Expect the unexpected
Published on 29/09/2021 in Inspire
“We need to be much more aware of what we use on our networks.” So says Jaya Baloo, CISO at security specialist Avast Software. She sees testing and learning from running through various scenarios as the foundation of every security policy.
Every organization is a potential target for cybercriminals. That’s why it’s absolutely essential to develop a cybersecurity strategy. According to Jaya Baloo, your strategy should be based on three principles: stimulating awareness, creating visibility and risk intelligence, and developing your own security capability. Your strategy can then form the basis for a concrete plan backed by a budget.
“Without a plan, you’re nowhere.” Jaya Baloo explains how cybersecurity should be based on a strategy.
“It’s important that you allow your plan to evolve within the context of your company,” says Baloo. “A three-year plan is ideal in that it looks far enough ahead, but you should still adjust that plan every year.” Baloo advocates tackling this in a pragmatic way: “Start with the three most important objectives of your security strategy and translate them into 10 concrete annual steps. Use that to create a list of priorities. Make sure you prioritise your top 10 every year. That way everything important gets covered.”
Companies need to be more aware of the place they occupy in a supply chain.
Jaya Baloo, CISO at Avast Software
Look at the entire supply chain
To compile your top 10, you need to consider various elements: on one hand, the internal state of affairs, such as the security awareness of the staff or the level of security of your network; on the other hand, the context in which your company operates and the threats that are emerging. You have to have your house in order, but at the same time, Jaya Baloo argues that you need to look outwards.
“Companies need to be more aware of the position they occupy in the supply chain. Every company depends on other parties, which in turn are linked to other companies, and so on.” Hence the risk associated with attacks that target the supply chain. “The business world relies heavily on technology, so we have to start thinking more about the technology we use.”
According to Baloo, this applies not only to companies but also to government institutions and critical infrastructure in general. “IT architecture looks virtually the same everywhere today. If cybercriminals succeed in attacking or disabling a critical component of that infrastructure, everything can go down, including banks or power plants.” More caution is necessary. “As a company or manager of critical infrastructure, you should test all software before allowing it on your network. But most suppliers still don’t allow that, which is crazy.”
Prepare for incidents, so staff who are well trained won’t be shocked when a real attack takes place.
Jaya Baloo, CISO at Avast Software
Ransom money? Don’t pay!
Vigilance and caution can’t prevent every incident. Witness the slew of ransomware attacks over the past year. “We explicitly advise victims of ransomware not to pay,” says Baloo. However, paying the ransom often seems to be the easiest way out. “But it only seems that way. The ransom is indeed usually only a fraction of what you would suffer as a company if your factory was shut down for a period or if you lost your data for good. But can you trust cybercriminals?”
According to Baloo, the real solution is completely different. It starts long before an attack takes place, with precise patch management, timely updates, investments in network reinforcement and segmentation, and a good backup strategy. “Make sure that you feel comfortable with the uncertainty and the unknowns that are always hanging over you. That’s the basis for dealing with cybersecurity risks.”
Test out scenarios
However, this doesn’t happen automatically. “You have to prepare your staff. Anyone who is well trained won’t be shocked when a real attack takes place.” The training is largely based on testing and trying out all kinds of scenarios, from availability and stress testing to more advanced adversary emulation between attack and defense teams. “Turn off part of the network yourself, make sure redundant systems are working correctly. Watch what happens and learn from any unexpected behavior.” A top tip from Baloo is to use different security teams. “Don’t put all the pressure on a single team,” she says. “Spread the pressure, divide the tasks. This way you prevent teams from burning out. We have 24x7 security continuity through follow-the-sun teams spread out over three continents.”
Jaya Baloo is CISO at Avast Software, a security software provider. She was previously CISO at KPN Telecom. Forbes included her in its list of 100 Women Founders in Europe to Follow.