Using KPIs to generate results in Cybersecurity


Gaining investment from business leaders to create a mature cybersecurity program and fund initiatives is an imperative for success in enterprise risk mitigation. All too often, security and IT organizations struggle to capture the attention of executives needed to advance their priorities and build even basic cybersecurity capabilities.

Year after year, important initiatives get deprioritized for other business initiatives, pushing out the adoption of important technologies or funding of headcount to manage critical processes. The result is an organization with increasing exposure to risk and unwanted cybersecurity challenges. Fundamental capabilities for effective security operations that improve visibility, such as a SIEM, are deemed too expensive.

What strategies can cybersecurity staff use to cut through the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to properly fund the adoption of a new technology or capability? 

One way is to build a reporting system that speaks executive language and abstracts difficult-to-understand technology into business concepts: risk, reward, performance objectives, metrics, and success. Simply establishing the basic priorities of a cybersecurity program and then formally reporting on key performance indicators at regular intervals can have a profound impact. What an organization chooses to pay attention to naturally grows.

What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and regulatory and compliance standards in play, to name a few. A guiding principle should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will look at the attack surface, vulnerabilities and exposures, incidents, and employee training as a good starting point. 

Asset management

Asset management is at the core of every program. It’s impossible to guard what you don’t know or see, and yet most organizations fail to have a full grasp of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems monitored.

Shadow IT, Bring Your Own Device, and Work from Anywhere have exacerbated these challenges as traditional network edges evaporate and the flow of corporate data across untrusted networks and devices has become increasingly common. This complicated patchwork is the corporation’s attack surface. Reporting the scope of that footprint, at the very least, demonstrates awareness of what matters to the organization.

Surprisingly, many organizations can’t easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are at any given point in time. This knowledge is fundamental, and reporting it regularly to executives ensures that they appreciate the scope of the program while also establishing a priority to keep data fresh and consistently up to date.

Vulnerabilities and patch management

This is perhaps one of the most impactful KPIs, not only because it’s so important in protecting the enterprise, but because it’s a constantly moving target (NIST’s National Vulnerability Database lists more than 17,000 CVEs submitted this year alone). The vast majority of data breaches (upwards of 90%) leverage exploitation of a known vulnerability.

An effective vulnerability management program should involve regular scanning to identify new vulnerabilities in the organization’s infrastructure. KPIs can include the number of vulnerabilities discovered over the reporting period, their categorization by CVE, how quickly they are patched after discovery, and trend graphs showing the reduction in vulnerabilities over time.
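An added example, not from the original article: a Python calculation of the KPIs listed above from a set of constructed scanner findings. It computes, per reporting period, discovery counts by severity and by CVE, mean days to patch, the fraction patched within an assumed per-severity target, and the open-count series that a trend graph would plot. The hosts, dates, severity targets and CVE identifiers are constructed placeholders, not real data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """One scanner finding: a CVE observed on one host."""
    host: str
    cve: str
    severity: str            # "critical", "high", "medium" or "low"
    discovered: date
    patched: Optional[date]  # None while the finding is still open


# Constructed sample findings for this example. The values are illustrative
# and the CVE identifiers are placeholders, not real CVE numbers.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", "critical", date(2022, 1, 3), date(2022, 1, 6)),
    Finding("web-02", "CVE-EXAMPLE-0001", "critical", date(2022, 1, 3), date(2022, 1, 20)),
    Finding("db-01", "CVE-EXAMPLE-0002", "high", date(2022, 1, 10), date(2022, 2, 2)),
    Finding("app-01", "CVE-EXAMPLE-0003", "medium", date(2022, 1, 15), None),
    Finding("app-02", "CVE-EXAMPLE-0004", "low", date(2021, 12, 20), date(2022, 1, 12)),
    Finding("vpn-01", "CVE-EXAMPLE-0005", "high", date(2022, 2, 5), None),
]

# Assumed remediation targets in days per severity. These are an assumption
# for the example; real targets come from the organization's own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def days_to_patch(f: Finding) -> int:
    return (f.patched - f.discovered).days


def open_at(findings, end: date):
    """Findings discovered on or before `end` and not yet patched by then."""
    return [f for f in findings
            if f.discovered <= end and (f.patched is None or f.patched > end)]


def kpis_for_period(findings, start: date, end: date) -> dict:
    """KPIs for one reporting period; both dates are inclusive."""
    discovered = [f for f in findings if start <= f.discovered <= end]
    closed = [f for f in findings
              if f.patched is not None and start <= f.patched <= end]

    by_severity, by_cve = {}, {}
    for f in discovered:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
        by_cve[f.cve] = by_cve.get(f.cve, 0) + 1   # hosts affected per CVE

    ttp = [days_to_patch(f) for f in closed]
    within_sla = sum(1 for f in closed if days_to_patch(f) <= SLA_DAYS[f.severity])

    return {
        "discovered": len(discovered),
        "by_severity": by_severity,
        "by_cve": by_cve,
        "closed": len(closed),
        "mean_days_to_patch": round(sum(ttp) / len(ttp), 1) if ttp else None,
        "sla_met_fraction": round(within_sla / len(closed), 2) if closed else None,
        "open_at_end": len(open_at(findings, end)),
    }


def open_count_trend(findings, period_ends) -> list:
    """Open findings at each period end: the series behind a trend graph."""
    return [len(open_at(findings, end)) for end in period_ends]


def sample_report() -> dict:
    """January and February 2022 KPIs plus the month-end open-count trend."""
    return {
        "jan": kpis_for_period(SAMPLE_FINDINGS, date(2022, 1, 1), date(2022, 1, 31)),
        "feb": kpis_for_period(SAMPLE_FINDINGS, date(2022, 2, 1), date(2022, 2, 28)),
        "open_trend": open_count_trend(
            SAMPLE_FINDINGS, [date(2021, 12, 31), date(2022, 1, 31), date(2022, 2, 28)]),
    }


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name}: {value}")
```

The per-CVE count is worth keeping separate from the per-host count: one CVE on many hosts is one patch campaign, while the host count is what the exposure actually looks like. Counting a finding as open at period end when its patch date falls after the period keeps the trend series honest when a patch lands a day into the next month.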

Cyber incidents

A risk register that tracks every incident in the organization, its severity, the resolution, and lessons learned is a must. Raising awareness of incident quantity, associated impacts to the business, efforts to determine root cause, and mitigations is essential.

Many organizations lack even a fundamental classification system that is well understood across the company. Socializing with executives the incidents from the last reporting period reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves overall organizational readiness when new incidents occur.

Employee training

Performance metrics can include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on core concepts (such as thinking before clicking, or how a clean desk is a cybersecurity priority), or the lessons learned from a recent tabletop exercise.

All make for great topics of discussion with executive stakeholders. Many organizations get fun and creative in this area, coming up with security mascots or even inter-business unit competitions.

Getting started

For organizations that are early in the KPI development journey, a great launch point is a Balanced Scorecard. This innovative approach to change management helps:

clarify vision, mission, and strategic themes
gain alignment and buy-in
break through organizational silos
define key objectives, initiatives, and success metrics
inform dashboard content

Initially designed by Dr. Robert Kaplan and Dr. David Norton for performance management, this framework can be a valuable tool for a security team to organize its strategy and distill out simple measures of success.

Cultivate curiosity 

Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why; to inquire more deeply. Provoking curiosity inherently creates focus, attention, and concern. Cultivating it is one of the most powerful catalysts a security team can use in maturing a cybersecurity program.

Many technologists, buried in complexities of engineering solutions and securing bits and bytes, underutilize this simple strategy to keep their priorities top of mind with business leaders. Cultivate curiosity, generate questions, and watch investment in your ideas and programs grow.


Growing Number of Phish Kits Bypass MFA


Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned.

After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today claim that 79% of UK and US users deployed some kind of second-factor authentication in 2021 versus 53% in 2019.

However, the threat landscape is changing as a result. Phishing kits offer a cheap-and-easy way for budding cyber-criminals to launch and monetize campaigns.

“In recent years, Proofpoint researchers have observed the emergence of a new type of kit that does not rely on recreating a target website. Instead, these kits use a transparent reverse proxy to present the actual website to the victim,” the firm explained.

“Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely. Another advantage of the reverse proxy is that it allows the threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords in real-time, but also the session cookie.”

These cookies can then be used to access a targeted account without needing a username, password or MFA token.
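As an added, defender-side example (not from the Proofpoint post or from any of the kits it names): a Python check that binds a session cookie to the client attributes recorded when the login completed MFA, then flags later requests that carry the same cookie from a different client. The log format, field names, session ids, user agents and addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs). `login_ok` marks
# a login that completed MFA; later requests carry the same session cookie id.
SAMPLE_LOG = """\
2022-02-03T10:00:01Z event=login_ok user=alice sid=s1 ip=203.0.113.10 ua=Chrome/97
2022-02-03T10:00:05Z event=request user=alice sid=s1 ip=203.0.113.10 ua=Chrome/97 path=/inbox
2022-02-03T10:02:40Z event=request user=alice sid=s1 ip=198.51.100.7 ua=Chrome/97 path=/settings/forwarding
2022-02-03T10:03:10Z event=request user=alice sid=s1 ip=198.51.100.7 ua=Chrome/97 path=/settings/recovery
2022-02-03T11:00:00Z event=login_ok user=bob sid=s2 ip=192.0.2.44 ua=Firefox/96
2022-02-03T11:00:30Z event=request user=bob sid=s2 ip=192.0.2.44 ua=Firefox/96 path=/inbox
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one `timestamp key=value ...` line into a dict."""
    ts_text, rest = line.split(" ", 1)
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_session_reuse(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Flag requests whose session id is presented by a client that does not
    match the one that completed the login. Each alert records what was bound
    at login, what was seen, and whether it happened within `window` of login."""
    bound = {}    # sid -> the login_ok event that created the session
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sid = ev["sid"]
        if ev["event"] == "login_ok":
            bound[sid] = ev   # bind the cookie to the client that passed MFA
            continue
        origin = bound.get(sid)
        if origin is None:
            continue          # session predates the log window; out of scope here
        if ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]:
            alerts.append({
                "sid": sid,
                "user": ev["user"],
                "path": ev.get("path"),
                "bound_ip": origin["ip"],
                "seen_ip": ev["ip"],
                "bound_ua": origin["ua"],
                "seen_ua": ev["ua"],
                "minutes_after_login": (ev["ts"] - origin["ts"]).total_seconds() / 60,
                "within_window": ev["ts"] - origin["ts"] <= window,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A mismatch is a signal, not proof: mobile carriers and corporate NAT change client addresses legitimately, so the sensible response is to require re-authentication for the flagged session and to weight alerts that hit account-recovery or mail-forwarding paths shortly after login. The check catches a replayed cookie after the fact; phishing-resistant MFA (FIDO2/WebAuthn), whose assertions are bound to the real site's origin, prevents a reverse proxy from completing the login in the first place.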

Proofpoint has already noticed an uptick in the availability of such phishing kits and warned that the trend would only increase as MFA becomes more popular. They include “Modlishka,” “Muraena/Necrobrowser” and “Evilginx2.”

“We are now in 2022, the pandemic still rages, many workers are still working from home and many may not return to the office. As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits,” Proofpoint concluded.

“They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions.”


Target releases web skimming detection tool Merry Maker as open source


Web skimming has been a major scourge for online shops over the past several years with attacks ranging from simple script injections into payment forms to sophisticated compromises of legitimate third-party scripts and services. Sometimes referred to as Magecart attacks, they have become the leading cause of card-not-present (CNP) fraud and have impacted small and big brands alike, as well as different types of ecommerce platforms.

As one of the top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers decided to develop their own. After being in active use on Target.com for over three years, the company’s client-side scanner has now been released as an open-source project dubbed Merry Maker.



Why buy now, pay later is the next big fraud risk for retailers


Retailers are offering customers more buy now, pay later (BNPL) finance purchasing options to drive sales across a wide range of products. Shoppers can get instant credit at the point of sale (POS) and then delay or spread payments (often at no extra cost) instead of paying outright at the time of purchase. This can appeal to consumers and has proven to be particularly popular during busy shopping periods such as Black Friday and the holiday season.

However, BNPL is also capturing the attention of online fraudsters. While it is maturing with new providers and products coming to the market, so too are the risks of fraud for retailers as cybercriminals look to exploit the BNPL process.



Apple AirTag and other tagging devices add to CISO worries


We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.

Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.



Home Improvement Firm Fined £200k for Nuisance Calls


A Welsh home improvement firm has been fined £200,000 by the UK’s privacy watchdog after making more than half a million nuisance phone calls.

Home2Sense Ltd of Lampeter made 675,478 nuisance calls between June 2020 and March 2021 to offer individuals insulation services, according to the Information Commissioner’s Office (ICO).

However, these people were registered with the Telephone Preference Service (TPS), meaning they had explicitly opted out of receiving unsolicited marketing calls.

According to the UK’s Privacy and Electronic Communications Regulations (PECR), it is illegal to contact anyone registered with the TPS for more than 28 days unless that person has explicitly notified the company that they do not object to receiving such calls.

Among the scores of complaints made to the ICO about Home2Sense’s business practices, one distressed victim said a call center marketer asked to speak to their late mother, who had passed away a decade earlier.

On other calls, the operative posed as a local surveyor and claimed the recipient might be in line for a free grant to replace their loft insulation.

“This is my recently deceased mother’s house that I have just inherited in the past few months. It was extremely upsetting to have someone deliberately cold-call me,” they complained.

The company also illegally used several aliases when presenting themselves to the public, including “Cozy Loft,” “Warmer Homes” and “Comfier Homes.”

Head of ICO regions, Ken Macdonald, argued that the firm’s attempt to blame its staff for failing to screen individuals on the TPS list shows a complete disregard for victims’ privacy.

“Some of the complainants described the calls received as ‘aggressive,’ and the company caused two complainants to feel distressed and upset when they asked to speak to a relative that had passed away,” he added.

“Business owners operating in this field have a duty to have robust procedures and training in place so the law is followed. Attempts to rely on ignorance of the law, or trying to pass the buck onto members of staff or external suppliers, will not be tolerated.”

However, it remains to be seen if Home2Sense ends up paying the full £200,000. Just a quarter (26%) of the monetary value of fines issued by the ICO from January 2020 to September 2021 have been paid, according to a November 2021 report. That’s down from 32% during the previous report period (January 2019-August 2020).

Fines for nuisance calls were among the most likely to remain unpaid, with nearly 80% yet to be collected.


Online Thieves Steal $320m from Crypto Firm Wormhole


Yet another cryptocurrency firm is offering a multimillion-dollar ‘bug bounty’ reward to those who hacked it after suffering a cyber-heist worth an estimated $322m.

Wormhole operates what’s known as a cross-blockchain bridge, enabling holders of certain cryptocurrencies to transfer tokens, data and other assets between siloed blockchains. It offers this service to bridge Ethereum, Solana, BSC, Polygon, Avalanche, Oasis and Terra.

In a brief statement late yesterday, the firm tweeted that its network was down while it investigated a potential exploit.

Then came the news that users were dreading: Wormhole confirmed that attackers stole 120,000 Ethereum tokens worth over $320m.

However, the firm claimed that it would be adding more Ethereum to its platform “over the next hours” to ensure any assets it owns are backed 1:1. The fear is that without this backing, various Solana users and platforms would be helpless.

A security researcher going by the handle “samczsun” on Twitter has published a detailed write-up of the attack, having reverse-engineered the exploit. The hacker exploited a vulnerability on the Wormhole platform, enabling them to pocket new wrapped Ethereum (wETH) without needing to deposit any in return.

WETH is a version of Ethereum designed to be exchanged with other Ethereum-based tokens and has the same value as ETH.

Just like Qubit Finance a few days ago, Wormhole has reached out to its attacker, offering a massive $10m reward for finding the bug.

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a white hat agreement, and present you a bug bounty of $10m for exploit details, and returning the wETH you’ve minted,” it said in a message on the Ethereum blockchain.

The audacious cyber-heist makes this easily the biggest theft of cryptocurrency so far this year and the largest such incident targeting cross-blockchain bridges.

In its most recent update, Wormhole claimed the vulnerability had now been patched, and it was working on getting the network back up and running.


Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.


Privacy in Practice: Securing Your Data in 2022 and Beyond


Every year we can count on new technology to make our lives easier. Right? As beneficial and convenient as tech can be, it can also pose risks to our online safety and privacy—risks that we should be prepared to handle. Increasingly, we’re seeing governments around the world implementing stricter privacy laws. And even major players like Google are phasing out invasive tracking technology like cookies. However, when it comes to activities like banking, shopping, taxes, and more, the need for broader online privacy protection has never been greater. Let’s take a look at some prominent trends in the way we now live online and how we can protect our data.  

Web3

Crypto, the blockchain, NFTs, tokens – all of these terms are considered part of what’s being termed Web3. Whereas Web 2.0 described an internet made up of large corporations hosting content and consumers, Web3 is governed by the blockchain. What this means is that applications use a decentralized online ledger to document transactions of all sorts. The most famous example is bitcoin, a blockchain that acts as a digital currency. Another example would be NFTs, which are digital works of art. Web3 may be in its infancy, but it’s important to consider what this means for privacy and data protection. Blockchain affords users anonymity in regards to currencies like bitcoin. Of course that means bitcoin also has a reputation as the currency of choice for money-launderers and other shady enterprises. Still, that means it’s good for privacy, right? Well, maybe. The EU’s GDPR rights to erase or amend data are at odds with transactions on a blockchain, which are essentially unchangeable. So if you’re buying cryptocurrency, NFTs, or interacting with blockchains in other ways, just understand your personal information might be hidden, but the record of your transactions is totally visible. 

Tip: If you’re keeping cryptocurrencies in an online wallet, you’ll want to use an identity protection service to monitor those account credentials so you can be warned of breaches and leaks onto the dark web. 

Education

Student privacy is a top concern as households turn to remote learning. In a rush to optimize remote learning experiences in the face of a rapidly evolving digital landscape, many educators and remote learners may not realize the hazards that put student privacy at risk. 

Since 2020, schools have adopted a range of technologies to optimize the digital classroom, including virtual learning platforms, holistic learning solutions, and even social media applications. However, many of these digital platforms are not designed for child usage, nor do they have privacy policies in place to ensure that the student data gathered is protected. Many learning platforms may even treat student data as consumer data, raising more red flags regarding student data privacy and compliance. Online learning has also garnered the attention of cybercriminals looking to exploit student data, resulting in online bullying, identity theft, and more. 

For educators and parents alike, knowledge is the greatest asset to mitigating the risks of remote learning. IT teams and educators must understand the implications of the student data they collect, govern access to it, and control its usage to comply with child privacy regulations. Parents can take proper precautions by discussing the importance of privacy with their children. Keeping learning platforms up to date and monitoring their children to prevent them from downloading suspicious apps or straying to unknown websites are all ways to ensure safer remote learning environments. 

Tip: Getting a VPN for the family to use is a great way to safeguard your privacy while your kids are learning online. 

Work

Remote work has become commonplace nowadays as more companies permit their employees to work from home long-term and, for some, permanently. In a recent Fenwick poll among HR, privacy, and security professionals across industries, approximately 90% of employees now handle intellectual property, confidential, and personal information in their homes. Endpoint security, or the protection of end-user devices such as our laptops and mobile devices, poses more of a concern as employees trade in office networks for their in-home Wi-Fi. If these devices and networks are unsecured or if the data is not encrypted, employees run the risk of exposing sensitive information to hackers. Those of us working from home can help ensure the safety of our company’s confidential information by boosting our awareness of security threats and prevention measures via company-mandated security training.  

Tip: McAfee’s Protection Score is a great way to understand how protected you are online and what you can do to stay more secure 

The Metaverse

This buzzy term is being used to describe Meta’s (previously Facebook) vision for a fully connected future. Right now it exists as an AR/VR space accessible through Meta’s own VR hardware, Oculus. However, the terminology has caught on as a catch-all for platforms that may contain work, business, gaming, entertainment, social interactions, and more in one easily navigable, immersive online setting. Web3 features, like blockchain, NFTs, and cryptocurrencies are being touted as integral parts of the metaverse. As exciting and futuristic as this is, there are major privacy questions that will have to be answered. This means that as customers you’ll want to think hard about what you choose to share through the metaverse and look into the privacy settings a platform offers you.  

Tip: Use comprehensive online protection. McAfee Total Protection secures all aspects of your life online. From identity to online connections to antivirus, a full security suite like Total Protection keeps you and your family safer on all the devices you use and places you go online. 

Personal Finances

Some of the platforms I use the most allow me to keep track of and manage my finances. Whether it’s my mobile banking app or taking advantage of online tax filing, there is such a convenience in having the ability to pay bills, deposit checks, and more, all with the devices I use every day. But many of us may not realize just how much trust we put into these platforms to protect our online privacy, especially when we don’t have a clear picture of who exactly is on the other end of our online transactions. 

While recognizing the signs of online banking and tax-related fraud helps ease the burdens associated with these schemes, there are multiple steps users can take to prevent becoming a victim of these scams in the first place.  

Tip: Full-featured identity protection will protect you financially. Services like McAfee Identity Protection Service include credit checks, identity theft restoration, and even stolen fund restoration as benefits. 

Digital devices are part of how we live our lives every day, whether we’re taking conference calls on our laptops, tracking the latest mile on our smartwatches, or banking on the go. Although our everyday digital devices make our lives that much more convenient, securing them makes our lives that much safer by minimizing online threats to ourselves and those around us. Safeguarding the digital platforms we use for work, school, finances, you name it, is the first step to ensuring our private information remains just that—private. 

The post Privacy in Practice: Securing Your Data in 2022 and Beyond appeared first on McAfee Blog.

