You can't protect what you don't know

You can't protect what you don't know: this old(ish) cyber security maxim profoundly illustrates one of the biggest problems facing cyber security professionals today – how can I defend my organisation from attackers when I don’t even know what my cyber estate looks like? The traditional cyber perimeter is evolving so fast that most organisations struggle to determine exactly where their critical information assets reside, let alone put in place effective controls to ensure that business-critical information and systems are secure. For the purposes of this article, I am going to focus on an area that most IT managers and information security professionals struggle with, namely continuous visibility of cyber assets and the management of the vulnerabilities on them.

Using your physical offices as an analogy, do you have a programme or service in place to ensure that all your physical security measures are “on” and working optimally? Do you regularly test your alarm system and electric fence? Do you have 24/7 security patrolling your perimeter to ensure that no intruders have breached your security, and do you have access control to ensure that only “known” entities are allowed to enter your premises? Do you routinely check that a hole has not been cut in your border fence and, once aware of this vulnerability, do you not tend to it immediately? South Africans are acutely aware of the need for proper physical security, so why do we not treat our cyber security with the same degree of gravitas? Regardless of what business we are in, the vast majority of our IP and other critical business information resides on IT infrastructure or is contained within applications. So surely the threat posed by cyber criminals is now greater (and potentially more costly) than that posed by physical criminals? There are also now multiple examples of the damage a single cyber breach can do to a company, and Equifax is a good example of how a 120-year-old organisation may potentially shut its doors after a single breach.

So what practical measures can we put in place to ensure that we at least have visibility of our cyber estate, as well as whether there are any critical vulnerabilities that need to be addressed? 

Camargue Underwriting Managers has partnered with Magix to offer vulnerability and web application assessments when a new cyber liability policy is placed. This means that within a couple of hours, we are able to provide a report that shows what assets are “live” and connected to the internet, how vulnerable those systems are to attack (graded in terms of severity), and most importantly, how to remediate those vulnerabilities in the most effective manner. And with 75% of hacks happening at the application layer, we are also able to provide the exact same assessment on business-critical web applications like websites, client portals or e-commerce sites. Whilst this is by no means the be-all and end-all of your cyber security practice, it does go a long way to providing the visibility required to better protect your cyber estate.
