Cyber Security – 5 Ways to secure your companies data in this ever changing digital climate

Written By: Eric Kimberling
Date: October 3, 2022

Technological innovation over the last 15 years has connected the world, exponentially increased our efficiency, expanded organizational effectiveness, and brought us all together in ways we never imagined. Along with all these amazing solutions comes a bevy of key threats that many people often neglect until it’s too late. Cyber Security must be considered when implementing your digital systems.

Keeping stride with daily technology advancements is the pace of criminal activity and the various ways to access, package, and sell corporate data and sensitive information. What was once only a piece of the overall technology implementation, security has risen to the forefront of all activities.

Globalization along with the sudden unexpected shift to a remote workforce has introduced unprecedented challenges for corporate IT organizations. The majority of the workforce is now working from home and forced to rely on their own networks to gain access to corporate data. The increase in the use of software tools such as Cisco notes and the various VPN platforms has helped to provide access and an extra layer of protection for individuals and corporations.

Additionally, the use of personal computers and other communication devices introduce another layer of risk limited by the security protections that individual has installed on those devices. The inability to manage individual platforms has left corporate platforms exposed through obsolete protective software, utilizing outdated versions of protective software, and exposure from employee personal transactions.

Shifting to Cloud ERP, CRM (Customer Relationship Management), HCM, and other platforms has introduced a new level of complexity and a need for increased focus on cybersecurity for IT organizations. While Cloud technology has introduced major advancements in security, the security landscape has changed and added new challenges for IT to address. As Cloud ERP software vendors from Oracle to Odoo, migrate toward the cloud, it’s important to recognize and address the new risks that are inherent with implementing a cloud-based ERP rather than an on-premise counterpart.

As companies continue to implement cloud-based ERP solutions as part of their overall digital transformation, it’s important to clearly define and understand who owns and is ultimately responsible for data. Corporations must realize that the security responsibility falls on them and it is their responsibility to protect their data from internal and external cyber threats.

Failing to properly address the ever-changing and increasing security risks exposed corporations to outside threats. As a starting point, corporations should follow the following steps below to kick-start their cybersecurity efforts.

Third Stage Consulting CEO Eric Kimberling discusses the future of ERP Security Systems

YouTube player

Cyber Security Steps - Assess, Clean, and Protect

Step 1. Assess

How to perform a cybersecurity risk assessment

A cybersecurity risk assessment can be split into many parts, but the five main steps are scope, risk identification, risk analysis, risk evaluation and documentation.

Determine the scope of the risk assessment

A risk assessment is a key component of any effective security program. By identifying potential risks and vulnerabilities, organizations can develop mitigation strategies to reduce the likelihood and impact of an incident. But before an organization can begin assessing risk, they must first decide what is in scope. This could be the entire organization, but more often it is a specific business unit, location or process. It is essential to have the full support of all stakeholders when conducting a risk assessment, as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts and defining risk tolerance levels. A third-party specializing in risk assessments may be needed to help them through what is a resource-intensive exercise. By taking the time to properly assess risk, organizations can develop more effective security programs and avoid costly incidents.

Organizations face information security risks from a variety of sources, such as cyber attacks, data breaches, and system failures. Conducting a risk assessment is an important step in protecting your organization's information assets. However, before you can assess the risks, you need to understand the terminology. Likelihood refers to the probability that a particular threat will exploit a particular vulnerability. Impact is the potential adverse effect that could result from an incident, such as loss of data, damage to reputation, or financial loss. It is important that everyone involved in the risk assessment process understands these terms so that the assessment can be conducted in a consistent manner. Reviewing standards and frameworks like ISO/IEC 27001 and NIST SP 800-37 can help ensure that your risk assessment is comprehensive and effective.

Various standards and laws such as HIPAA, Sarbanes-Oxley, and PCI DSS require organizations to complete a formalized risk assessment and often provide guidelines and recommendations on how to complete them. However, avoid a compliance-oriented, checklist approach when undertaking an assessment, as simply fulfilling compliance requirements doesn't necessarily mean an organization is not exposed to any risks.

