PCI DSS and I
Your company obtained PCI compliance. It may have been a journey that ended with a QSA audit or a self-assessment; or, as I have seen in some cases, your company may have forsaken the PCI crown and decided to “eat” the risk.
So, what now?
Small and large organizations with PCI obligations have more than a Cardholder Data Environment (CDE) to worry about. There are always cyber security concerns involving systems availability, reputation, and also sensitive data concerns around Personally Identifiable Information (PII), healthcare related data, Intellectual Property (IP), regulatory requirements etc.
PCI DSS ignores most of your assets; it focuses on what poses a risk to your CDE, and even when it has been completed correctly, PCI DSS does not mean you are secure across your entire organization. It only means your CDE is secure. What about the other 70%-80% (as an example) of your on-premise and cloud systems and networks?
I need to think
Understandably, if you have not experienced a breach or loss of data up to this point, you count your blessings and ignore what is behind the big ugly door of cybercrime. You might have read a few cyber-related headlines, Googled some terms, and decided that your organization has an A-Team IT department who obviously know what they are doing, so why should you add cyber defense to your plate?
The reason is simple - ignoring what is coming is not going to stop the bad guys when your time comes, and it is coming. It could be in the form of ransomware, which will cost you many work hours and money, as well as a bruised ego for those of us with principles; or it might be a more sophisticated attack which will obtain your sensitive data and expose you to fines and embarrassment. Or even worse – a direct attack targeting your employees, intellectual property, or even your banking transactions. There are also internal threat actor concerns involving your employees or your employees’ personal devices to consider.
For example - external attackers scan all publicly reachable networks for open ports and look for vulnerabilities they can exploit to get into your networks. The number of new vulnerabilities found each month is in the hundreds. Old vulnerabilities do get fixed by vendors, but those fixes can be slow, and it is not guaranteed they will be included in your patching process.
The potential for trouble lurks all around. How should you plan and prepare?
Give me a list, I’ll do it
- Ownership. To start a Cyber Defense program in your organization you should first own it. Management sponsorship of such projects is an essential first step. If you are an IT professional identifying this need, you should get management’s attention as it will accelerate and enhance your ability to manage such a tricky project. The human resource element is extremely important since having a day job comes first to IT and cyber defense is not inherently built into the long list of daily tasks IT must perform.
- Risk. Risk is at the heart of any cyber defense analysis. Different organizations care about different aspects of their business and although there are some overlaps, you must assign priorities to your most important assets. Those can be data assets residing in a database server, the availability of a CRM system, intellectual property or your company reputation etc.
- Technology. Each unique asset has an underlying technology backbone which supports it; those software, hardware, and cloud assets must be included in a thorough review and analysis. Picking a framework, or even a basic checklist, to identify gaps for high-risk assets will allow you to divide and conquer.
- Defense. The next step is simple – just fix it! You may find remediation of your gaps to be as simple as patching devices, upgrading laptops and operating systems, or as complex as changing business processes and the culture of how your staff performs its duties.
- Process. Keep in mind that the journey of remediation rarely ends. At best you will reach a maturity point of your technology backbone which satisfies your risk appetite levels. However, since new vulnerabilities emerge, applications change, business needs shift, and staff join and leave, there must be a firm process in place. Once defined, an update in policies and procedures is needed which will allow this ongoing process of renewal and updating to effectively keep your risk levels down.
Actually, show me how
Some of the concepts here are ambiguous-sounding. It is fair to be a little lost; after all, your expertise is in supporting your organization’s business capabilities, not specifically cyber defenses. Reach out to a professional firm and share your history, your current status, and your fears – known and unknown. You will find that many organizations have gone through the same process, and help can be visualized and customized to your specific requirements.
Experienced and certified cyber companies such as Nettitude have advised on these various topics for years and are at the leading edge of cyber defense. Reach out for a free phone or in person consultation – your peace of mind is our job.