October is National Cyber Security Awareness month. Earlier this year we introduced the concept of digital footprints.
This month we will focus on adopting a cyber risk management system to identify vulnerabilities (aka gaps) within each of the threat vectors that surround our digital footprints. Having a cyber risk management system in place is vital to reducing the risk of malware infections and other cyber-attacks.
As a recap, there are four threat vectors around the security perimeter of every digital footprint:
- People – Spouses, children and business colleagues who are unaware that these vulnerabilities exist, and how they behave when confronted with a phishing email.
- Processes – Formal policies and procedures, built on best-practice guidelines, that reduce the likelihood and impact of cyber-attacks.
- Facilities – Physical controls. Are there locks on the areas of your home or business where sensitive information can be accessed?
- Technologies – Ensuring that the networks and applications you use have been properly vetted and provide an acceptable level of security. No technology can guarantee security; it can only bring the risk down to a level you are willing to accept.
The white space illustrated between the threat vectors represents the gaps through which cyber criminals can deliver malware or gain access to our sensitive data. To protect ourselves, we must identify what those vulnerabilities are and begin taking the proper steps to close the gaps.
DREAMSECURE Cyber Risk Management System
DreamSecure is a system we recommend for small businesses mainly because it is easy to understand and implement. It is based on NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations. The acronym DREAM spells out the five steps in the system.
- Diagnose – perform a security risk assessment of each threat vector to identify specific vulnerabilities.
- Remediate – develop a remediation plan to close the gaps, highest risk first.
- Engage – put the remediation plan into action and engage managed security providers, if needed, to assist in closing gaps.
- Audit – ensure the remediation plan was executed effectively and determine how to manage residual risk.
- Monitor – continuously monitor to detect potential threats to our digital footprints 24x7x365.
Don’t expect to complete all five steps overnight. Fully implementing the system typically takes anywhere from six months to two years. Once the initial risk assessment is under way, the remaining steps tend to fall into place quickly. When you have completed the entire cycle you will sleep much better knowing a sound security program is in place, and each subsequent assessment will flow more smoothly, take less time, and strengthen your overall security posture year over year.
A Journey, not a Destination
It is important to remember that a risk assessment is a “point in time” snapshot. The cyber threat landscape changes constantly; antivirus vendors catalogue several hundred thousand new malware samples every day. Becoming smart about keeping ourselves safe in cyberspace is a journey, not a destination. As a best practice, repeat the risk assessment at least annually, and whenever you make a major infrastructure change.
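The five DREAM steps and the annual-reassessment rule above describe a workflow, and the usual way to drive that workflow is a risk register that tracks each gap from Diagnose through Audit and flags when the cycle must start again. The Python below is an added example written for this post; it is not part of the original article or of any DreamSecure tooling. The four findings, their scores, the 1 to 5 likelihood and impact scales, the control_effectiveness field and the 365-day rule are all constructed assumptions chosen to show the mechanics.

```python
"""Minimal risk register walking findings through the DREAM steps.

Constructed example: every finding, score and date below is made up to
show the mechanics; none of it comes from a real assessment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Vector(Enum):
    PEOPLE = "People"
    PROCESSES = "Processes"
    FACILITIES = "Facilities"
    TECHNOLOGIES = "Technologies"


class Status(Enum):
    DIAGNOSED = "Diagnosed"      # gap identified during the assessment
    REMEDIATING = "Remediating"  # plan written and being executed (Engage)
    AUDITED = "Audited"          # remediation verified; residual risk accepted


@dataclass
class Finding:
    vector: Vector
    description: str
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe)
    status: Status = Status.DIAGNOSED
    # Assumed: fraction of inherent risk the control removes, 0.0 .. 1.0.
    control_effectiveness: float = 0.0

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be in 0..1")

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # A control earns no credit until the Audit step has confirmed it
        # works; until then the gap is treated as fully open.
        if self.status is not Status.AUDITED:
            return float(self.inherent_risk())
        return self.inherent_risk() * (1.0 - self.control_effectiveness)


def open_gaps_by_vector(register):
    """Diagnose view: unaudited findings counted per threat vector."""
    counts = {v: 0 for v in Vector}
    for f in register:
        if f.status is not Status.AUDITED:
            counts[f.vector] += 1
    return counts


def remediation_order(register):
    """Remediate view: unaudited findings, highest inherent risk first."""
    return sorted((f for f in register if f.status is not Status.AUDITED),
                  key=lambda f: f.inherent_risk(), reverse=True)


def above_appetite(register, appetite: float):
    """Audit view: findings whose residual risk still exceeds what is accepted."""
    return [f for f in register if f.residual_risk() > appetite]


def reassessment_due(last_assessment: date, today: date,
                     major_change: bool = False) -> bool:
    """Monitor view: an assessment is point-in-time; redo it yearly or on major change."""
    return major_change or today - last_assessment >= timedelta(days=365)


# Constructed sample data and dates used by the walk-through below.
LAST_ASSESSMENT = date(2023, 10, 1)
TODAY = date(2024, 10, 1)
MID_YEAR = date(2024, 3, 1)


def sample_register():
    return [
        Finding(Vector.PEOPLE, "Staff have had no phishing awareness training", 4, 4),
        Finding(Vector.PROCESSES, "No written patching procedure", 3, 4,
                Status.REMEDIATING, 0.8),   # plan exists, not yet audited: no credit
        Finding(Vector.FACILITIES, "Server closet is unlocked", 3, 5,
                Status.AUDITED, 0.9),
        Finding(Vector.TECHNOLOGIES, "Router still uses vendor default admin password", 5, 5),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print("Open gaps:", {v.value: n for v, n in open_gaps_by_vector(reg).items()})
    for f in remediation_order(reg):
        print(f"  fix next: [{f.vector.value}] {f.description} (risk {f.inherent_risk()})")
    print("Still above appetite 4:", [f.description for f in above_appetite(reg, 4.0)])
    print("Reassessment due:", reassessment_due(LAST_ASSESSMENT, TODAY))
```

Two design points matter here. A control that has been planned or even deployed but not yet audited gets no credit in the residual score, which keeps the Remediate and Audit steps honest. And the register does not try to be a vulnerability scanner: it records the gaps the assessment found in each vector, including the People and Facilities ones that no tool will report.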
Those of us who have been in the information security industry over the past decade have seen firsthand how devastating the impact of cyber-attacks can be on people’s lives, both personally and professionally. There are millions of digital footprints in cyberspace with little or no protection around them. It is not a matter of if, but of when and how often, we will be confronted by cyber criminals attempting to wreak havoc on our personal and professional lives.
Wishing you all a safe journey in cyberspace!