{"id":4917,"date":"2019-11-19T01:44:22","date_gmt":"2019-11-19T01:44:22","guid":{"rendered":"https:\/\/cio-leaders.com\/?p=4917"},"modified":"2022-06-23T11:23:21","modified_gmt":"2022-06-23T01:23:21","slug":"how-do-you-know-you-are-okay","status":"publish","type":"post","link":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/","title":{"rendered":"How do you know you are okay?"},"content":{"rendered":"

How do you know you are okay?<\/span><\/strong><\/span><\/h2>\n

When it comes to cyber security issues, the question CEOs and their boards need to ask is not, \u2018are we okay?\u2019 But, \u2018how do we know we are okay?\u2019<\/span><\/h2>\n

Article from New Zealand Management Mag<\/a> by Annie Gray.<\/span><\/h2>\n

\"\"<\/a><\/span><\/p>\n

 <\/p>\n

While there is definitely an increase in awareness of cyber security risk at an executive and board level, the Government Communications Security Bureau\u2019s experience over the past few years shows there still needs to be greater understanding of how leaders can best drive cyber security risk management, says the GSCB\u2019s Director-General, Andrew Hampton.<\/span><\/p>\n

He says the GCSB\u2019s National Cyber Security Centre\u2019s survey of cyber security resilience, based on face-to-face interviews with security professionals from more than 250 organisations, suggested that while most organisations are heading in the right direction, more work needs to be done to improve cyber resilience.<\/span><\/p>\n

And he pointed towards four areas \u2013 governance, investment, readiness and supply chain.<\/span><\/p>\n

Hampton, whose bureau contributes to New Zealand\u2019s national security by providing information assurance and cyber security to the Government and critical infrastructure organisations, told\u00a0Management<\/i>, in reply to written questions, that a key challenge for leaders is knowing the right questions to ask.<\/span><\/p>\n

\u201cOne of the key things is that leadership must recognise that effective cyber security risk management is not just an IT thing \u2013 it requires a whole of business approach.<\/span><\/p>\n

\u201cThere are a range of questions that boards and executive teams should be asking as part of their risk assurance and management processes.<\/span><\/p>\n

\u201cThey are in four key areas; knowledge of information assets, the potential impact of a cyber event, understanding your vulnerabilities and preparedness to respond.\u201d<\/span><\/p>\n

\u2022 Information assets: What are our most important information assets? How are we protecting these assets? Are we managing the risk to an acceptable level in accordance with our business objectives and do we have a security framework in place?<\/span><\/p>\n

\u2022 Impact: What would be the impact of a cyber-attack? What are the cyber security risks to the organisation? What is the potential cost of a cyber-attack and the damage to our brand?<\/span><\/p>\n

\u2022 Vulnerabilities: How well do we know the vulnerabilities of our systems processes and data? Do we have inventories of all of our IT systems? Are we following best-practice advice and do we conduct regular audits and security risk assessments?<\/span><\/p>\n

\u2022 Response: What is our plan for dealing with a cyber security incident?\u00a0 Do we have an incident response plan and if so, how often is it tested?\u00a0 As part of response planning what is our communication strategy for dealing with a cyber incident?<\/span><\/p>\n

In essence, Hampton says the question boards and CEOs need to ask is not, \u201care we okay?\u201d but \u201chow do we know we are okay?\u201d<\/span><\/p>\n

Hampton says there are many measures and frameworks for ensuring resilience.<\/span><\/p>\n

\u201cAt a governance level it is not necessary to fully understand these frameworks but it is important to understand how an organisation measures up in terms of their compliance with them.<\/span><\/p>\n

\u201cIn order to measure boards must first understand what normal looks like for their organisation. They should establish a baseline for security assessment of the organisation\u2019s cyber security.\u201d\u00a0 This includes:<\/span><\/p>\n

\u2022 Understanding what your most important information assets are;<\/span>
\n\u2022 Prioritising security risk based on knowledge of your sector and systems;<\/span>
\n\u2022 Identifying critical assets that are key to delivery of your business objectives; and<\/span>
\n\u2022 Understanding how the organisation identifies and keeps track of what is happening to its systems and data.<\/span><\/p>\n

\u201cIn March our United Kingdom counterparts, the UK National Cyber Security Centre published a cyber security guide for boards. This is a really useful resource that sets out how boards can get the information they need to make well informed decisions on cyber security risk, understand and prioritise risk, then take the necessary steps to manage those risks.\u00a0 It is well worth checking out.\u201d See\u00a0https:\/\/www.ncsc.gov.uk\/collection\/board-toolkit<\/a>.<\/span><\/p>\n

So, if CEOs and board members could concentrate on just one or two areas, what does Hampton think it should be?<\/span><\/p>\n

