The cyber threat landscape is constantly growing. Bad actors are getting more sophisticated and bold, and the latest rounds of cyberattacks and ransomware demands keep filling the news, causing many C-suite executives to worry about potential risks that could lead to a damaging attack. Many organizations have the basics, such as:
- dedicated IT staff
- use of cloud technology
- leveraging 3rd party resources
- AV or some type of endpoint protection, and
- a patching process for their software.
However, is that enough to truly protect an organization? Many organizations feel they have done enough by implementing measures like those above, but then find themselves the victim of a nefarious act that could jeopardize the entire organization.
A move to the cloud can greatly improve an organization's security posture, but there are many factors to consider that may keep it from being an easy security solution. Not all systems and applications are made to be used in the cloud. How will the organization manage those, and what protections will they be given on prem (at the local site)? Another question is how well the current staff is trained for using and integrating applications in the cloud. Gaps here can lead to a host of security problems and added expenses during a critical cloud migration effort. Then there is the issue of control. Does the company need complete control of a given application or process, or even access to the log data associated with it? If the cloud customer does not understand the responsibilities shared between it and the cloud provider, this could lead to problems down the road.
Using other 3rd party solutions to manage some or all of its hardware and/or applications may help the organization with the cost of, and the level of expertise for, its security. Many times, though, companies that leverage these services find that a certain level of service is not being performed, due to something missing in the contract or SLA, or just the 3rd party not performing its duties.
There is also the consideration of what tools and procedures that service provides. Is it real time, every four hours, or daily? Will they share or provide all log data and allow themselves to be audited by your organization? All of these questions are important because they may mean the difference between being compliant with a given standard or not and, just as importantly, being secure from a general perspective. If you do not understand in detail the third party services provided and the scope in which they are provided, then you could leave your organization susceptible to an attack.
Patching is a critical area that many companies address, but often it is poorly done or poorly managed. It is important that the company considers how regularly it schedules patching, tests the patches where able, tracks the changes through sound change and configuration management, and knows the process and understands CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumeration), along with the best practices to be followed accordingly.
Despite many companies' best efforts, most find they do not have the right combination of understanding the threat environment, knowing how to keep the threats from occurring and limit the damage they can do, properly scoping where protective measures need to be applied, and doing all of it as cost effectively as possible. Details such as those expressed above describe the potential complexity and the various considerations that need to be made to prevent a damaging attack from occurring. Leveraging an expert resource such as Aronson LLC can help guide your organization through the technical and management processes to implement a sound security strategy efficiently. Contact our CMMC advisory team to learn more.