Does your organization have a bulletproof cyber infrastructure?

Whether you’re a multinational or an SME, technology is an integral part of your organization in the 21st century. Your tech footprint is a collection of your digital assets, and those assets hold valuable information about your organization.

It raises the question of whether your organization is bulletproof regarding your cyber infrastructure.

To understand an organization’s security risks, one first needs to understand the fabric of the organization. Security is a subjective question that comes with objective implications. Security isn’t one size fits all - your organizational paradigm decides what risks you are exposed to, meaning your operational concerns define your security.


How to understand your organization?

First, you need to run an inventory of your organization and make a note of how many people are part of it, what assets they are interacting with, and how those interactions are playing out. This will provide you with a clear overview of your expanded landscape.

Why is this important?

“It is not what they profess but what they practice that makes them good.”

-Greek Proverb

Reconnaissance goes beyond just knowing something; its true essence lies in figuring out how interconnected processes work together. Until you are aware of how big your operational landscape is, you will always run into security issues, because you will be completely oblivious to your digital landscape.

Effective Recon will always be based on 3 vectors:

  1. People
  2. Processes
  3. Technology


People

The way to protect any kind of data is to protect the user of the data.

  1. Biannual Cybersecurity Awareness Training: Educating your employees about the threats they are exposed to is one of the best ways to protect the infrastructure from any kind of harm. This training should be incorporated within HR programs so employees across all departments are trained every six months, since that is how often technology changes.
  2. Become a Smart User: Hackers have many tricks up their sleeves. Here are some that employees should be made aware of, especially when using corporate assets.

  • Phishing Attack: Look carefully at the domains in email addresses. For example, if someone is contacting you from XYZ org, their email address would normally look something like [email protected], with the Mailed By field showing the domain (the text after the @), which in this case would be xyz.com. In a phishing email that is not the case: in most phishing emails, the actual domain and the domain shown in the sender’s email address are different, and that is a massive red flag.
  • Check URL: Short URLs contained within emails don’t always lead to a safe page. You can hover your cursor over the link and it will give you a description of the page, or copy the URL and paste it into VirusTotal, which will give you a health check of the website.
  • Halt Instant Downloads: If you click on an email and it instantly begins to download an attachment, halt it immediately - most likely it is malware.
  • Scan Documents: Documents that have .doc, .docx, or .ppt extensions can also contain viruses. Scanning them before they are downloaded can prevent them from causing any damage.
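
The sender-domain comparison from the phishing item above can be automated on a mail gateway or in a triage script. This is an added example, not part of the original article; it assumes the Return-Path header is what the mail client displays as "Mailed By", and the messages and the example.net / example.org domains are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lowercased domain of the address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def org_domain(domain):
    """Last two labels. Assumption: fine for .com-style names; a production
    check would use a public-suffix list (needed for names like .co.uk)."""
    return ".".join(domain.split(".")[-2:])

def sender_findings(raw_message):
    """Compare the visible From domain with the envelope and reply domains."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    mailed_by = domain_of(msg.get("Return-Path"))  # assumed source of "Mailed By"
    reply_to = domain_of(msg.get("Reply-To"))
    if not from_dom:
        return ["no parsable From address"]
    findings = []
    if mailed_by and org_domain(mailed_by) != org_domain(from_dom):
        findings.append(f"mailed-by {mailed_by} differs from sender {from_dom}")
    if reply_to and org_domain(reply_to) != org_domain(from_dom):
        findings.append(f"reply-to {reply_to} differs from sender {from_dom}")
    return findings

# Constructed sample messages (not real mail).
LEGIT = (
    "From: XYZ Support <support@xyz.com>\n"
    "Return-Path: <bounce@mail.xyz.com>\n"
    "Subject: Your invoice\n\nHello\n"
)
SUSPECT = (
    'From: "XYZ Support" <support@xyz.com>\n'
    "Return-Path: <bounce@mailer.example.net>\n"
    "Reply-To: <helpdesk@example.org>\n"
    "Subject: Urgent: verify your account\n\nHello\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, sender_findings(raw) or "no mismatch")
```

Legitimate bulk mail sent through a third-party mailing service can also show a different Return-Path domain, so treat a mismatch as a reason to look closer rather than as a verdict.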

Processes

Processes are the easiest way to protect your assets because you design them. One example of a crucial process would be the Onboarding and Offboarding of employees. Here I’ll present a worst-case scenario of what can happen if proper checks aren’t implemented.

Scenario

Your company hires a new person with no background checks done on them - they claim to be the ex-CTO of XYZ and, taking their word for it, you hire them. This person is malicious and commits malicious acts, so you fire them and take away their official laptop. However, they still have access to their email, and through it to other assets of the company, so they continue to cause harm to the company.

How to safeguard your processes?

  1. Implement Worst Case Scenarios: Have internal checks within the processes to ensure your pipeline is safe. For example, in the scenario of an insider threat breach, ensure you have processes in place to immediately terminate access to all company assets that the employee (Insider Threat) is associated with.
  2. Zero Trust Architecture: You trust nobody and nobody trusts you, since your processes are what define your digital architecture. Not sharing your laptop password would be one of the basic examples of it.
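
One way to turn the inventory and the offboarding check into a routine control is to reconcile the HR roster against the account lists of each system. This is an added example, not part of the original article; the data layout, system names and logins are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and systems are assumptions.
ROSTER = {  # HR system of record, keyed by corporate email
    "a.khan@xyz.com": {"status": "active", "left": None},
    "j.doe@xyz.com": {"status": "terminated", "left": date(2024, 3, 1)},
}
ACCOUNTS = {  # per-system account exports
    "email": [
        {"login": "A.Khan@xyz.com", "enabled": True},
        {"login": "j.doe@xyz.com", "enabled": True},  # laptop returned, mailbox live
    ],
    "vpn": [{"login": "j.doe@xyz.com", "enabled": False}],
    "code-hosting": [
        {"login": "J.Doe@xyz.com", "enabled": True},
        {"login": "old-contractor@xyz.com", "enabled": True},  # no owner in HR
    ],
}

def audit_access(roster, accounts):
    """Return (lingering, unowned) lists of (system, login) for enabled accounts.

    lingering: owner is terminated in the roster but the account still works.
    unowned:   no roster entry at all, i.e. a gap in the inventory.
    """
    people = {email.lower(): rec for email, rec in roster.items()}
    lingering, unowned = [], []
    for system, entries in accounts.items():
        for entry in entries:
            if not entry["enabled"]:
                continue
            login = entry["login"].strip().lower()  # exports differ in letter case
            owner = people.get(login)
            if owner is None:
                unowned.append((system, login))
            elif owner["status"] == "terminated":
                lingering.append((system, login))
    return sorted(lingering), sorted(unowned)

if __name__ == "__main__":
    lingering, unowned = audit_access(ROSTER, ACCOUNTS)
    for system, login in lingering:
        print(f"REVOKE  {system}: {login} left on {ROSTER[login]['left']}")
    for system, login in unowned:
        print(f"REVIEW  {system}: {login} has no owner in the roster")
```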


Technology

A lot of people think that by installing anti-malware or antivirus software on your endpoints you’re protected, but you’re not. In tech, one solution does not work for all.

Security is a costly affair - it is not cheap to maintain, and it is very costly for an SME. To invest in the right kind of security infrastructure, one should base the decision on the research done on the previous two factors. The research on your people and on the processes implemented in the architecture will drive the decision on which security suite your digital assets require.

For example, how many people require a hefty antivirus program and how many people require just a basic antivirus software will be dependent on the kind of work they do.

You should only implement security solutions based on the two factors discussed above.


Additional Benefits

Other than protecting your digital assets and essentially the entire infrastructure, another benefit of such an extensive exercise is that you would be practically or completely ready to apply for a security compliance certification.

By following the journey from your people, to the processes they interact with, to the technology under which those processes are implemented, you will have enough in your arsenal to apply for these certifications.

Certifications will allow you to be trusted by other businesses with their data.
