
Cybersecurity: what areas need protecting?

Faced with the expansion and fragmentation of the information system, the CISO would love to have the gift of ubiquity: to see and protect everything, both inside the company and beyond it. Lacking that, the only option is to keep a close watch on areas that are often neglected while carrying out meticulous mapping work. This pragmatic approach lays the foundations for a solid strategy by providing the visibility needed to prioritize.

October 10, 2022

Areas that CISOs should be more wary of

Service providers, customers, central governance, SecOps, physical sites... in theory, every entry point into the information system deserves to be examined. In practice, however, the threat looms particularly over certain areas.

Special attention should be paid to subsidiaries

Today, cybercriminals have understood the advantage of not targeting companies directly but of going through intermediate attack surfaces (subcontractors, service providers, etc.). This risk seems to have been well identified: ANSSI is currently working on a set of requirements applicable to PAMS (prestataires d'administration et de maintenance sécurisées, i.e. secure administration and maintenance providers).

On the other hand, there seems to be less vigilance when it comes to subsidiaries, even though they are just as likely to cause collateral damage. Often located far away, they are rarely visited and therefore easily forgotten, a phenomenon that is amplified in organizations that frequently acquire and sell off companies. What should be done when a subsidiary appears to be particularly exposed to threats but no measures are in place to deal with them?

In our opinion, once the CISO has presented the situation to senior management, emphasizing the risk of a "stray bullet" (an attack aimed at the subsidiary that ends up hitting the group), they have only two options: request that the technical links to the subsidiary be severed so that a potential attack is contained, or request sufficient resources to bring the subsidiary up to a satisfactory level of security.

Alerts on jobs, projects, and applications

While managing cybersecurity through compliance is an excellent basis for protecting a company, the method has its limits. Standards do not cover everything, particularly what makes a company unique: its business lines and how they operate.

This blind spot is a cause for concern, because the risks associated with shadow IT are very often underestimated. In its tutorial on Cloud Discovery (Microsoft Defender for Cloud Apps), Microsoft gives the following estimates.

  • When IT administrators are asked how many cloud applications their employees use, they typically estimate 30 or 40; in reality, the average organization uses over 1,000.
  • 80% of employees use unsanctioned applications that no one has reviewed and that may not comply with the security policy.

These figures show that there is a real benefit in looking not only at the business lines themselves but also at the applications that support them. This is all the more true given that the consequences can be extremely serious, as illustrated by the ransomware attack suffered by Altran in January 2019. As CEO Dominique Cerutti explained, the attackers' entry point was a poorly configured web application that still had its default password. The attack left all emails, phone lines, and communication tools blocked.
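The gap between the estimated and actual number of applications is measured the way cloud-discovery tools measure it: by reducing outbound proxy or firewall traffic to the applications behind it and comparing that list with the inventory IT has actually reviewed. The script below is an added example written for this article, not Tenacy code or Microsoft's Cloud Discovery; the log format, the sample log lines and the sanctioned-application list are constructed, and the hostname-to-application rule is a deliberately naive two-label collapse (no public-suffix list).

```python
"""Shadow-IT discovery from outbound proxy logs (added example, not the article's own code).

Cloud-discovery tools work on this principle: take the web proxy or firewall
logs, reduce each destination to a cloud application, count which applications
(and how many distinct users) appear, then compare that with the applications
the security team has reviewed and sanctioned.
"""
from collections import defaultdict
import re

# Constructed sample of proxy access-log lines. Assumption: the proxy logs
# "<timestamp> <user> <method> <url-or-host:port>"; real formats differ.
SAMPLE_LOG = """\
1665400001.123 alice GET https://mail.example-corp.com/inbox
1665400002.456 alice POST https://api.dropbox.com/2/files/upload
1665400003.789 bob GET https://drive.google.com/drive/my-drive
1665400004.012 carol CONNECT www.dropbox.com:443
1665400005.345 dave GET https://app.trello.com/b/board
1665400006.678 dave GET https://mail.example-corp.com/inbox
1665400007.901 erin CONNECT api.trello.com:443
1665400008.234 frank GET https://files.wetransfer.com/download/abc
"""

# Applications the security team has reviewed (constructed inventory).
SANCTIONED = {"example-corp.com", "google.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)


def host_from_target(target):
    """Return the bare hostname from a URL or a CONNECT-style host:port."""
    target = re.sub(r"^[a-z]+://", "", target)  # strip the scheme if present
    host = target.split("/", 1)[0]               # drop any path
    return host.split(":", 1)[0].lower()         # drop any port


def app_from_host(host):
    """Collapse a hostname to its registrable domain with a naive two-label rule.

    Assumption: no public-suffix list is used, so 'co.uk'-style suffixes would
    need special handling in a real deployment.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_log(text):
    """Yield (user, app) pairs; malformed lines are skipped rather than crashed on."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield m.group("user"), app_from_host(host_from_target(m.group("target")))


def discover(text, sanctioned):
    """Return ({app: set_of_users} for apps NOT in the sanctioned list,
    total number of distinct apps seen, sanctioned or not)."""
    users_by_app = defaultdict(set)
    for user, app in parse_log(text):
        users_by_app[app].add(user)
    unsanctioned = {
        app: users for app, users in users_by_app.items() if app not in sanctioned
    }
    return unsanctioned, len(users_by_app)


def report(text, sanctioned):
    """Unsanctioned apps ranked by distinct-user count, the usual triage order."""
    unsanctioned, total = discover(text, sanctioned)
    ranked = sorted(unsanctioned.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(app, len(users)) for app, users in ranked], total


if __name__ == "__main__":
    ranked, total = report(SAMPLE_LOG, SANCTIONED)
    print(f"{total} distinct apps seen, {len(ranked)} unsanctioned:")
    for app, n in ranked:
        print(f"  {app:<20} {n} user(s)")
```

On the constructed sample, two sanctioned applications are accompanied by three that nobody has reviewed, each used by one or two employees; run against a month of real proxy logs, the same loop is what turns "30 or 40 applications" into a thousand. Ranking by distinct users rather than by request count keeps a single noisy client from dominating the triage list.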

Mapping: the first step in any cybersecurity strategy

Regardless of how the organization they work for operates, the CISO can never be everywhere at once. Should this be a cause for concern for the company's security? Not necessarily, as long as they have an overview that allows them to allocate resources to the right places.

To each CISO their own framework

The Forrester study commissioned by Tenable in August 2020 (The Rise of the Business-Aligned Security Executive) shows that CISOs still lack visibility into corporate assets.

When it comes to applications, data, IT infrastructure, and cloud platforms, 70% consider themselves to have "high or complete visibility." The figure drops to 60% for OT, IoT, and mobile devices, as well as for on-site employees, and to just over 50% for remote employees, contractors, and third-party partners.

How can the risks be understood as a whole under these conditions? The only solution is to map them at the organizational level to obtain a macroscopic view. This is meticulous, even laborious work, but it is essential to ensure that nothing is overlooked and that areas are not treated in silos.

It is therefore up to each CISO to map their entire ecosystem and thereby build their own framework. This overview then serves as a basis for working through questions such as the following.

  • What are the entry points into the information system?
  • What are the common needs across the different areas identified?
  • What are the specific needs?
  • What is shared externally (files, data, applications, etc.) and with what level of security?

A genuine strategic map

Because human and financial resources are limited, cybersecurity can only be based on a principle of uneven protection: not every area gets the same level of effort. By taking a broad view, it becomes possible to identify the areas where the risk is greatest, either because it directly affects the company's business or because it concerns its creative potential (R&D).

In this respect, mapping allows you to build a meaningful cybersecurity strategy: the CISO identifies where efforts should be focused, but also where the risk can be considered acceptable. The exercise also has the advantage of facilitating communication with management. Unsurprisingly, it is much easier to gain their support (and budgets!) by presenting a clear overview of the highest-priority risks and the resources needed to address them.

How to improve your visibility

Tenacy is an adaptable, collaborative SaaS solution designed by CISOs for CISOs. It provides a 360° view through clear operational and strategic indicators. It also improves the daily lives of CISOs by saving them time on time-consuming, low-value tasks, while enabling the alignment of operations with objectives.
