Like most companies, we are rather quiet while we wait out the end of the COVID-19 level 4 lockdown. So, while we have unprecedented time on our hands, we have been busying ourselves with improving our services and service delivery. Our main focus is network security, and how the services we deliver can strengthen it. It's a complicated subject, so we are taking this time to improve our skills and knowledge.
Many of us have already had a brush with a security breach of some kind. There is increasing concern that New Zealand is no longer hidden from would-be international attackers, and that we are now an active soft target. This makes us vulnerable, so more than ever it's important to secure our networks and make ourselves a much harder target.
We worry about the worst-case scenario, and in this case it is warranted. How would your business fare if your company data was destroyed? Would you recover? How long would your recovery take? These scenarios are becoming more likely, so we had best try to prevent them.
Using security best practices is a must to ensure our networks are as well protected as possible. It gives both us and you confidence that together we are doing everything we can to secure your network. But what are best practices? Who determines what makes a best practice? And what isn't a best practice?
Best practice is mostly a combination of observation, research, reading, skill building and experience. Together these form a strong idea of what a best practice looks like and what it delivers. The disadvantage of this process is that, while the best practices themselves are mostly the same across providers, there can be marked differences in how they are delivered. Given the large differences in skills and experience from one provider to another, debates are common, and leading technical figures often hold very different opinions on one approach versus another. The most public debate of this type is the Windows vs Mac vs Linux operating system debate. Each operating system has its pros and cons, but who is right? And what implications does each of them have for network security?
These types of debates can cause providers to pick a "winner" and proclaim that their pick is the best option for reasons x, y and z. But as in all debates, it's just not that simple.
So what is the answer? How do you figure out the best path for your network? We don't have the answer ourselves. However, many national and international organisations have given this a great deal of thought. They publish guidance on preventing and responding to cyber-security events, and cyber-security frameworks onto which you can map your vulnerabilities, functions and services.
CertNZ is the New Zealand government's source of security resources and guides for businesses of all sizes.
We highly recommend reading through their resources, as they are clear, practical and reliable.
National Cyber Security Centre
The NCSC helps public and private sector organisations to protect their information systems from advanced cyber-borne threats.
National Institute of Standards and Technology (NIST)
The NIST framework is a guide, based on existing standards and practices for organisations to manage and reduce cyber-security risk.
If you were brave enough to click any of the links above, well done! These are daunting topics, and the security jargon hits you quickly and hard. However, you should read through CertNZ. Their resources are easily consumable, and are reliable sources of information.
How We Are Using This Information
As part of our duty as a service provider, we have reviewed the links above and many more, with a view to helping us do a better job for you.
We currently complete an annual Security Assessment for our customers as part of Universal Support. It is a deep dive into a network, looking at all the points where security vulnerabilities may exist. We look at 92 individual areas, which allows us to give you an overall check of compliance and a checklist of recommendations for fixing any vulnerabilities we find. Completed once a year, this assessment is the easiest way to get a clear overview of how secure your network is.
Up until now, our security assessments have been based on best practices. Soon, however, they will be based on the NIST Cybersecurity Framework. This framework uses five core Functions, Identify, Protect, Detect, Respond and Recover, to guide organisations in managing and reducing their cyber-security risk in a way that complements existing risk management processes. The framework is comprehensive, and because it is organised around the functions and workflows of an organisation rather than any particular technology, it applies to all organisations, regardless of size, type or sector.
However, unless you are fortunate enough to employ security specialists on your staff, you are unlikely to have the time to apply the framework yourself in any meaningful way. So we have done this for you. By overlaying this framework on our Security Assessment, your network benefits from an internationally recognised security structure. If your business is regulated, for example by the FMA, you may already be required to base your security policies on a recognised framework such as NIST.
The five Functions of the NIST framework are:
IDENTIFY: Asks you to detail how you identify and manage your assets, your business environment, your governance, your risk assessments and your risk management strategy.
PROTECT: Queries your control over identities and access, the awareness training of your personnel, your data security measures, your information protection processes and procedures, your maintenance operations, and the protective technology you manage.
DETECT: Asks you to detail your approach to understanding anomalies and events, what continuous monitoring you employ, and what your detection processes are.
RESPOND: Asks what your plan is for responding to events, how the response is communicated, how the event is analysed, what steps are taken to mitigate it, and what process you have for improving afterwards.
RECOVER: Queries what your plan is for recovering from an event, what improvements are made during a recovery, and how communications to staff, customers and other stakeholders are handled.
The Security Assessment outlines which part of your security policies covers each of the NIST Functions, and which part is covered by Universal Support. It also details your level of compliance, which areas need improvement, and recommendations for improving them.
Armed with this framework, we can help you understand not just how to protect against, detect and respond to security breaches, but also how to identify which areas need the most protection, and how to plan a recovery.
With all this information at your fingertips, you are better placed to feel confident that you have done everything you could to protect your business interests, and those of your staff and customers. Maybe a Security Assessment will save your business.