You need to \u201cthink ahead and be prepared\u201d.<\/span><\/p>\n

\u2022 Understand where your most important information is and ensure it is protected;<\/span>
\n\u2022 Foster a strong security culture; and<\/span>
\n\u2022 Understand the threats you are facing.<\/span><\/p>\n

For more information see
\nhttps:\/\/www.ncsc.govt.nz\/newsroom\/nationally-significant-organisations-c…<\/a><\/b><\/span><\/p>\n

 <\/p>\n

CYBER SECURITY: DON\u2019T FORGET THE HUMBLE PHOTOCOPIER<\/span><\/p>\n

For all the focus on securing the desktop and network, it\u2019s easy to overlook office multifunction devices as an IT asset that merits equal scrutiny for the security team. Yet, there\u2019s just as much, or more, business critical information passing through and stored on these devices as the desktop.<\/span><\/p>\n

Every page that\u2019s scanned, printed or copied gets stored to a hard drive, and if not properly protected or securely deleted, is potentially vulnerable to exploitation, says Ross Wilkinson, a network and document security expert from Fuji Xerox New Zealand.<\/span><\/p>\n

\u201cSince these devices are connected to the network there\u2019s a potential route of access available to external parties that needs to be protected,\u201d he says.<\/span><\/p>\n

Wilkinson points to Faxploit, a vulnerability that was discovered in mid-2018 that affected all-in-one printers and multifunction devices around the world.<\/span><\/p>\n

\u201cAt a basic level, if hackers had the fax number for one of these machines, they could remotely connect and deploy malware that would compromise its security and give the hackers access to the device at an admin level, which could then in turn grant them access to the entire network.<\/span><\/p>\n

\u201cIn the hacking game access is key, and once they\u2019re in, the only limits are the hackers\u2019 imagination. Because there are so many of these devices around the world, it served as a real wake-up call to many IT experts and vendors.\u201d<\/span><\/p>\n

He says that in response a number of manufacturers have issued software patches and updates to their devices. Many organisations are also looking at the fax function of their devices and determining if this is really still necessary.<\/span><\/p>\n

\u201cHowever for some organisations, the rather antiquated fax machine isn\u2019t going away anytime soon. There\u2019s still a surprisingly large amount of fax traffic worldwide, particularly in highly regulated industries like legal firms, pharmaceuticals and healthcare and government bodies where only a hard copy of a document is legally recognised. Until the rules and regulations governing those industries change to reflect advances in technology, the fax machine will be here to stay.<\/span><\/p>\n

\u201cThanks to a quick response from most print providers the threat from Faxploit has tapered off, but as always in security it\u2019s a cat-and-mouse game.\u201d<\/span><\/p>\n

Wilkinson says there are seven avenues hackers could use to access an office multifunction device:<\/span><\/p>\n

1. Unauthorised use (i.e., logging in as someone else).<\/span>
\n2. Eavesdropping or tampering with network traffic to, or from, the device.<\/span>
\n3. Tampering with admin settings to open vulnerabilities.<\/span>
\n4. Software tampering to revise the software running the machines.<\/span>
\n5. Audit log tampering.<\/span>
\n6. Stealing document data stored on the device.<\/span>
\n7. Data breach through accidental misuse.<\/span><\/p>\n

As to what organisations can do to better protect their data Wilkinson points to:<\/span><\/p>\n

\u2022 Create unique user IDs for each person using the device: This makes all print jobs and actions accountable to a specific user and helps to prevent unauthorised access \u2013 both on-site and remotely.<\/span><\/p>\n

\u2022 Restrict USB keys and portable memory devices: While these can be convenient for scanning and printing, they\u2019re also well-known vehicles for deploying viruses and malware. Newer MFDs now include a number of features for better data portability, so instead of a USB you can print directly from your phone or scan directly to OneDrive or SharePoint from the machine\u2019s touchscreen.<\/span><\/p>\n

\u2022 Implement image overwrite (if not already configured): This is an admin setting on most MFDs where after every print job the image is overwritten (digitally \u2018shredded\u2019) on the device hard drive, ensuring it cannot be easily recovered or exploited if anyone were to access the device\u2019s memory.<\/span><\/p>\n

\u2022 Change the default admin credentials: You would do this on any other device on your network, so treat your MFD the same way.<\/span><\/p>\n

\u2022 Disable functions and services you don\u2019t use: Most MFD models come with an array of possible functions, features and ports that are mostly enabled by default. If you\u2019re not using them, just turn them off.<\/span><\/p>\n

\u2022 Implement a follow-me type print solution. This means that a print job is only released when a user is at the printer, ready to collect it. Also ensure that this solution (there are many available) uses modern encryption standards to encrypt your print data, and that it is kept in sync with your computer access directory, so that users who are no longer with the organisation lose any access to the MFDs.<\/span><\/p>\n