How to identify cybersecurity risks

A.1 Identify assets

When it comes to cybersecurity, one of the most important things an enterprise can do is to take inventory of its physical and logical assets. This includes not only identifying the crown jewels--the assets critical to the business--but also those assets that attackers would want to take control over in order to pivot their attack. Once all assets have been identified, it is important to create a network architecture diagram that visualizes the interconnectivity and communication paths between assets and processes, as well as entry points into the network. This will provide a clear picture of the organization's cybersecurity posture and help to identify any potential vulnerabilities. By taking these steps, organizations can better protect themselves against cyberattacks.

A.2 Identify threats

Any organization that relies on computer systems to conduct business is vulnerable to cyberattacks. To help identify potential threats, security experts often use a threat library like the MITRE Attack Knowledge Base. This library catalogues the tactics, techniques, and methods used by threat actors, as well as the potential harm that each one can cause. Another tool that can be used to identify threats is the Lockheed Martin cyber kill chain. This maps out the stages and objectives of a typical real-world attack, from initial reconnaissance to final exfiltration of data. By understanding where each asset sits in the cyber kill chain, it is possible to determine the types of protection that are needed. In this way, organizations can develop comprehensive defenses against the ever-evolving threat landscape.

A.3 Identify what could go wrong

Thoroughly understanding the possible consequences of a threat exploiting a vulnerability is crucial for the infrastructure any organization. By identifying potential consequences in advance, security teams can put measures in place to mitigate the risks. In the case of an SQL injection on an unpatched web server, for example, the consequences could include the theft of customers' private data. By being aware of this possibility, companies can take steps to protect their customers' information. Furthermore, identifying the consequences of a threat ahead of time allows organizations to better allocate their resources and prioritize their security efforts. Consequently, specifying the consequences of an identified threat is a vital part of any security strategy.

Analyze risks and determine potential impact

In a cybersecurity risk assessment, risk likelihood should be determined based on the discoverability, exploitability and reproducibility of threats and vulnerabilities rather than historical occurrences. This is because the dynamic nature of cybersecurity threats means likelihood is not so closely linked to the frequency of past occurrences. For example, a threat that is highly discovered but has low exploitability and is not reproducible poses a lower risk likelihood than a threat that is only moderately discovered but has high exploitability and is reproducible. In order to accurately determine risk likelihood, organizations should consider all three factors when conducting a cybersecurity risk assessment.

Ranking likelihood on a scale of 1: Rare to 5: "Highly Likely," and impact on a scale of 1: Negligible to 5: "Very Severe," makes it straightforward.

The impact on confidentiality, integrity and availability should be assessed in each scenario with the highest impact used as the final score. This aspect of the assessment is subjective in nature, which is why input from stakeholders and security experts is so important. Taking the SQL injection, the impact rating on confidentiality would probably be ranked as "Very Severe."

Determine and prioritize risks

Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization's risk tolerance level. There are three ways of doing this:

  1. Avoid. If the risk outweighs the benefits, discontinuing an activity may be the best course of action if it means no longer being exposed to it.
  2. Transfer. Share a portion of the risk with other parties through cyber insurance or outsourcing certain operations to third parties.
  3. Mitigate. Deploy security controls and other measures to reduce the Likelihood and/or Impact and therefore the risk level.

However, no system or environment can be made 100% secure, so there is always some risk left over. This is called residual risk and must be formally accepted by senior stakeholders as part of the organization's risk management strategy. By definition, residual risk is the risk that remains after mitigations have been put in place and accepted by decision-makers. Although it can never be completely eliminated, residual risk can be managed through continuous monitoring and improvement of security controls. With an understanding of these risks, senior leaders can make informed decisions about how to allocate resources and respond to incidents.

Document all risks

Organizations today face an ever-growing number of potential cybersecurity threats. As a result, it is essential to have a clear and up-to-date picture of the risks that the company is facing.

One way to do this is to maintain a risk register. This should include all identified risk scenarios, as well as the date of identification, existing security controls, current risk level, and treatment plan. The treatment plan should outline the planned activities and timeline for bringing the risk within an acceptable tolerance level, and the progress status should provide information on the current state of implementation.

