Joemar Zayas Duran (UIN 01157876)
CYSE 200T (CRN 16378)
November 8, 2024
Background
Companies do not have unlimited funds for cybersecurity, so assessments are needed to determine which areas deserve funding priority in order to limit damage from cyber threats. A common issue that circumvents even tight security measures is the misuse of information technology, often referred to as "human error", which must be addressed with training and enforcement of policies.
Cybersecurity
To sustain operations as a CISO, I would focus my funds on training employees, assessing the types of cyberattacks the company most commonly experiences, and conducting a risk assessment of systems and current policy. With a risk assessment I can evaluate where resources need to be allocated to get the most out of my funds. Regardless, the main concern is user exploitation of systems through intentional or unintentional means, such as negligence or phishing attacks, which can circumvent even the tightest security policies (George, 2024; Oroszi, 2021). Cybersecurity training can increase awareness of insider threats and common attacks, so annual or semi-annual retraining is critical. Training should also be tailored to the position: for example, training for the IT department may be more in-depth than for a sales department because of the higher likelihood of targeted phishing attacks (elevated account privileges make these accounts more enticing to attack). Similar precautions can be taken for branch chiefs and executives, who are more likely to be spear-phished.
To limit the damage from attacks, routine data backups are needed so that operations can continue even after a total loss of access caused by ransomware or similar attacks. Power backups such as UPS systems are also necessary, especially if the company is located in an area that experiences strong storms and power outages.
Another relatively easy measure to implement is multi-factor authentication, which serves as an additional mitigation against credential theft. It can be supplemented with mandatory password resets every set number of weeks or months to help mitigate unauthorized access. Both of these mitigations are relatively cheap compared to availability measures such as backup networks in case of DDoS attacks. They can also be supported by the relatively easy implementation of forced updates on systems to avoid easy exploitation through zero-day exploits.
Conclusion
When setting new cybersecurity measures, the allotted budget must be assessed along with the current security posture and its effectiveness. After this assessment, funds need to be allocated to training to mitigate cyberattacks caused by improper cybersafety procedures. It is the CISO's responsibility to decide whether information systems need the most funds to stay up to date with current threats, or whether cyberattacks caused by human error are the priority, which calls for cyber training and an evaluation of cybersecurity policies. The priority of funds can also vary between companies depending on each one's priorities; for example, a law firm will not have the same cybersecurity priorities as a cybersecurity advisory business.
References
George, T. (2024, November 7). The biggest inhibitor of cybersecurity: The human element. SecurityWeek. https://www.securityweek.com/the-biggest-inhibitor-of-cybersecurity-the-human-element/
Oroszi, E. D. (2021, August 27). Exploitable traits as vulnerabilities: The human element in security. ISACA. https://www.isaca.org/resources/isaca-journal/issues/2021/volume-5/exploitable-traits-as-vulnerabilities