CYBER SECURITY

Cyber security consists of technologies, processes and controls designed to protect systems, networks
and data from cyber attacks. Effective cyber security reduces the risk of cyber attacks and protects
against the unauthorized exploitation of systems, networks and technologies.
In a computing context, security comprises cyber security and physical security -- both are used by
enterprises to protect against unauthorized access to data centers and other computerized systems.
Information security, which is designed to maintain the confidentiality, integrity and availability of data,
is a subset of cyber security.
Robust cyber security involves implementing controls based on three pillars: people, processes and
technology. This three-pronged approach helps organizations defend themselves from both organized
attacks and common internal threats, such as accidental breaches and human error.
A successful cyber security approach has multiple layers of protection spread across the computers,
networks, programs, or data that one intends to keep safe. In an organization, the people, processes,
and technology must all complement one another to create an effective defense from cyber attacks.
People
Every employee needs to be aware of their role in preventing and reducing cyber threats, and
specialized technical cyber security staff needs to stay fully up to date with the latest skills and
qualifications to mitigate and respond to cyber attacks.
Processes
Processes are crucial in defining how the organization’s activities, roles and documentation are used to
mitigate the risks to the organization’s information. Cyber threats change quickly, so processes need to
be continually reviewed to be able to adapt alongside them.
Technology
By identifying the cyber risks that your organization faces, you can then start to look at what controls to
put in place and what technologies you'll need to do this. Technology can be deployed to prevent or
reduce the impact of cyber risks, depending on your risk assessment and what you deem an acceptable
level of risk.
TYPES OF CYBER SECURITY THREATS
Ransomware
Ransomware is a type of malicious software. It is designed to extort money by blocking access to files or
the computer system until the ransom is paid. Paying the ransom does not guarantee that the files will
be recovered or the system restored.
Malware
Malware is a type of software designed to gain unauthorized access or to cause damage to a computer.
Social engineering
Social engineering is a tactic that adversaries use to trick you into revealing sensitive information. They
can solicit a monetary payment or gain access to your confidential data. Social engineering can be
combined with any of the threats listed above to make you more likely to click on links, download
malware, or trust a malicious source.
Phishing
Phishing is the practice of sending fraudulent emails that resemble emails from reputable sources. The
aim is to steal sensitive data like credit card numbers and login information. It’s the most common type
of cyber attack. You can help protect yourself through education or a technology solution that filters
malicious emails.
Outdated software
The use of outdated (unpatched) software (e.g. Microsoft Windows XP) opens up opportunities for criminal
hackers to take advantage of known vulnerabilities that can bring entire systems down.
Vulnerabilities in web applications and networks
Cyber criminals are constantly identifying new vulnerabilities in systems, networks or applications to
exploit. These activities are conducted via automated attacks and can affect anyone, anywhere.

ELEMENTS OF CYBER SECURITY

Ensuring cyber security requires the coordination of efforts throughout an information system, which
includes:
Application security
Web application vulnerabilities are a common point of intrusion for cyber criminals. As applications play
an increasingly critical role in business, organizations urgently need to focus on web application security
to protect their customers, their interests and their assets.
Information security
Information is at the heart of any organization, whether it’s business records, personal data or
intellectual property. ISO/IEC 27001:2013 (ISO 27001) is the international standard that provides the
specification for a best-practice information security management system (ISMS).
Network security
Network security is the process of protecting the usability and integrity of your network and data. This is
usually achieved by conducting a network penetration test, which aims to assess your network for
vulnerabilities and security issues in servers, hosts, devices and network services.
Disaster recovery/business continuity planning
Business continuity planning (BCP) involves being prepared for disruption by identifying potential
threats to your organization early and analyzing how day-to-day operations may be affected.
Operational security
Operations security (OPSEC) protects your organization’s core functions by tracking critical information
and the assets that interact with it to identify vulnerabilities.
End-user education
Human error remains the leading cause of data breaches, and your cyber security strategy is only as
strong as your weakest link. Organizations need to make sure that every employee is aware of the
potential threats they face, whether it’s a phishing email, sharing passwords or using an insecure
network.
Leadership commitment
Leadership commitment is the key to the successful implementation of any cyber security project.
Without it, it is very difficult to establish, implement and maintain effective processes.
Top management must also be prepared to invest in cyber security measures. Cyber security should be
given appropriate priority by the board to support further investment in technology, resources and
skills.
CYBER SECURITY MANAGEMENT FRAMEWORKS
- PCI DSS
- ISO 27001/27002
- CIS Critical Security Controls
- NIST Framework for Improving Critical Infrastructure Security