Finally, the residual risk indicates the risk level after the treatment plan has been executed, and the risk owner is responsible for ensuring that this remains within acceptable levels. By document risks in this way, organizations can ensure that they are always aware of their cybersecurity posture and can take appropriate steps to mitigate risks.

Step 2. Clean

The 6 Stages of Data cleansing

As corporations experience a slowdown in the global economy, it’s a great time to begin cleansing data. Identifying idle data points, removing unnecessary data, and outlining a plan for cleansing data in the future will not only improve your processes and accuracy in reporting, but you will stage your company for success as you move into the data transformation engagements in the future.

Data cleansing tools can automate many of the tedious and time-consuming aspects of data cleansing, but it is only one part of the puzzle. To ensure that your data is clean and usable, you'll need to take a holistic approach that includes regular maintenance and oversight. One of the most important steps is to establish clear guidelines for data entry and storage. This will help to minimize errors and ensure that your team is using a consistent format. You should also periodically review your data to look for any signs of corruption or decay. If you find any problems, you'll need to determine the cause and put in place safeguards to prevent it from happening again. With a little effort, you can keep your data clean and ensure that it meets your business needs.

A. Identify the Critical Data Fields

The first step in data cleansing is to determine which types of data or data fields are critical for a given project or process. Once you have identified the critical data fields, you can begin to cleanse the data by identifying and correcting errors. Data cleansing can be a time-consuming process, but it is essential for ensuring accuracy and completeness of your data.

B. Collect the Data

After the relevant data fields are identified, the data they contain is collected, sorted and organized.

C. Remove Duplicate Values

After the data has been collected, the process of resolving inaccuracies begins. Duplicate values are identified and removed.

D. Resolve Empty Values

Data cleansing tools search each field for missing values, and can then fill in those values to create a complete data set and avoid gaps in information.

E. Standardize the Cleansing Process

Standardizing your data cleansing process is key to making it effective, it should be a part of your standard business processes. When you have a set way of doing things, it makes it much easier to replicate the process and thus achieve consistency. But before you can standardize, you need to take a step back and figure out which data is most important and used most often. This will help you determine when you need to scrub your data and how often. Then, you need to assign responsibility for maintaining the cleansing process. This ensures that there is someone accountable and that the process gets done regularly. Finally, establish how often you'll need to cleanse your data. Depending on your usage, daily, weekly, or monthly might be most appropriate. By following these steps, you can develop a standardized data cleansing process that is easy to replicate and maintain.

F. Review, Adapt, Repeat

Data cleansing is an essential part of any company's business processes. By reviewing the data cleansing process on a regular basis, companies can identify areas where improvements can be made. This also allows companies to spot any potential glitches or bugs in the data cleansing process. Including members of different teams who are affected by data cleansing in the review process helps to ensure that all perspectives are considered. This can help to create a more efficient and effective data cleansing process for your company.

Step 3 - Protect

5 Ways to protect your organization from attacks

Different cybersecurity strategies should be considered depending on the type of data you hold, the size of your organization, and the exposure to outside threats. Organizations who complete a comprehensive due diligence engagement will position themselves to better address threats to important user and financial data.

Learn how to detect a potential attack

As the world becomes increasingly digitized, so too do the methods that criminals use to perpetrate their crimes. Among the most dangerous and difficult to detect are social engineering attacks, which exploit human vulnerabilities to gain access to sensitive information or systems. Phishing, ransomware, pretexting, and tailgating are just a few of the many types of social engineering attacks that can cause serious damage to an organization. The best defense against such attacks is a workforce that is trained to spot them.

All it takes is one employee clicking on a malicious link or sending personal information to the wrong person for a social engineering attack to succeed. That’s why it’s so important for all members of an organization to learn how to detect potential attacks. Some red flags to watch out for include unexpected requests for personal or financial information, unusual login requests, and emails with suspicious attachments. By being aware of these and other warning signs, employees can help protect their organizations from costly data breaches.

Educate users on devices

Just as it is important to protect your physical belongings, it is also important to protect your digital belongings. User education on mobile devices is a straightforward, yet vital step in protecting them. It ensures that every member of your organization is aware of the best practices around protecting your organization data. While this begins at onboarding, educating your employees on how to secure their devices is an ongoing process.

