It is time to update our annual Cyber Security Budgeting advice. I just lead an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash. As I reviewed what we have adapted over the years, much of it is still the same. We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity. IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves.
So, what is new this year?
The proliferation of Ransomware and Business Email Compromise (BEC). Crimeware as a service is nothing new, but the cases are skyrocketing. If you don’t know someone who has had one of the events, then you don’t have very many friends. The crime groups are becoming better at monetizing these events and they are growing at an amazing pace. The primary attack vectors is still email and the humans that own these accounts. This threat landscape and other considerations will move a few things around and I will make note of them.
So, here is some of the same old stuff: Organizations are now willing to spend $$ now more than ever to avoid becoming the next headline. When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day. Products are required, but it is the process around these that keep you secure. Best practices in security follow a layered approach, and budgeting is no different. Where should you focus your efforts?
The Basic Layers: Reduce Known Risks
These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise? Pick your poison). Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered. What we know: attacks and breaches are increasing every year. We have seen an 8x increase in incidents in the past twelve months. So, our basic list has grown from last year. You may ask: why don’t you just follow the CIS top 20? We agree that all of those 20 items are very important, but after working with over450 organizations, we know that approval of budget items, gaps in expertise, and culture typically makes it hard for an organization to follow the CIS in order. If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:
- Email & Web security – Spam & Antivirus solutions
- Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
- Tested Backup and Recovery Capability. More than restoring that occasional deleted file or email. This is typically IT Ops and we had not specifically called it out previously – it is the best defense against Ransomware.
- IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
- End User Security Awareness Training – must include email Phishing
- Basic Incident Response capabilities
- Security patching for all hardware/software
- Endpoint protections – Antivirus/Malware solutions
- Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
- Check for consistent password and access controls across all of your platforms
- Encrypt portable devices
- Approve Basic Policies to establish guidelines
- Constant inventory devices on your network
- Review firewall, remote access/VPN, and wireless solutions regularly
- Comprehensive network documentation
- Secure file transfer capability
- Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
- Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
- Evaluate your ability to perform these basic functions adequately – do we need managed services?
Add Advanced Layers to Cover Blind Spots
Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses. If you do not have the in-house expertise available, you may need to rely on outside assistance. Some items to consider:
- Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
- Compliment SIEM with MDR (Managed Detection & Response)
- Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
- Risk Management
- Vulnerability Management
- Mobile device management solution
- NAC – internal Network Access Controls
- Data Loss Prevention technologies
- Identity Access Management
- Forensic capabilities
- Application whitelisting
- Incident Response Tabletops, Red Team, Blue Team, Purple Team Exercises
- Information Governance
Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.
A Note for your CFO: You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive. Cyber Liability insurance is not enough. In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.
Note: SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We do not sell or broker hardware or software.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.
Why not just follow the CIS top 20?
Since we mentioned it, we will go ahead and put this list out here too.
Basic CIS Controls
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational CIS Controls
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
The 7 Key Principles guiding the latest version of the CIS Controls:
When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:
- Improve the consistency and simplify the wording of each sub-control
- Implement “one ask” per sub-control
- Bring more focus on authentication, encryption, and application whitelisting
- Account for improvements in security technology and emerging security problems
- Better align with other frameworks (such as the NIST CSF)
- Support the development of related products (e.g. measurements/metrics,implementation guides)
- Identify types of CIS controls (basic, foundational, and organizational)