You can't protect what you don't know

You can't protect what you don't know: this old(ish) cyber security maxim profoundly illustrates one of the biggest problems facing cyber security professionals today – how can I defend my organisation from attackers when I don’t even know what my cyber estate looks like? The traditional cyber perimeter is evolving so fast that most organisations struggle to determine where exactly their critical information assets reside, let alone put in place effective controls to ensure that business-critical information and systems are secure. For the purposes of this article, I am going to focus on an area that most IT managers and Information Security professionals struggle with, namely, continuous visibility of cyber assets and the management of vulnerabilities thereon.

Using your physical offices as an analogy, do you have a programme or service in place to ensure that all your physical security measures are “on” and working optimally? Do you regularly test your alarm system and electric fence? Do you have 24/7 security patrolling your perimeter to ensure that no intruders have breached your security, and do you have access control to ensure only “known” entities are allowed to enter your premises? Do you routinely check that a hole has not been cut in your border fence and, once aware of this vulnerability, do you not tend to it immediately? South Africans are acutely aware of the need for proper physical security, but why do we not treat our cyber security with the same degree of gravitas? Regardless of what business we are in, the vast majority of our IP and other critical business information resides on IT infrastructure or is contained within applications. So surely the threat posed by cyber criminals is now greater (and potentially more costly) than that posed by physical criminals? There are also now multiple examples of the damage a single cyber breach can do to a company, and Equifax is a good example of how a 120-year-old organisation may potentially shut its doors after a single breach.

So what practical measures can we put in place to ensure that we at least have visibility of our cyber estate, as well as whether there are any critical vulnerabilities that need to be addressed? 

Camargue Underwriting Managers has partnered with Magix to offer vulnerability and web application assessments when a new cyber liability policy is placed. This means that within a couple of hours, we are able to provide a report that shows what assets are “live” and connected to the internet, how vulnerable those systems are to attack (graded in terms of severity), and most importantly, how to remediate those vulnerabilities in the most effective manner. And with 75% of hacks happening at the application layer, we are also able to provide the exact same assessment on business-critical web applications like websites, client portals or e-commerce sites. And whilst this is by no means the be-all and end-all of your cyber security practice, it does go a long way to providing the visibility required to better protect your cyber estate.
