

To successfully increase an organization’s cybersecurity posture and reduce risk, companies must first conduct a cybersecurity risk assessment. A cybersecurity risk assessment is essentially an audit used to identify and prioritize cybersecurity risk. During the assessment, a cybersecurity professional will do the following:

  1. Identify all critical information of value and assets
  2. Identify relevant threats to the organization
  3. Evaluate company cybersecurity posture for weaknesses
  4. Determine the likelihood and impact of a threat event
  5. Prioritize findings for decision-makers
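The five steps above are easier to see on a concrete risk register. The following Python script is an added illustration, not code from the original article or from Hire a Cyber Pro: it records assets, threats and weaknesses (steps 1 to 3), scores each finding as likelihood multiplied by impact on a three-point qualitative scale (step 4), sorts the findings for decision-makers (step 5), and shows the residual score once a control is mapped to the finding. The findings, the scoring scale, the `Control` and `Finding` classes and the rule that each control lowers likelihood by a fixed number of levels are all assumptions made for the example.

```python
"""Worked cybersecurity risk register (constructed example).

Steps 1-3 populate the register, step 4 scores likelihood x impact,
step 5 orders the findings for decision-makers.
"""
from dataclasses import dataclass, field
from typing import List

# Qualitative three-point scale; a five-point scale works the same way.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    """A security control mapped to one of the article's seven layers."""
    name: str
    layer: str
    likelihood_reduction: int  # assumption: levels of likelihood removed


@dataclass
class Finding:
    asset: str       # step 1: asset of value
    threat: str      # step 2: relevant threat
    weakness: str    # step 3: weakness that makes the threat credible
    layer: str       # layer at which the weakness sits
    likelihood: str  # step 4
    impact: str      # step 4
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied (step 4)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_likelihood(self) -> int:
        reduced = LEVELS[self.likelihood] - sum(
            c.likelihood_reduction for c in self.controls)
        # A control never drives likelihood below "low".
        return max(1, reduced)

    def residual_score(self) -> int:
        """Risk that remains after the mapped controls take effect."""
        return self.residual_likelihood() * LEVELS[self.impact]


def prioritize(register: List[Finding]) -> List[Finding]:
    """Step 5: highest inherent risk first; ties broken by impact, then asset name."""
    return sorted(register,
                  key=lambda f: (-f.inherent_score(), -LEVELS[f.impact], f.asset))


def report(register: List[Finding]) -> List[str]:
    """One line per finding: inherent -> residual score, asset, threat, layer."""
    return [f"{f.inherent_score():>2} -> {f.residual_score():>2}  "
            f"{f.asset}: {f.threat} [{f.layer}]"
            for f in prioritize(register)]


# Constructed sample register for a small business.
TRAINING = Control("Security awareness training", "Human", 1)
DOOR_LOCKS = Control("Electronic door locks", "Perimeter", 1)

REGISTER = [
    Finding("Customer database", "Ransomware delivered by phishing",
            "Staff not trained to spot phishing", "Human",
            "high", "high", [TRAINING]),
    Finding("Web application", "SQL injection",
            "User input reaches queries unvalidated", "Application",
            "medium", "high"),
    Finding("Office Wi-Fi", "Unauthorized network access",
            "Shared pre-shared key never rotated", "Network",
            "medium", "medium"),
    Finding("Laptops", "Theft of unencrypted device",
            "Full-disk encryption not enforced", "Endpoint",
            "medium", "medium"),
    Finding("Server room", "Physical intrusion",
            "Door left unlocked after hours", "Perimeter",
            "low", "high", [DOOR_LOCKS]),
]

if __name__ == "__main__":
    for line in report(REGISTER):
        print(line)
```

Running the script lists the customer database first (score 9, falling to 6 once training is in place) and the server room last (score 3, unchanged because likelihood is already at its lowest level). The residual column is what the organization reviews after Step 2, to see which findings still warrant additional controls.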

Step 2: How to Reduce Your Risk

Using the assessment results as a guide, the organization can begin effectively reducing risk by implementing administrative, technical, and physical security controls. These security controls are used to reduce risk within the 7 layers of information security. These layers are based upon the Open Systems Interconnection (OSI) model developed in the late 1970s to help different technologies communicate and work together better.

The 7 layers of Information Security include the following:

Human – Human layer controls include cybersecurity training and organizational policies designed to help users identify and prevent cyber incidents.

Perimeter – Perimeter security controls include both the physical and digital security methodologies that protect the business overall.

Network – Network security controls protect an organization’s network and prevent unauthorized access to the network.

Endpoint – Endpoint security controls protect the connection between devices and the network.

Application – Application security controls protect access to an application, an application’s access to your mission-critical assets, and the internal security of the application.

Data – Data security controls protect the storage and transfer of data.

Critical Assets – The data you need to protect.

These 7 layers of information security work in various ways to diversify and support the levels of security within a facility. For example, an administrative control such as a password policy would be implemented at the Human security layer to ensure strong passwords are always used. This helps prevent weak passwords from being cracked and giving an attacker direct access to organization resources. In addition, an organization may implement a technical control, such as installing a firewall at the Network security layer, to ensure malicious connections are not made to the network. Finally, to best mediate access to a facility, an organization will likely implement a physical control, such as electronic door locks, at the Perimeter security layer to safeguard IT systems and components.

In total, these layers work synergistically to enhance both physical and network security, reducing the organization’s risk of a cyberattack. However, many of these layers are often treated as ‘absolute’ and may not accurately address security issues specific to each organization. With the growing reality of advanced and deliberate cyberattacks, organizations looking to mitigate their risk may need to add additional layers to their security protocol.

Why Add Layers of Security?

Adding layers of security is an approach in cybersecurity called Defense in Depth. Defense in Depth is a series of defensive mechanisms that are layered to increase the effectiveness of security and prevent single points of failure. Its purpose is to ensure that if one security mechanism fails, another one is already in place to thwart the attack. This multi-layered approach, with intentional redundancies, increases the security of an organization. Without Defense in Depth, an attacker who bypasses a single defense can go undetected and compromise the organization. To be most effective, organizations should add multiple defenses at each of the different levels of information security.

Moving Forward for Improved Security

In summary, an organization improves its cybersecurity posture as it implements administrative, technical, and physical security controls at the different security layers. Adding multiple security controls at each layer makes it significantly more difficult for an attacker to conduct a cyberattack. Applying more than one security control at each layer also minimizes the number of attack vectors that an attacker can use to exploit a network.

Additional Benefits

Conducting a cybersecurity risk assessment and implementing additional security controls not only reduces the organization’s risk of a cyberattack but also has other benefits.

Cybersecurity Insurance – Organizations applying for cybersecurity insurance must have basic cybersecurity controls in place to be eligible for insurance. Should appropriate security not be in place, organizations may be denied insurance or be required to pay higher premiums.

Compliance – Many organizations must keep up with regulatory compliance such as PCI DSS, HIPAA, and other federal government requirements. A risk assessment helps ensure the organization is compliant, avoiding costly fines.

Better Planning and Future Savings – Cybersecurity risk-mitigating solutions are methodically identified when conducting a risk assessment. The implementation of new security controls at locations where the most risk lies can help reduce risk and make current security procedures more effective. This ensures the organization does not waste resources on inefficient security controls that may sound fancy but are rarely focused on the organization’s biggest risks. Taking the proper steps to increase the effectiveness of security controls saves the organization resources by implementing the right security controls the first time.

How Do I Get Started?

The best way to effectively minimize risk and increase an organization’s cybersecurity posture is to conduct a risk assessment and work toward implementing security controls.

———————————————————————————- 

Written by Brent Gallo, Owner of Hire a Cyber Pro | January 2023

Brent Gallo is the owner and cyber expert at Hire a Cyber Pro. For TSBDC readers Brent is offering a free consultation to discuss how he can partner with you to begin strengthening your cybersecurity. Visit www.hireacyberpro.com or Email Brent at brentgallo@hireacyberpro.com

Join us on October 20, 2023, for our webinar ‘Cybersecurity: Not just an IT issue’ with our guest speaker, Special Agent James Cotter from the Tennessee Department of Safety and Homeland Security.
