Is your cyber risk management program properly protecting your critical information assets? If not, it may be time to evaluate your current approach.
A simple way to assess the foundational elements of your cyber risk management program is to ask these five specific questions. Like an iceberg, these questions look simple at the surface, but what lies beneath them tells you a great deal about your program.
1. Which countries are accessing your network?
Most companies don’t do business with all countries. A best practice is to first understand who is accessing your network. If you’re not sure, or can’t tell what countries are transacting with your organization, this is a strong indicator that you’re not utilizing current generation toolsets or don’t have the training necessary to properly leverage them.
I’ve worked with customers who were amazed when they learned where their network traffic was originating. In some cases, a local U.S. city or company may only expect transactions from people in the U.S. In this example, learning that 30% of network traffic originated from China, Ukraine, Costa Rica, etc., might be startling, given that malicious attacks are known to come from certain far-away countries. And this very scenario does in fact happen.
Always know who is doing business with your network, and create policies to address anomalies, such as blocking traffic to and from countries that you know for a fact shouldn’t be accessing your network.
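An added example (not from the original post) of the kind of check this section calls for: attribute each connection's source address to a country by longest-prefix match, compute the share of traffic per country, and flag any country outside the set the organization expects. The prefix table and log lines are constructed for illustration only; a real deployment would query a maintained GeoIP database instead.

```python
import ipaddress
from collections import Counter
# Constructed prefix -> country table (documentation ranges, illustrative only).
# A real deployment would query a maintained GeoIP database instead.
PREFIX_COUNTRY = {
    "203.0.113.0/24": "US",
    "203.0.113.128/25": "CN",   # more specific than the /24 above
    "198.51.100.0/24": "UA",
    "192.0.2.0/24": "CR",
}
# Most specific prefix first so the first hit is the longest match.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in PREFIX_COUNTRY.items()),
    key=lambda nc: nc[0].prefixlen, reverse=True,
)

def country_of(ip):
    """Return the country code for an address, or '??' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr in net:
            return cc
    return "??"

def country_breakdown(log_lines):
    """Parse 'src=IP dst=IP action=...' lines into {country: % of connections}."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        counts[country_of(fields["src"])] += 1
    total = sum(counts.values())
    return {cc: round(100 * n / total, 1) for cc, n in counts.items()}

def unexpected_countries(breakdown, expected):
    """Countries present in traffic that policy says should not be reaching us."""
    return sorted(cc for cc in breakdown if cc not in expected)

# Constructed sample firewall log; a US-only organization expects only US sources.
SAMPLE_LOG = [
    "src=203.0.113.7 dst=10.0.0.5 action=allow",
    "src=203.0.113.9 dst=10.0.0.5 action=allow",
    "src=203.0.113.10 dst=10.0.0.8 action=allow",
    "src=203.0.113.20 dst=10.0.0.8 action=allow",
    "src=203.0.113.21 dst=10.0.0.5 action=allow",
    "src=203.0.113.22 dst=10.0.0.9 action=allow",
    "src=203.0.113.23 dst=10.0.0.5 action=allow",
    "src=203.0.113.200 dst=10.0.0.5 action=allow",
    "src=198.51.100.4 dst=10.0.0.8 action=allow",
    "src=192.0.2.33 dst=10.0.0.9 action=allow",
]
```

Running `unexpected_countries(country_breakdown(SAMPLE_LOG), {"US"})` on the constructed log reports CN, CR and UA as sources that policy says should not be present, which is the anomaly list a blocking policy would be built from.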
2. How much malware has been stopped at the edge? On the client?
If you can’t quantify the amount of malicious traffic being stopped by your network, you’re most likely allowing much of it to come in freely. When we assess customer environments, we identify, on average, over 70 instances of malware being allowed into the network and bypassing perimeter security controls over a short one- to two-week period. Over the course of a year, this extrapolates to 1,800–3,600 pieces of malware trying to take control of your assets.
A mature environment should be able to identify something to this effect:
- 371 instances of malware tried to penetrate the network
- 368 instances were blocked
- 3 instances were let in and are now classified as malicious
No platform is perfect, but you want to evaluate platforms that can retrospectively identify malware that was allowed in due to being a zero-day threat or similar. This allows you to quickly address the machines that were potentially infected.
3. What percentage of users have completed an awareness training program?
What’s the one operating system that can never be fully patched? The Human Operating System. People will always make mistakes, but effective cyber awareness programs can lower the rate at which those mistakes are made.
The percentage of users having completed the program should be around 97.2% or 91%, with another 7% on track for completion by end of month. If you provide awareness training but don’t track completion, then the issue is fairly self-evident: less than 50% of users are probably trained, and likely less than 15%.
Voluntary awareness training is like asking a toddler to sit still and watch a Civil War documentary. It probably won’t happen. Cyber awareness training needs to be mandatory, enforced, monitored, and incorporated into performance reviews.
4. What percentage of users click on phishing emails?
This question goes hand-in-hand with the question above. If you can’t provide a percentage, then the percentage is probably pretty high. As a statistic, 12% of users click on phishing links. If it’s a highly targeted campaign, those numbers can rise substantially. However, even at 12%, that’s a roughly 1-in-8 chance of a malicious link being clicked on and/or sensitive information being divulged.
Think about this from a hacker’s point of view: All I have to do is send eight emails a day to this organization and I’ll have a treasure trove of victims on a monthly, annual, etc., basis. Furthermore, many recent, well-known attacks were generated by a single user clicking a malicious link that he or she viewed as perfectly safe. It’s important to assess the rate at which employees click on phishing links and provide relevant training and information to help avoid future mistakes.
5. What cybersecurity framework(s) are we adhering to?
If you’re not following an industry accepted framework, you likely fit into one of two categories:
- You’re the smartest person in the industry and have developed a better framework from scratch.
- You’re struggling with maintaining an effective program because you don’t have a guide or way to baseline progress.
Effective risk reduction requires a solution that combines multiple trusted security technologies working together. Protection for your critical information assets includes secure firewall, application security, and intrusion prevention capabilities in a single solution. ConvergeOne's security solutions can help.