 <\/p>\n

Publishing Information<\/span><\/p>\n

\n

NZ Management Magazine Issue:<\/span><\/p>\n

Management June 2019<\/a><\/span><\/div>\n<\/div>\n
Page Number: <\/span>9<\/span><\/div>\n

 <\/p>\n

If you would like the opportunity to have your articles published on our website and included in the industry insights weekly newsletter, submit your content to stacey@focusnetwork.co for consideration.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

How do you know you are okay? When it comes to cyber security issues, the question CEOs and their boards need to ask is not, \u2018are we okay?\u2019 But, […]<\/p>\n","protected":false},"author":106,"featured_media":4920,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-4917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"yoast_head":"\nHow do you know you are okay? - CIO Singapore<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How do you know you are okay? - CIO Singapore\" \/>\n<meta property=\"og:description\" content=\"How do you know you are okay? When it comes to cyber security issues, the question CEOs and their boards need to ask is not, \u2018are we okay?\u2019 But, [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/\" \/>\n<meta property=\"og:site_name\" content=\"CIO Singapore\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-19T01:44:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-06-23T01:23:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/09\/William-Chong-Headshot-Banner.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Events Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/09\/William-Chong-Headshot-Banner.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Events Team\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/\",\"url\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/\",\"name\":\"How do you know you are okay? - CIO Singapore\",\"isPartOf\":{\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png\",\"datePublished\":\"2019-11-19T01:44:22+00:00\",\"dateModified\":\"2022-06-23T01:23:21+00:00\",\"author\":{\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/9e81c3bd560c00a993b286645d0a2d10\"},\"breadcrumb\":{\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage\",\"url\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png\",\"contentUrl\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png\",\"width\":525,\"height\":334},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How do you know you are okay?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/#website\",\"url\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/\",\"name\":\"CIO Singapore\",\"description\":\"Just another WordPress site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/9e81c3bd560c00a993b286645d0a2d10\",\"name\":\"Events Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/40e1719e418efb93a2ffabe69e553c32e23443654a4af8bb41d93890b4eb297a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/40e1719e418efb93a2ffabe69e553c32e23443654a4af8bb41d93890b4eb297a?s=96&d=mm&r=g\",\"caption\":\"Events Team\"},\"url\":\"https:\/\/focusnetwork.co\/cio-leaders.com\/author\/mediac0rp\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How do you know you are okay? - CIO Singapore","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/","og_locale":"en_US","og_type":"article","og_title":"How do you know you are okay? - CIO Singapore","og_description":"How do you know you are okay? When it comes to cyber security issues, the question CEOs and their boards need to ask is not, \u2018are we okay?\u2019 But, [...]","og_url":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/","og_site_name":"CIO Singapore","article_published_time":"2019-11-19T01:44:22+00:00","article_modified_time":"2022-06-23T01:23:21+00:00","og_image":[{"width":1024,"height":512,"url":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/09\/William-Chong-Headshot-Banner.png","type":"image\/png"}],"author":"Events Team","twitter_card":"summary_large_image","twitter_image":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/09\/William-Chong-Headshot-Banner.png","twitter_misc":{"Written by":"Events Team"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/","url":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/","name":"How do you know you are okay? - CIO Singapore","isPartOf":{"@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage"},"image":{"@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage"},"thumbnailUrl":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png","datePublished":"2019-11-19T01:44:22+00:00","dateModified":"2022-06-23T01:23:21+00:00","author":{"@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/9e81c3bd560c00a993b286645d0a2d10"},"breadcrumb":{"@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#primaryimage","url":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png","contentUrl":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-content\/uploads\/sites\/53\/2019\/11\/Banner-2.png","width":525,"height":334},{"@type":"BreadcrumbList","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/how-do-you-know-you-are-okay\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/focusnetwork.co\/cio-leaders.com\/"},{"@type":"ListItem","position":2,"name":"How do you know you are okay?"}]},{"@type":"WebSite","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/#website","url":"https:\/\/focusnetwork.co\/cio-leaders.com\/","name":"CIO Singapore","description":"Just another WordPress site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/focusnetwork.co\/cio-leaders.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/9e81c3bd560c00a993b286645d0a2d10","name":"Events Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/focusnetwork.co\/cio-leaders.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/40e1719e418efb93a2ffabe69e553c32e23443654a4af8bb41d93890b4eb297a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/40e1719e418efb93a2ffabe69e553c32e23443654a4af8bb41d93890b4eb297a?s=96&d=mm&r=g","caption":"Events Team"},"url":"https:\/\/focusnetwork.co\/cio-leaders.com\/author\/mediac0rp\/"}]}},"_links":{"self":[{"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/posts\/4917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/comments?post=4917"}],"version-history":[{"count":0,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/posts\/4917\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/media\/4920"}],"wp:attachment":[{"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/media?parent=4917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/categories?post=4917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/focusnetwork.co\/cio-leaders.com\/wp-json\/wp\/v2\/tags?post=4917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}