5 Steps to Reducing Cyber Security Risk

​​Your oil and gas business can’t afford cyber vulnerabilities. Reduce your risk with these practical steps.​​​

5 Steps to Reducing Cyber Security Risk

By Danny Timmins, National Leader, Cyber Security

​​Cyber security is a growing concern for companies in every industry. As giant security breaches are exposed almost every week, most businesses are increasingly aware that they may be easy targets for attack. Many companies have already experienced the sting of a hack. A recent MNP sponsored survey found that “Half of Canadian C-suite executives and nearly a quarter of entrepreneurs said their businesses' cybersecurity was breached in the past year.”

The challenge is finding the right solutions to protect valuable company data and assets. A single security breach can wipe out years of hard earned trust and destroy a company’s reputation. The need for effective security is more important than ever before.

What Works?

An executive’s first instinct may be to demand a review of policies as way to shore up security. However, this step alone has little effect to keep hackers at bay. Tools such as firewalls, antivirus and intrusion detection software, and leakage protection are vitally important, but they don’t go far enough.

A cyber security framework can offer practical approaches to deal with current and emerging threats and prepare companies for the new ones that may be just around the corner.

The Center for Internet Security (CIS) provides a framework of 20 practices which are proven to reduce threats for the vast majority of businesses. In fact, simply implementing the top five recommendations cuts the likelihood for breaches by a startling 85 percent.

Start With an Inventory

Steps one and two, which involve creating an inventory of authorized and unauthorized devices and an inventory of authorized and unauthorized software, are closely related and provide a starting point for any organization.

Having an inventory of these assets won’t prevent a breach, but they will provide an important overview of the entire system. Knowing what should and should not be on the system is the first step to recognizing if hardware or software suddenly and inexplicably appears.

Security Configurations for Hardware and Software

In the security business, limiting security configurations for hardware and software is also known as “hardening your boxes”. New technology and software is built for efficiency. It’s built for functionality, ease of use or getting work done faster. It’s very rarely built for security.

While some manufacturers have improved in deploying technology with sufficient security, it’s a rare occurrence.

To overcome this shortcoming, businesses should focus on configuring equipment or software to only have what it needs to perform the specific function it’s intended for. For example, a server that will only act as a web server should only have web server functionality.

Another common vulnerability comes in the form of default passwords. These passwords are often provided for an easy out-of-the-box experience; however, they are often easy to look up online, potentially leaving entire system open to hackers. To combat this practice, enact processes to change these passwords immediately.

Another way to reduce vulnerability is to watch for features that, when turned on, leave systems open to attack. Turn off any feature that is not needed. If a possibly risky feature is needed, look for other methods for securing the system.

Continual Vulnerability Assessment Remediation

Software code is complex and difficult to create. Unfortunately, complexity is the enemy of security. Bugs in the software can easily cause security issues.

While tools for identifying bugs are not perfect, they do provide a worthwhile level of protection. Far too many companies fail to scan systems to look for and fix bugs. These valuable scans can reveal vulnerabilities which can be readily fixed by simple software patches.

Regularly scanning the entire inventory of hardware and software is an excellent practice for finding problems, developing an action plan and fixing the vulnerabilities as soon as possible.

PCI Security Standards Council recommends scanning systems every 90 days. Monthly scans are ideal for most organizations and can coincide with when vendors normally release their patches. Continually scanning, which very few companies perform, is the most advanced form of monitoring. It requires tools which run continuous scans for systems and hardware. These scans provide a running inventory of vulnerabilities, with bugs added and removed as they appear or are fixed. This approach provides an overall picture of an entire system and how it’s evolving over time.

Controlled Use of Admin Privileges

Admin privileges have the highest access to any system. Sometimes known as “God level privilege”, when changes are made to a system by someone with admin access, few questions are asked.

Access that carries this amount of power should be carefully controlled. While only 20 percent of breaches are committed by employees acting maliciously, controlling access will make it much more difficult for an admin to “go rogue”.

Control can be enacted by only giving access when it’s needed. This can be done by providing a regular account for system admins and an on-request account that used only when admin level privileges are required.

This practice also protects admins from attackers who may use phishing techniques to steal credentials. These attackers are extremely skilled in their abilities and, unfortunately, humans are easily fooled. By only giving them access to the admin account when needed, it becomes impossible for them to accidentally share the credentials.

Support With Effective Employee Training

According to the 2017 Cyberthreat Defense Report by CyberEdge Group, a lack of security awareness among employees is “the greatest inhibitor to defending against cyber threats.” By implementing an engaging and effective training program, employees can be deployed as the best defense against cyber attacks. It requires a shift in thinking to move away from punishing employees who don’t learn and make mistakes, to encouraging employees to report security breaches, without fear of reprisal.

While implementing these steps will take time, resources and budget allocation, the risk reduction results are well worth the effort. Find out where your company stands by completing MNP’s free Cyber Health Assessment Tool.

​ ​

Contact Patrick Wigmore, Vice President, Oil and Gas, at 403.346.8878 or ​[email protected]​