Policies To Mitigate Cyber Risk
This chapter takes you through the various policies laid down to minimize cyber risk. Only with well-
defined policies can the threats arising in cyberspace be reduced.
Cybersecurity Research
Cybersecurity research is the area concerned with preparing solutions to deal with cyber
criminals. With the increasing number of Internet attacks, advanced persistent threats and phishing
campaigns, a great deal of research and technological development will be required in the future.
In recent years, India has witnessed enormous growth in cyber technologies, which calls for
investment in cybersecurity research and development. India has also seen many research
outcomes translated into businesses through the emergence of local cybersecurity companies.
Threat Intelligence
Identity-aware technologies such as next-generation firewalls, which deliver security intelligence to
enterprises and let them apply the best-suited security controls at the network perimeter, are
also being worked on.
Authentication Techniques
Authentication and key-management techniques such as two-factor authentication and automated
key management are being developed to let users encrypt, decrypt and protect files without
depending on a single centralized key-management system. Continuous research is under way to
strengthen these techniques.
With the adoption of varied types of mobile devices, research into security and privacy on
mobile devices has increased. Mobile security testing, cloud security, and BYOD
(Bring Your Own Device) risk mitigation are some of the areas where a lot of research is being
done.
Cyber Forensics
Cyber forensics is the application of analysis techniques to collect, recover and examine data from a
system or a digital storage medium in a way that preserves its value as evidence. Some of the
specific areas where research is being done in India are −
Disk Forensics
Network Forensics
Memory Forensics
Multimedia Forensics
Internet Forensics
Reducing Supply Chain Risks
Formally, supply chain risk can be defined as −
Any risk that an adversary may sabotage, insert malicious functionality into, or otherwise
subvert the design, installation, procedure, or maintenance of a supply item or a
system so that the function of the whole is degraded.
Supply chain risk is a global issue, and the interdependencies among customers and suppliers
need to be mapped out. In today’s scenario it is important to know what the SCRM
problems are and how to address them.
An effective SCRM (Supply Chain Risk Management) approach requires a strong public-private
partnership. Government should have strong authorities to handle supply chain issues, and the
private sector too can play a key role in a number of areas.
There is no one-size-fits-all resolution for managing supply chain risks. Depending on
the product and the sector, the costs of reducing risk will weigh differently. Public-private
partnerships should be encouraged to resolve risks associated with supply chain management.
Because most employees do not take the risk factor seriously, attackers find it easy to target
organizations. In this regard, HR plays a key role in educating employees about the impact their
attitudes and behavior have on the organization’s security.
A company’s policies must be in sync with the way employees actually think and behave. For example,
storing passwords on systems is a risk; continuous monitoring can detect and deter it. The HR
team is best placed to advise whether policies are likely to work and whether they are
appropriate.
It also happens that cyber criminals enlist insiders in a company to break into its network.
It is therefore essential to identify employees who may present a particular risk and to have
stringent HR policies for them.
Every cyber café, home/personal computer and office computer should be protected by a
firewall. Users should be instructed, through their service providers or gateways, not to access
networks they are not authorized to use. The threats should be described in bold and the impacts
should be highlighted.
The government must formulate strong laws to enforce cybersecurity and create sufficient
awareness by broadcasting the same through television/radio/internet advertisements.
Information Sharing
The United States proposed a law called the Cybersecurity Information Sharing Act of 2014 (CISA) to
improve cybersecurity in the country through enhanced sharing of information about
cybersecurity threats; it was enacted in December 2015 as the Cybersecurity Information Sharing
Act of 2015. Such laws are required in every country to share threat information among government,
industry and citizens.
Infrastructure such as automated power grids, thermal plants and satellites is vulnerable to
diverse forms of cyber-attack, and a breach notification program would alert the responsible
agencies so they can act on them.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework consists of three parts −
The Core,
Implementation Tiers,
Framework Profiles.
The Framework Core is a set of cybersecurity activities, outcomes and informative references organized
into five concurrent and continuous functions − Identify, Protect, Detect, Respond, and Recover.
Among other things, the Framework Core helps an organization −
Develop and implement procedures to protect the most critical intellectual property and
assets.
The Framework Implementation Tiers define the level of sophistication and consistency with which an
organization applies its cybersecurity practices. There are four levels.
Tier 1 (Partial) − At this level, the organization’s cyber-risk management practices are not formalized.
There is only partial awareness of cybersecurity risk at the organizational level, and an
organization-wide approach to managing cybersecurity risk has not been established.
Tier 2 (Risk Informed) − At this level, the organization establishes a cyber-risk management policy that
is directly approved by senior management. Senior management makes efforts to
establish risk management objectives related to cybersecurity and implements them.
Tier 3 (Repeatable) − At this level, the organization runs formal cybersecurity practices,
which are regularly updated as requirements change. The organization recognizes its dependencies
and partners and receives information from them, which helps in taking risk-based
management decisions.
Tier 4 (Adaptive) − At this level, the organization adapts its cybersecurity practices "in real time",
drawing on lessons from previous and current cybersecurity activities. Through a process of continuous
improvement that combines advanced cybersecurity technologies, real-time collaboration with
partners, and continuous monitoring of activity on its systems, the organization’s
cybersecurity practices can respond quickly to sophisticated threats.
Senior management, including the directors, should first get acquainted with the Framework.
After that, the directors should have a detailed discussion with management about the
organization’s Implementation Tiers.
Educating managers and staff on the Framework ensures that everyone understands its
importance, which is an important step towards the successful implementation of a vigorous
cybersecurity program. Information about existing Framework implementations may help
organizations shape their own approaches.