We spoke with Chip Gibbons, CISO at managed services firm Thrive, to discover mitigation plans post-outage. Here are the highlights:
- Planning is imperative for companies of all sizes – Many businesses can put a comprehensive data backup and recovery plan in place with relative ease. Larger organizations may need to address more detail, specifically how systems, applications and working conditions are to be recovered. However, certain aspects of data recovery always need to be addressed: understanding how the backup system works, who is in charge of it, what the appropriate recovery point objective (RPO) is, and how much data you need to back up. Settling these in advance can dramatically reduce the time it takes to get back in business after a disaster and helps you meet your specified recovery time objective (RTO).
- Routine testing of DR strategies – Testing is a must, but it can interfere with business operations and potentially cut into productivity. Whenever systems are tested, IT teams are bound to find something wrong with the DR strategy and will have to adapt it over time as those issues are addressed. If the issues are properly addressed during testing, organizations stand a far better chance when they need to use the DR strategy for real.
- Remember that IT infrastructure is governed by people – A DR strategy must therefore take human behavior into account. For example, if a company’s location is compromised by a disaster, the organization needs to check whether employees can still access the data they need to do their jobs effectively.
Chip Gibbons, CISO at Thrive, sits down with Dave to talk about how to defend against social engineering attacks in banking. Dave starts us off this week with a story about Amazon opening up its selling market to Pakistani residents, and the consequences that had for the organization’s business. Joe’s story follows a scam targeting soldiers in the Army. The Army warns against unknown individuals purporting to be noncommissioned officers who call soldiers, ask them for money to fix a “pay problem” and, if questioned, threaten them with punishment. Our catch of the day comes from listener Manie, who writes in about a scam she found while trying to download an HDRI (High Dynamic Range Image). The scam involves a fake ad that asks for people’s cell phone numbers as soon as they click a button that reads “download here”. Manie shares how, after she clicked the ad, she realized the mistake and immediately researched further before proceeding.
As zero-trust security gains traction, Thrive CTO Michael Gray underlines the importance of implementing multi-factor authentication (MFA) as one of the key zero-trust principles for CISOs, and recommends starting the journey with asset identification and management.
Another priority should be understanding to whom the CISO reports: the CEO, the CFO, the CTO, or even the legal department. “[This] tells you a little bit about what they expect you to do,” says Chip Gibbons, CISO at Thrive.