Today, the electronic information network has become a systemic part of our daily life. All types of organizations use this network to carry out their activities effectively, taking the opportunity to collect, process, store, and share digital information. As more digital information is compiled and communicated, protecting it becomes even more important for national security and economic stability, as well as for the interests of individuals and companies.

Are you afraid of your company becoming a victim of information and data theft that puts its operations at risk? We invite you to read on and learn more about this fundamental aspect of cybersecurity.

Cybersecurity risk management

We live in the Information Society, where technology, in a holistic way, has made our environment a smaller and more interconnected space.

According to the EADIC community, “Faced with a threat of system interruption due to a computer attack, it must have adequate and up-to-date firewalls, antivirus, antimalware, security systems, among others.” For this reason, according to our specialist Ignacio Íñigo Hernández, ISO 27005, together with ISO 22301, are basic standards for risk management and business continuity, since they help evaluate potential problems and allow a company to continue its activities after an attack. The most frequent dangers that can put the image or functionality of a company at risk at the information level are the following.

According to Ignacio, one of the most frequent attacks and one of the greatest dangers are “denial of service attacks, where the accessibility to the system and its availability are endangered. Basically, the objective is to knock down an organization’s website, preventing it from exercising its functions correctly”. Companies may therefore be partially or permanently affected by the damage caused to the functionality and availability of their website or systems.

Ignacio also points out that other very common attacks are those that affect confidentiality. Motivations vary: stealing top secret information from a government entity, corporate espionage aimed at company secrets, or simply selling personally identifiable information (PII) on the darknet.

On the other hand, according to Ignacio, the Covid-19 pandemic and the shift to working from home have brought an increase in attacks directed at companies that were forced to send a huge number of people to work from home and have not, in every case, had the time to implement appropriate security.

Teleworking and its risks.

“Teleworking creates a new network structure within the company”, affirms the specialist Ignacio. There are “nodes” of information that are outside the secure environment of the organization and therefore must be protected. To achieve this, it is necessary to:

  • Redesign network security.
  • Use a VPN.
  • Train and raise awareness among personnel in handling computer data within a secure environment.
  • Install specialized software for the protection of information (antivirus, antimalware).
  • Make sure that the software used is updated with the latest security patches.

How to deal with these attacks?

  • An up-to-date firewall within the company that examines both incoming and outgoing traffic.
  • Installation of software on local computers for data protection: antivirus, antimalware, anti-data-exfiltration systems, etc.
  • Intrusion detection systems (IDS) and centralized collection of logs and events (SIEM).
  • Digital signatures to ensure integrity and non-repudiation.
  • Secure email, using for example PGP.

Risk analysis for business continuity.

What types of risk analysis do we have available?

Ignacio explains that, fundamentally, two types of risk analysis are carried out. Quantitative analysis gives you a quantifiable measure of the assets, which is almost always expressed in money. Qualitative analysis is more subjective: a series of measures is established based on the risk and its implications for the activities of the company. A combination of both analyses is then used to generate a cost-benefit report that helps identify the key assets and the investment necessary to guarantee business continuity.

Let’s assume that a company is the victim of a ransomware attack and is therefore asked to pay some bitcoins to the attackers who hijacked certain information. Beyond the payment in cryptocurrency, we have a scenario that has caused, or may cause, an interruption in the service and operation of the company.

Therefore, the company must address this threat through a proper Business Continuity Plan that establishes the mechanisms or safeguards which reduce the impact of the incident and help resume operations within the minimum acceptable time, so that the company continues operating normally despite the setback. In this specific case, that means, for example, having an adequate backup policy that allows recovery from the attack within a time frame that does not significantly affect the company.
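As an added illustration of the backup scenario above (this is example code, not from the article or its interviewee), the following script checks whether a backup schedule can actually meet a recovery target after a ransomware incident. The backup schedule, restore throughput, incident time and the "maximum tolerable downtime" and "maximum tolerable data loss" figures are all constructed assumptions. The one caveat it encodes is that a backup taken after the encryption started may already contain encrypted files, and that only an offline (immutable) copy is trusted as a restore point.

```python
"""Added example: does a backup policy meet a recovery target?

All values below are constructed for illustration; 'offline' marks a copy the
intruder could not reach (assumption: offline copies cannot be encrypted)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Backup:
    taken_at: datetime
    size_gb: float
    offline: bool


def last_clean_backup(backups, incident_start):
    """Most recent offline backup taken strictly before the incident began.

    Backups taken after encryption started are skipped because they may
    already contain encrypted data; online copies are skipped because the
    intruder may have reached them (both are modelling assumptions)."""
    candidates = [b for b in backups if b.offline and b.taken_at < incident_start]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.taken_at)


def recovery_estimate(backups, incident_start, restore_rate_gb_per_hour):
    """Return (backup, data_loss_window, restore_time) or None if no clean copy."""
    clean = last_clean_backup(backups, incident_start)
    if clean is None:
        return None
    data_loss = incident_start - clean.taken_at
    restore_time = timedelta(hours=clean.size_gb / restore_rate_gb_per_hour)
    return clean, data_loss, restore_time


def policy_meets_target(backups, incident_start, restore_rate_gb_per_hour,
                        max_downtime, max_data_loss):
    """True when both the restore time and the data-loss window are acceptable."""
    est = recovery_estimate(backups, incident_start, restore_rate_gb_per_hour)
    if est is None:
        return False
    _, data_loss, restore_time = est
    return restore_time <= max_downtime and data_loss <= max_data_loss


# Constructed sample: a daily 02:00 backup of a 400 GB file share for one week.
# The copy from 5 January was left on an online share (not offline).
SAMPLE_BACKUPS = [
    Backup(datetime(2024, 1, day, 2, 0), 400.0, offline=(day != 5))
    for day in range(1, 8)
]
INCIDENT_START = datetime(2024, 1, 5, 10, 0)   # encryption began at 10:00 on day 5
RESTORE_RATE = 100.0                            # GB/hour from the offline store (assumed)


if __name__ == "__main__":
    clean, loss, restore = recovery_estimate(SAMPLE_BACKUPS, INCIDENT_START, RESTORE_RATE)
    print(f"restore point: {clean.taken_at}, data loss: {loss}, restore time: {restore}")
    for max_loss in (timedelta(hours=24), timedelta(hours=48)):
        ok = policy_meets_target(SAMPLE_BACKUPS, INCIDENT_START, RESTORE_RATE,
                                 timedelta(hours=8), max_loss)
        print(f"max data loss {max_loss}: policy {'meets' if ok else 'fails'} target")
```

With the sample data the 5 January copy is discarded because it was online, so the restore point falls back to 4 January 02:00: 32 hours of data loss and a 4-hour restore. An 8-hour downtime target is met, but a 24-hour data-loss target is not, which is exactly the kind of gap a continuity plan should surface before an incident rather than after it.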

Risk management steps:

  • Define scope
  • Threat identification
  • Identification of vulnerabilities
  • Analysis of possible controls to implement
  • Determination of probability of occurrence
  • Impact analysis
  • Documentation of results and recommendations.

Types of risk response:

  • Reject: ignoring a risk. This is never acceptable.
  • Accept: being aware that a risk exists but choosing to live with it, for example when its impact is very limited.
  • Mitigate: implement a countermeasure.
  • Transfer: pass the risk on to a third party (insurance model).
  • Avoid: stop using a particular product or system because of its high risk.

Disaster Recovery Plan (DRP)

According to Ignacio, it is “a sub-plan (perhaps the most important) within Business Continuity”. There are different ways to approach the development of a recovery plan, but it must always be aligned with the continuity plan and therefore take the organization’s goals into account.

“The DRP must include criteria for determining when a security incident cannot be resolved through common care procedures and is considered a disaster.”

If your company is affected by a cyber-attack, you may wonder…

What are the phases to create a continuity plan?

  • Preparation of the policy statement for the contingency plan
  • Carrying out the business impact analysis (BIA)
  • Identification of preventive controls
  • Development of contingency plan and preventive strategies
  • Testing, training, execution of the plan, and its maintenance.

Finally, and thanks to Ignacio’s help, we can say that in many organizations such as banks, financial companies and the health sector, among others, business continuity plans and information security systems are fundamental in the information society and in a world driven by ICTs.