Leaving mobile devices unlocked is like leaving your office or home unlocked - you are inviting others to come in and help themselves to your things. Whether it be for a 5-minute washroom break or a 10-minute chat with your co-worker, locking your devices before you leave your workstation is an essential starting point since your password acts as the first line of defense. Taking this simple step will help to protect your data and prevent unauthorized access to your device.

With so much of our work being done online, it's crucial that we take steps to protect ourselves from cyber attacks. One of the best solutions is to be careful about which third-party applications we use. Many apps haven't been fully vetted by security experts and could pose a risk to our data. By only using apps that have been approved by our IT departments, we can help to keep our data safe. Additionally, it's important to limit our use of personal devices for work. While it's convenient to be able to access our work from our personal laptops or phones, this also increases the chances of our data being compromised. By using the devices made available by our organizations, we can help reduce the risk of a cyber attack.

Implement multi-factor authentication and password management

Password management policies and multi-factor authentication (MFA) are essential when it comes to securing your devices. While a password’s role is straight forward, consistently rotating a strong and randomized password is just as crucial.

It’s important to change all default passwords on your devices, as this is a vulnerability often exploited by threat actors. And of course, never share your passwords — with anyone.

MFA is also key to securing your systems, as it forces the user to confirm their credentials through a secure, secondary application every time a device is used.

Keep up with software and hardware best practices

Software and hardware physical security best practices help to ensure that you’re doing all you can to secure your organization, whether it be choosing systems with built-in defense functions or regularly updating your software and hardware.

Choosing systems with built-in layers of defense strengthens your organization’s cybersecurity the minute they’re up and running. With many solutions containing built-in security functions like data encryption and endpoint protection, these obstacles make it harder for threat actors to penetrate your systems.

When it comes to software updates, many overlook the important role that they play in helping to secure your organization. Prioritize updating the software and firmware on all your devices, as this allows them to function at their optimal level. Product updates often provide critical fixes for newfound vulnerabilities.

Choose the right technology

Finding a technology provider that offers the solutions you need, all while operating with transparency, is not easy. While it may take time to decide which vendor is the right fit for your organization, it’s an important step towards shaping your ideal security solution.

Most vendors offer their customers hardening guides — guides that provide tips on how to keep your system secure — so ask the right questions to ensure you receive your vendors’ relevant data and privacy protection policies.

Choosing the right technologies is central to a strong cybersecurity strategy, as operating with transparency and maintaining clear communication around vulnerabilities allows your organization to create an optimal cybersecurity strategy.

Third Stage Consulting CEO Eric Kimberling and LAE Software's Chad Baker discuss an overview of cybersecurity considerations in the 2020's.

YouTube player

Maintaining your cybersecurity is an ongoing process

They say knowledge is power, and it is especially true when it comes to cybersecurity. Organizations who take the time to train employees, increase awareness, and emphasize cybersecurity will stand a better chance of addressing critical threats when they arise.

If you have questions or would like to brainstorm on how you can best protect your company from cybersecurity critical threats, please feel free to contact me directly. I’m happy to offer my informal support as a sounding board @ ryan.glisan@thirdstage-consulting.com

I also highly recommend downloading our newly released 2023 Digital Transformation Report. It provides valuable insights into how businesses are using technology to drive growth and efficiency.

Author:
Eric Kimberling
Eric is known globally as a thought leader in the ERP consulting space. He has helped hundreds of high-profile enterprises worldwide with their technology initiatives, including Nucor Steel, Fisher and Paykel Healthcare, Kodak, Coors, Boeing, and Duke Energy. He has helped manage ERP implementations and reengineer global supply chains across the world.
Subscribe for updates
We never share data. We respect your privacy
Additional Blog Categories

Categories

Resources

Third Stage Consulting

Third Stage Consulting Group is a global thought leader in business transformation, ERP software systems, operational change management, and business advisory. Let us take your organization’s digital transformation to the Third Stage.
2022 - Copyright Third Stage Consulting Group LLC  |  All Rights Reserved  |  Website developed and maintained by Denver Web Design.
Privacy Notice  |  Terms of Use  |  Sitemap
crossmenuarrow-right