Enterprise IT Security

The Ultimate Guide

SYNTAX.COM
Part 1

Are You Prepared for the Next Generation of IT Security Threats?

Only three things are certain in life: death, taxes, and data breaches.

Businesses face more security risks and threats than ever before.

As companies expand their IT environments across both clouds and legacy systems, their attack surface has expanded significantly. Meanwhile, the proliferation of mobile and Internet of Things (IoT) devices has provided cyber criminals with new entrance points.

Since everything is interconnected, an attack on one device can quickly impact your entire company.

“The average breach costs $8.2 million and takes 279 days to detect and contain.” (Ponemon Institute1)

It’s no longer a matter of “if” you will experience a breach, but “how often” and “how severe.”

This guide outlines the steps you must take to protect your company from today’s ever-
evolving risks and threats.

In this guide, you’ll learn:


• The top IT security threats you should keep on your radar
• Why protecting your data requires you to get comfortable with being uncomfortable
• How to get buy-in for IT security
• The layers of a comprehensive IT security strategy
• Whether a lack of cybersecurity talent puts you at risk
• Critical questions you should ask before hiring a managed security services provider

With the right IT security strategy and partner, you can protect your company without
investing in data centers, equipment, and additional in-house staff.

Read on for best practices on how to minimize your security risks while freeing your
internal team to focus on innovation—not IT admin and help desk support.

Part 2

Top IT Security Threats You Should Keep on Your Radar

The IT security landscape is evolving rapidly. Here’s what you can expect to see this year and beyond.

Hackers are moving far beyond phishing to stage sophisticated attacks against mission-critical assets. From your mission-critical enterprise resource planning (ERP) applications such as Oracle and SAP to your industrial control systems, nothing is off-limits.

Meanwhile, governments, such as the European Union and the state of California, are implementing strict data privacy regulations. This new legislation puts increased pressure on companies to safeguard their IT systems and ensure the privacy of customer, employee, and vendor data.

51% of organizations do not believe they are ready for or would respond well to a security breach.3

Failure to comply can result in penalties that have a significant impact on your business.
For example, GDPR fines can amount to €20 million or up to 4% of the annual worldwide
turnover of your preceding financial year, whichever is greater.2

Most enterprises feel unprepared to deal with these changes.

What is the difference between a risk and a threat? A threat is an actor or event that can do harm to your systems or data. A vulnerability is the gap that lets it in, often a control you are not applying. The risk is the resulting exposure: how likely the threat is to exploit that gap, and how much damage it would do if it did.

As you plan your cybersecurity initiatives for the coming year, here are things to consider:

1. Threats against operational technology systems

Attacks on operational technology (OT)—the equipment that powers industrial control systems—are on the rise. The State of Operational Technology and Cybersecurity Report4 revealed that 74% of OT organizations experienced a malware intrusion within the past 12 months.

Respondents to the survey cited many impacts from these breaches, including “a reduction in safety, productivity, and revenue, the compromise of business-critical data, and damaged brand reputation.” A major contributing factor is a lack of visibility, as 78% of respondents only have partial insight into the cybersecurity of their OT environments.

It is challenging for IT teams to gain a complete picture, as OT equipment—such as valves, engines, and production systems—can fall outside of their traditional realm. These attacks are becoming such a concern that a new organization, the Operational Technology Cyber Security Alliance5, formed with a mission to “provide OT operators and suppliers with resources and guidance to mitigate their cyber risk in a fast-evolving world.”

2. IoT vulnerabilities


Enterprise and automotive IoT devices range from robots on manufacturing floors to
connected microwaves in office kitchens. They also include personal devices such as fitness
trackers and smartwatches.

In fact, 30% of enterprises even reported that gaming consoles, such as Xbox or PlayStation,
connect to their networks.6 As IoT devices expand throughout organizations, IT teams are often
unaware of how many are accessing their networks and who is using them to do what.

All respondents found rogue IoT devices, and 90% saw previously undetected IoT wireless
networks that were separate from their enterprise infrastructure.7 Third-party IoT also poses a
risk, as IT teams often have little control over these devices.

A Ponemon Institute study found most organizations aren’t aware of every unsecured, third-
party IoT device or application on their network. The study revealed that 49% of enterprises
do not regularly scan for IoT devices in their workplace, while just 8% say that they scan in
real-time.8

With shadow IoT and limited visibility, it’s not surprising that 67% of enterprises have
experienced a security incident with managed IoT devices. In fact, 84% of IT leaders say that
their IoT devices are more vulnerable than their corporate-managed computers.

An attack against IoT devices can be far more hazardous than other types of data breaches.
Hackers target IoT devices at electricity generation stations, water processing plants, refineries,
and railroads. For this reason, IT World cites one of the biggest consequences of an IoT attack
as, “the financial costs to restore normal operations after a fire, explosion, or manufacturing
facility outage.”

3. Sophisticated ransomware

Ransomware attacks have increased sharply, according to a Malwarebytes Labs report.10 The rate of detection in businesses rose more than 500% between 2018 and 2019. In 2020, more threat actors will launch two-stage ransomware campaigns against corporate networks to exfiltrate sensitive data.11

If your company is hit with a ransomware attack, you can face a number of consequences. Your risks include:

• Lost productivity and revenue if critical systems go down during an attack.
• Brand and reputational damage after you tell customers that their data was compromised.
• High costs. The average ransomware payment costs $84,116—up from $41,198 just one quarter ago.12

“IoT devices can be particularly risky because they typically sit where the digital world meets the physical world. As a result, hacking into IoT devices can have dangerous real-world consequences.” (IT World)

Many companies don’t have the right tools and resources to block threats.

Experts believe that traditional anti-virus solutions are no longer enough to protect you from attacks. These old-school tools can’t keep pace, especially as ransomware becomes harder to detect and the number of users in your company increases dramatically.

A report from the SANS Institute13 stated that anti-virus solutions only catch 47% of compromised endpoints. To protect your data, look for an endpoint protection solution that covers all areas of your network and identifies threats in real-time.

4. ERP security threats

Did you know that 64% of SAP and Oracle E-Business Suite (EBS) deployments experienced breaches14 in the past 24 months?

The information compromised during these breaches includes sales data, human resources data, customer personally identifiable information, intellectual property, and financial data. The theft of your company’s most sensitive data can lead to dire consequences—from compliance violations to financial loss to bankruptcy.

However, many companies are not prepared for an ERP breach. For example, they may run their ERP systems on dated legacy technologies that aren’t secure. In fact, 82% of executives said that legacy technology supports critical parts of their business and integrates with their core systems, according to a recent survey.16

“93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.” (National Archives and Records Administration15)

Unlike a good whiskey or wine, technology doesn’t improve with age.

The longer you rely on legacy systems, the more risks you face. Most legacy technologies are so old that the manufacturer no longer supports them. They also aren’t updated or patched regularly. This neglect creates security gaps that can expose your sensitive ERP data to cybercriminals.

5. Cloud insecurity
Every year, more companies move their mission-critical workloads to the cloud and grapple
with the new security challenges that come with it.

19% of enterprises have experienced a cloud breach in the previous year—an increase of
7% since 2017, according to the SANS Institute.17

A Cloud Security Report18 found that enterprises’ top five cloud security threats include:

• Unauthorized access
• Insecure interfaces and application programming interfaces (APIs)
• Misconfiguration of the cloud platform
• The hijacking of accounts or servers
• External sharing of data

The consequences of a cloud data breach vary, depending on the type and amount of data
that hackers steal. However, it can include the publication of employee, customer, and
proprietary data on the dark web. Once your data escapes your control, you must react
quickly to limit your brand and financial damage.

Cloud services are often safer than legacy systems. However, you can’t rely on your provider
to handle every aspect of your security out-of-the-box. You also can’t trust your legacy
security tools to work in the cloud.

The Cloud Security Report states:

“Many legacy security tools are not designed for the dynamic,
distributed, virtual environments of the cloud.”

Two-thirds of respondents said that their traditional security solutions either don’t work at
all in cloud environments or have limited functionality.

6. Understand the cloud security shared responsibility model
Many organizations that migrate their onsite data storage facilities to the cloud quickly fall
prey to the age-old adage “out of sight, out of mind.”

While cloud providers certainly bear the brunt of infrastructure security responsibility,
they’re not responsible for protecting data within the cloud. This may sound illogical to
the companies using cloud providers, but the cloud shared responsibility model clearly
delineates security obligations between both parties.

When maintained correctly, this model should keep companies more secure than ever.

Why does it seem like a new data breach captures headlines every other day?

A fundamental misunderstanding of security responsibilities — and how to manage them — leaves companies vulnerable to cyber threats.

In this model, cloud providers are responsible for securing cloud infrastructure, including hardware, software, networking and facilities. Cloud customers, on the other hand, are responsible for securing the data they put in the cloud, which includes endpoints, accounts and access management. Exactly where the line falls depends on the service model: with infrastructure as a service the customer also patches the guest operating system, configures the network controls and hardens the workload; with software as a service the provider covers most of the stack, but the identities, the access policies, the sharing settings and the data itself are still the customer’s. Read your provider’s own responsibility matrix rather than assuming.

Think of the cloud shared responsibility model like sending your kid to school. The school system, representing the cloud provider, is responsible for securing and maintaining the building your child attends. But as the parent (the cloud customer), you’re still ultimately responsible for caring for your child. If your kid (the data) misbehaves or contracts a virus, it’s your duty to tend to them. When we all do our part, the system works smoothly and all sides benefit.

How will you address these threats?

Most organizations are drastically unprepared for cyberattacks, which are only increasing in scale and sophistication. As you move forward with your IT security strategy, consider whether it will protect you from the threats mentioned above. If not, you may need to put additional resources in place to safeguard your company.

7. Shirking data responsibilities

Organizations think cloud service providers are the ones responsible for securing their data in the cloud. This misunderstanding has critical repercussions.

The Equifax data breach19 exposed the personal information of around 150 million Americans, or nearly half the nation’s population. In this case, Equifax did not act on a warning from the Department of Homeland Security’s US-CERT about a critical vulnerability in the Apache Struts web framework, which one of its consumer-facing web applications used. Poor data governance practices, including an expired certificate on its traffic-inspection device (which left the intrusion unobserved for months), credentials stored in plain text, and the failure to patch that known vulnerability, all contributed to the breach.

Take ownership of your data
Once you understand the cloud shared responsibility model — and your role in it — you can
take the necessary steps to better protect your company’s data.

• Establish strong vendor relationships: Even though your data is ultimately your
responsibility, you don’t have to navigate the complexities of cybersecurity alone. Poor
communication is likely a major contributor to the misunderstandings surrounding the
cloud shared responsibility model. A good cloud partner should be open, communicative
and responsive. If you weren’t already aware of your data responsibilities, you likely don’t
have a strong relationship with your cloud provider.

• Prioritize compliance: Likewise, look for a trusted, industry-vetted cloud provider. Only 16% of cloud services have one or more third-party certifications or attestations20, such as SOC 2, SOC 3, PCI DSS, an SSAE 16 audit report, or a HIPAA compliance assessment. These indicate how seriously cloud providers take security and compliance on behalf of their customers. Ask for the actual report, not just the logo: a SOC 2 report lists the controls that were tested and any exceptions the auditor found.

• Staff up: Even though many C-suite information security leaders know data protection
is their responsibility, 30% of companies lack the staff21 needed to secure their SaaS
applications. Other organizations are entirely unaware of their security duties — and
the required staff and resources to manage them. Round out your IT department with
network and security managers to ensure your data is protected.

• Educate employees: One in five network security managers22 think cloud providers are
responsible for securing their organization’s data. And those are the employees whose
job description involves information management. Employees in other departments
frequently open up back doors for hackers by engaging in shadow IT practices, a massive
security risk for companies. Instead of banning the applications employees commonly use
to collaborate better and work more efficiently, work with IT staff to safely integrate them
into official processes.

• Offload more of the burden: In addition to taking on cloud infrastructure security, many
cloud providers offer other security services for greater protection. Look for partners with
data monitoring, management and recovery services to reallocate some of your enterprise
security responsibilities.

Part 3

Why Protecting Your Data Requires You to Get Comfortable with Being Uncomfortable

The best IT security teams don’t operate quietly in the background: They cause conflict.

If you don’t hear about any problems from your security team, it’s not because you don’t face threats. It’s likely because they haven’t identified your vulnerabilities.

When it comes to security, no news is not good news.

Your security group can’t just maintain the status quo or “check the boxes” to ensure you pass audits.

Compliance doesn’t equal security.

The drive to match up cyber plans with common security control catalogues is more often driven by a desire to obtain and maintain compliance with industry-specific certifications. Certifications have become the key for businesses to trust businesses that have obtained a desired certification, thereby indicating that the company’s information security/cyber plans are established, tested, and effective.

Third-party audit organizations such as PricewaterhouseCoopers, Ernst & Young, and Deloitte can be an expensive engagement that demonstrates a company’s commitment to achieving compliance certification. Their audits are performed to provide detailed reviews of a company’s cybersecurity programs in hopes of obtaining various certification signoffs.

“It’s critical to remember that many—if not most—breaches disclosed in recent years occurred at compliant businesses. This means that PCI compliance, for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached.” (Security Week23)

Do these third-party audits truly provide insight into a company’s ability to implement their cyber plan and perform incident response when needed?

Unlike government-run assessment processes, the methods these third-party organizations use to perform their audits vary widely, and so do the results. When auditors rely on partial sampling of auditable materials from each of the control families, gaps in security controls can go undetected, masked by large volumes of verbose policies and procedures.

The risk is that they merely validate that what is prescribed as a standard exists in the company’s policies and procedures.

It is certainly not a real test of a company’s effectiveness at protecting itself.

Checking all the required boxes on an auditor’s compliance matrix doesn’t ensure a company is secure.

Compliance has become an exercise to help company executives sleep better at night.

There must be a balance between compliance and security.

The pursuit of compliance is a noble cause. However, if your security team only focuses on compliance, your organization will face increased risks. Compliance requirements are static, while a security model today is usually dynamic. The speed at which technology and cybercrime change makes it very difficult for current regulations to drive best practices in security.

Companies must abandon the least-effort, box-ticking approach to compliance in favor of a goal-driven mindset that focuses on protecting customer data rather than filling out compliance forms. A company must therefore take a comprehensive approach to IT security that protects all of its information and assets, including mobile devices and users.

One key area to address is your risk tolerance for each system or device, as they require different levels of protection. For example, a delay in patching the receptionist’s laptop matters less than a delay in patching your ERP. That is a question of priority, not exemption: a low-value endpoint is still a common first foothold, so it still gets patched, just later in the cycle and with compensating controls such as network segmentation in the meantime. Your team should review the criticality of each system and decide which security measures to put into place.

Your team also must suggest aggressive measures to protect your data—even if their recommendations provoke disagreements. The most successful IT security groups start challenging conversations that cause conflicts amongst stakeholders.

To gain an accurate understanding of your security risks, you must get comfortable with these uncomfortable conversations.

For example, many managers view patching as disruptive and don’t want to take the time to do it. Your security team must show them why patching is important and the risks of not keeping your company’s devices up to date.

• What would happen if a hacker broke into your smartphones or tablets?
• What information could they steal and make public?
• How would this put your company’s finances or reputation at risk?

Your security team should make leaders at your company uncomfortable for a short time while patches are applied, as the business benefits outweigh any immediate, short-term hassles.

Your security team must manage any conflicts that arise when they identify threats and suggest measures to keep your data safe. These discussions won’t always be easy, but they are critical to a successful security strategy.

Part 4

How to Get Buy-In for IT Security

Many business leaders aren’t fully aware of how IT security can impact their operations and bottom line. To get buy-in for your security initiatives, you must show the financial impact.

Leadership teams often have a false sense of security. They think: “it won’t happen to us” or “only the most sophisticated hackers can breach our defenses.”

However, almost 80% of IT decision-makers said that they had experienced at least one incident over the past 12 months that was so severe it required a corporate-level or board of directors meeting afterward.24

Many of these attacks occurred as a result of basic security vulnerabilities that made it easy for cybercriminals to stage an attack. For example, hackers who lack technical know-how can find someone’s login information or purchase stolen credentials. Once they have this information, they can extract data from your network.

Just because you have a security product that is in the top right of a Gartner quadrant doesn’t mean you are safe. That is a false sense of security.

Make sure you keep your tools tuned and you stay up to date with the latest best practices. You don’t want to say: “I didn’t know this security tool was running in the background.”

Don’t set it and forget it. That will result in big consequences.

Since every organization is at risk, it’s vital to have IT security conversations in the boardroom before an attack instead of waiting until after one occurs. The board must fully understand your risks and the steps you can take to avoid a breach.

How to Develop a Culture of IT Security

Here are three ways you can create a culture of IT security, starting in your boardroom:

1. Show the consequences in hard numbers

Many leadership teams think cybersecurity is something the chief information officer (CIO) or chief information security officer (CISO) should handle.

Only 36% of IT leaders said that other executives see cybersecurity as a strategic priority, which impacts their investment in technology and personnel.26

However, the entire company owns the risk and will face the consequences in the event of a data breach. For example, losing customers’ trust after their data is compromised impacts the entire business—not just IT.

This makes cybersecurity a business issue—not just a technical problem.

If you want to get buy-in for your security initiatives, you must explain its business impacts. Show the board how ignoring security will impact your bottom line. If you’ve tracked any previous attacks, discuss how they originated, which areas of the business they affected, and what they cost you.

In addition to outlining the hard expenses, such as legal fees and technical mitigation, be sure to discuss the costs of brand damage and other intangibles.

Your board may not be aware of the frequency, scope, and financial impact of a data breach. Showing them real numbers can motivate them to invest more in your security initiatives.

68% of IT leaders said their boards of directors are not briefed on what their organizations are doing to prevent or mitigate the consequences of a cyberattack. (Ponemon Institute25)

2. Build a risk profile

In the past, corporate boards would rely on management to mitigate risks. After the 2008 financial crisis, boards became more accountable for preserving a company’s bottom line.

An IT security risk profile can help your leadership team stay informed and accountable. When you create a risk profile, be sure to address the following areas:

• IT infrastructure, including hardware, software, mobile devices, and IoT devices
• ERP system risks, such as unplanned downtime that leads to productivity and financial damage
• Connections to your partners, vendors, and customers that may expose sensitive data
• Privacy risks and potential regulatory violations that may lead to hefty fines
• People’s actions and awareness when interacting with systems
• Inconsistent definitions of what risk means across the organization

When you look at each item, give it a security score based on industry best practices and data.

Then, rank the items in order of priority so that you know which to address first.

Present this information to your board in a visual manner, such as with dashboards. This will help others see your risks and quickly assess your most vulnerable areas.

Then, as you take steps to improve your security posture, you can show the board how your dashboards change from one period to the next. Review them with the board face to face at least quarterly, and monthly while you are initially rolling out your security program.

3. Speak their language

Most business leaders don’t get excited about the latest security technology and best practices. If you focus your presentation on the technical aspects of IT security, leadership may tune out.

Instead, they want to know:

• What the security problems are
• How those problems will impact the company in financial terms
• What types of actions are needed to minimize risks from these problems
• The costs associated with fixing the problems

Addressing these topics will give your leadership team the information they need to make informed decisions. After you share this information, the board can decide if they want to accept your current security risks or take steps to mitigate them.

“There’s not a ‘one and done’ solution for cybersecurity, no silver bullet as we like to call it. With cyber, there needs to be continuous caring and feeding of the program. It’s a program that requires ongoing improvement. And that’s something very important to explain to the board.” (Zaki Abbas, VP and CISO at Brookfield Asset Management27)

Keep the Security Conversation Going

The IT security conversation isn’t over once you get buy-in. Leadership will need regular updates on new risks, concerns, and regulations. Keep the board of directors informed on how your efforts are impacting the business and your bottom line.

Just saying it is the right thing to do is never enough.

Business leaders are always looking for return on investment, not just in tools but also in best practices.

Part 5

The Key Layers of a Comprehensive IT Security Strategy

A comprehensive security strategy requires multiple layers—each one removing risk and slowing the flow of a potential attack.

Think of your security strategy like a colander. When you pour water into a colander, it rushes through it.

However, if you stack several on top of each other, you will block the holes. Eventually, just a few drops of water will escape through the bottom. While you will never be 100% secure, you can fill most of your security gaps and be more protected.

Think like a hacker – from outside in.

Once you get past the user endpoint, you go inside to the network. Then, you go to the server (the box) and, ultimately, the application. The layers of a comprehensive security strategy include the following:

4 Pillars for a Minimum Security Posture

• Endpoint Protection
• Perimeter Security: Firewall & IDS/IPS
• Vulnerability Assessment & Management
• Security Information & Event Management (SIEM)

Underpinning all four: Business Continuity & Disaster Recovery

Endpoint protection

The average company experiences a malware infection rate of 1 to 3% per month. However, 26% of respondents to an IDG survey reported an infection rate higher than 3%.28

Enterprises often invest in rigid technology that fails to protect them from the latest threats. For example, many enterprises think an intrusion detection and prevention system (IDPS) will block malicious content. But firewalls and network IDPS only see traffic that crosses the perimeter: they cannot inspect what happens inside an encrypted session, on a laptop that is off the corporate network, or in a process that is already running on a host.

To stop threats, you must cut them off at your endpoints. Look for an endpoint protection solution that blocks threats in real-time across all areas of your network – including your ERP infrastructure, the domain name system (DNS) level, and your mobile devices.

Here are five more ways to protect your endpoints from attacks:

1. Invest in behavior-based analysis

Legacy antivirus solutions are signature-based and only protect against known threats. As a result, they only detect a fraction of your cybersecurity risks.

Security solutions with intelligent sandboxing provide higher levels of protection. They do this by carrying out static and dynamic analyses of files based on behavioral indicators.

They ask, “What type of behavior is typical for users, devices, and systems? And what constitutes a deviation?” Using these solutions, companies have reported cutting roughly 500 raw alerts, most of them false positives, down to just 2 or 3 actual threat indications.

2. Block threats in real-time

A security solution that includes big data analyses and machine learning can help you detect harmful software before it infects your systems. These technologies determine whether abnormal behavior represents a threat based on previous analysis, without the need for security experts to define elaborate rules beforehand. Such models still need tuning to your environment and their verdicts still need review: a model trained on last year’s traffic will flag legitimate new behavior and can miss an attacker who moves slowly enough to look normal.

3. Train employees on how to spot threats (and validate their vigilance)

77% of breaches start with a malicious email, according to Cisco.29 To prevent employees from opening these emails and downloading viruses, you must heighten their awareness of current threats. Trained employees will also immediately alert you if they sense a dangerous situation so that you can quickly respond and contain the risk. In addition to training, test them, for example with simulated phishing campaigns, to confirm that the training carries over into their daily behavior.

4. Patch your mobile devices

Many devices, especially Android phones, are released with operating systems that are already a year old. Meanwhile, these devices are rarely patched, making them an easy target for hackers.

71% of all Android users on the five major U.S. carriers run security patches that are at least two months old, according to a Symantec study.30

Meanwhile, Google revealed that half of the Android devices in use had not received a platform security update in the previous year.31 With so little protection out-of-the-box, you must find other ways to protect your enterprise’s mobile devices.

Here are five steps you can take to keep your mobile devices secure:

• Ban the use of mobile devices that you can’t patch. You may face pushback, as employees often have strong feelings about mobile device brands. But you can’t allow unpatched and uncontrolled equipment on your network. Create a company policy that requires employees to use secure devices for work.

• Mandate patching. Your mobile device management (MDM) platform should allow you to create consequences for employees who don’t patch their phones. For example, if employees fail to install the latest patches, you can lock them out of their email accounts on their insecure devices.

• Use an intrusion detection system to identify compromised devices and get alerts about potential threats. Run a daily scan of your network to locate vulnerable devices.

• Check your inventory regularly to see if employees are using rogue devices. That way, you can proactively address problems before hackers break into your network via an employee’s insecure mobile device. You can also monitor dangerous behavior, such as when employees try to install unauthorized apps on their phones.

• Enforce the mandate. Verify that patching is actually being performed. For example, put the VPN (or another access gateway) in the path and have it check a minimum security profile before the device is allowed on: the host firewall (such as Windows Firewall) is enabled, the latest approved operating system security patches are installed, and the required endpoint security agent is installed and running. A device that fails the check lands on a restricted network where it can do nothing but update.
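The daily scan, the inventory check and the patch-age enforcement above, together with the shadow-IoT problem described in the IoT section (most organizations do not know which unmanaged devices are on their network), come down to one reconciliation: compare what is actually on the wire with what the inventory says should be there, and age each managed device’s patch level against a threshold. The Python below is an added example of that reconciliation, not code from this guide or from Syntax. The inventory, the scan results and the vendor-prefix table are constructed sample data, the 60-day threshold is an assumption taken from the “at least two months old” figure above, and access_decision is an illustrative mapping to the kind of enforcement an MDM or network access control system would apply.

```python
"""Reconcile a network scan against the device inventory, flag unknown (rogue)
devices and managed devices whose security patch level is too old, and map each
result to an access decision. Added example; all data below is constructed."""
from datetime import date

# Assumption: the guide's "at least two months old" threshold, in days.
MAX_PATCH_AGE_DAYS = 60

# Constructed inventory keyed by MAC address. patch_level is the ISO date of the
# last applied OS security update (Android reports this as its security patch
# level); None means we cannot patch the device ourselves (e.g. OT equipment).
INVENTORY = {
    "3c:5a:b4:11:22:33": {"owner": "reception", "platform": "windows", "patch_level": "2020-02-11"},
    "f0:27:65:44:55:66": {"owner": "j.doe", "platform": "android", "patch_level": "2019-11-05"},
    "a4:5e:60:77:88:99": {"owner": "sales", "platform": "ios", "patch_level": "2020-01-28"},
    "00:1e:c0:aa:bb:cc": {"owner": "plant-floor", "platform": "plc", "patch_level": None},
}

# Constructed vendor prefixes (first three octets). A real deployment would use
# the IEEE OUI registry; these labels are illustrative, not real assignments.
OUI = {
    "3c:5a:b4": "laptop vendor",
    "f0:27:65": "phone vendor",
    "a4:5e:60": "phone vendor",
    "00:1e:c0": "industrial controller vendor",
    "7c:ed:8d": "game console vendor",
}

# Constructed scan output, as parsed from an ARP table or DHCP leases:
# (mac, ip, hostname). The console is on the network but not in the inventory.
SCAN = [
    ("3C:5A:B4:11:22:33", "10.0.1.20", "RECEPTION-PC"),
    ("f0:27:65:44:55:66", "10.0.1.57", "android-7f3a"),
    ("7c:ed:8d:12:34:56", "10.0.1.88", "XBOX-ONE"),
    ("00:1e:c0:aa:bb:cc", "10.0.9.4", ""),
]


def patch_age_days(patch_level, today):
    """Days since the recorded patch level, or None if the device has none."""
    if not patch_level:
        return None
    return (today - date.fromisoformat(patch_level)).days


def reconcile(inventory, scan, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Classify every scanned device; also list inventoried devices not seen."""
    report = {"rogue": [], "stale": [], "unpatchable": [], "compliant": [], "absent": []}
    seen = set()
    for mac, ip, hostname in scan:
        mac = mac.lower()            # scanners differ in case; inventory is lower-case
        seen.add(mac)
        record = inventory.get(mac)
        if record is None:           # on the wire but not in the inventory
            report["rogue"].append({"mac": mac, "ip": ip, "hostname": hostname,
                                    "vendor": OUI.get(mac[:8], "unknown vendor")})
            continue
        age = patch_age_days(record["patch_level"], today)
        entry = {"mac": mac, "ip": ip, "owner": record["owner"],
                 "platform": record["platform"], "age_days": age}
        if age is None:
            report["unpatchable"].append(entry)
        elif age > max_age_days:
            report["stale"].append(entry)
        else:
            report["compliant"].append(entry)
    # Inventoried but not on the network today: lost, stolen, or just powered off?
    report["absent"] = sorted(inventory.keys() - seen)
    return report


def access_decision(report):
    """Illustrative enforcement policy keyed by MAC (assumption: what an MDM or
    NAC system would apply). Unpatchable OT equipment is isolated rather than
    blocked: it still has to run, it just must not reach the corporate LAN."""
    decisions = {}
    for d in report["rogue"]:
        decisions[d["mac"]] = "block"
    for d in report["stale"]:
        decisions[d["mac"]] = "quarantine"   # update-only network until patched
    for d in report["unpatchable"]:
        decisions[d["mac"]] = "isolate"      # segmented OT VLAN, no corporate access
    for d in report["compliant"]:
        decisions[d["mac"]] = "allow"
    return decisions


def example_report(today=date(2020, 3, 1)):
    """Run the reconciliation on the constructed data with a fixed 'today'."""
    return reconcile(INVENTORY, SCAN, today)


if __name__ == "__main__":
    report = example_report()
    for item in report["rogue"]:
        print(f"ROGUE       {item['mac']} {item['ip']} {item['hostname'] or '-'} ({item['vendor']})")
    for item in report["stale"]:
        print(f"STALE       {item['mac']} {item['owner']} patch level {item['age_days']} days old")
    for item in report["unpatchable"]:
        print(f"UNPATCHABLE {item['mac']} {item['owner']} ({item['platform']})")
    for mac in report["absent"]:
        print(f"ABSENT      {mac} ({INVENTORY[mac]['owner']})")
    print(access_decision(report))
```

On the constructed data the console shows up as rogue, the Android phone’s patch level is 117 days old and is quarantined, the PLC is isolated, and the iPhone is reported absent because it was not seen. In practice the scan input would come from ARP, DHCP and switch tables merged together, since any single source misses devices, and the result would feed the access gateway described under “Enforce the mandate” rather than a printout.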

5. Partner with a managed security services provider (MSSP).
Companies that outsource their anti-malware and endpoint protection have lower malware
infection rates, according to a study by IDG.32 Among companies using MSSPs, 81% reported
infection rates of 3% or less, compared to 69% of companies using a coordinating response
team, 65% of companies using distributed incident response teams, and 63% using a Cyber
Incident Response Team (CIRT).

Moreover, only 19% of companies using MSSPs experienced an infection rate over 3%,
compared to 32% of companies with a coordinating response team, 35% of those with
distributed incident response teams, and 30% of those with a CIRT.

Working with an MSSP also allows you to implement endpoint protection faster, while
minimizing your need to recruit, hire, and train qualified security staff.

Protection from phishing

The starting point for many attacks is phishing or social engineering. More than 80
percent of reported security incidents are phishing, according to CSO Magazine.33 For
example, an employee will click a phishing link in an email or open a malicious attachment.

You can prevent many attacks by educating staff on how to spot and avoid traps.

At Syntax, we send employees our own phishing emails to see who falls prey to them. If
someone clicks a link in one of these emails, they receive an automatic notification that
tells them to take a data security class. We also require employees to take an annual
refresher course to keep IT security top-of-mind.

"More than 80 percent of reported security incidents are phishing."
CSO Magazine33
How Hackers Access Your Network
Cybercriminals have moved beyond stealing credentials by email. They now target
data across numerous fronts, including via insecure applications. Here are just a few
of the techniques that hackers can use to gain access to your network:

• Spear phishing
  This is the most common type of phishing, accounting for 95% of all attacks on
  enterprise networks.34 In a spear phishing attack, hackers collect personal information
  about their targets to boost their odds of success. For example, they might send you an
  email that looks like it comes from a business partner.

• Whaling
  Cybercriminals use this technique to go after executives (the big whales). Whaling
  emails often look like they come from a trusted source and contain personalized
  information that motivates executives to click malicious links.

• Clone phishing
  In this type of attack, a cybercriminal clones a legitimate email the victim has already
  received and replaces the link or attachment with a malicious version. Cloned emails are
  difficult to detect and can quickly spread, giving hackers access to multiple people in
  your company.

• Business email compromise (BEC)
  Cybercriminals begin a BEC attack by breaking into the email account of a CEO or other
  executive, or by convincingly spoofing it. Then, they send fraudulent emails from that
  person's account. The emails may ask finance employees to make urgent payments. Since
  these messages appear to come from senior leadership, employees are more likely to
  comply. The FBI reported that BEC scams have caused U.S. organizations to lose almost
  $1.6 billion in the past three years.35

• Vishing (voice phishing)
  Cybercriminals phone victims, or prompt them to call a number that appears to belong to
  their bank. Once they have a victim on the phone, they attempt to extract account
  information.

• Smishing (SMS phishing)
  Hackers attempt to extract corporate information via links in a text message.
Many enterprises still rely on anti-virus software to protect themselves from phishing
attempts. However, these tools only address known attacks. With almost 1.5 million phishing
sites created each month, your anti-virus software may not spot new, unknown attacks. In
addition to anti-virus protection, be sure to employ next-generation phishing defense. These
tools can include:

• Reputation-based filtering to block suspicious uniform resource locators (URLs)
• Endpoint detection and response (EDR) software to validate all files and emails that
  reach your machines
• An intrusion detection system to monitor your network for threats
• Intrusion prevention to stop your endpoints from reaching out to phishing sites
• Domain name system (DNS) protection that refuses to resolve known-malicious domains,
  cutting off attacks before they blossom: the phishing page never loads, and a dropper
  cannot fetch its payload from its server
• Sender Policy Framework (SPF), which lets your mail server verify that an incoming
  message's envelope sender came from a host the sending domain's owner has authorized.
  SPF says nothing about the visible From: header, so pair it with DKIM and DMARC.
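
To make the SPF check concrete, here is an added example (not from the guide or any vendor's product) of how a receiving mail server evaluates an SPF record against the connecting IP. The DNS records are served from a constructed in-memory table so the check runs offline; a real implementation resolves them live and also supports the a, mx, exists, ptr and redirect mechanisms, which this one rejects as a permanent error.

```python
"""Offline SPF evaluation: is this sending IP authorized for this domain?

Added example, not code from the guide or any product. Real SPF (RFC 7208)
resolves TXT records live; here a constructed in-memory table stands in for DNS
so the check runs offline. Only the ip4, ip6, include and all mechanisms are
implemented; a, mx, exists, ptr and redirect= are reported as permerror.
"""
import ipaddress

# Constructed DNS table (assumed values): domain -> SPF TXT record
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 limit on DNS-querying mechanisms per check


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, dns=FAKE_DNS, _lookups=0):
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        matched = False

        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # ip_network.__contains__ is False across address families
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed CIDR in the published record
        elif mechanism == "include":
            _lookups += 1
            if _lookups > MAX_DNS_MECHANISMS:
                return "permerror"
            # include: matches only when the referenced record evaluates to pass
            matched = check_spf(sender_ip, argument, dns, _lookups) == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr, redirect= need live DNS

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"
```

Two details matter operationally: a domain ending its record with "~all" (softfail) rather than "-all" asks receivers to accept but flag unauthorized mail, which is why many phishing messages still land in inboxes, and a sender's record that fails to parse or exceeds the lookup limit yields permerror, which most receivers treat no more harshly than "none".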

Intrusion detection and prevention systems (IDPS)
Intrusion detection and prevention systems (IDPS) combine hardware appliances and software
that you install on a server or firewall. They monitor your network and look for anomalous
activity patterns or known attack signatures that may indicate an attack.

Prevention systems go a step further and automatically block potential threats. An IDPS can
block traffic from a known-malicious internet protocol (IP) address or based on the content
of a request, and alert you to the activity. For example, HTTPS traffic is allowed through,
but the IDPS (given visibility into the decrypted request) checks whether a SQL injection
payload is embedded in it. Not only will an IDPS minimize your risk of a data breach, it
also gives you greater visibility into your systems.

But installing IDPS technology doesn't mean you are protected. Companies often invest
millions in an IDPS only to find out, months or even years later, that it's not working.

Here are 10 questions that will help you determine if your IDPS is functioning:

1. How often do you check your IDPS?
An IDPS isn't set-it-and-forget-it. You must check it daily and continually fine-tune it to
ensure that it monitors your systems. If you fail to perform these labor-intensive activities,
you may waste money on a system that is doing nothing to protect your business.

When was the last time you looked at your IDPS? How often do you test it to verify that it is
protecting your business?

2. How many intrusion events have you had in the past quarter?
Check your IDPS to see how many events it has driven off your network in the past quarter. If
you have more than 300 employees, you should find at least one event per quarter.

If you don't see anything, you likely have a misconfiguration.

3. How often is your IDPS updated, and how do you pull your definitions?
Your IDPS may show that it is "up-to-date within 24 hours." But this doesn't mean anything if
it re-applies definitions that are years old.

Check your IDPS to confirm that it is pulling the latest definitions from the vendor feed and
that the release date of the installed signature set actually advances.
4. Do you decrypt traffic for inspection?
An IDPS can only inspect what it can read. For inbound traffic to your own servers, the
firewall or IDPS holds the server's TLS (still commonly called SSL) private key, or sits behind
a device that terminates TLS, and decrypts the session to look at the content. For outbound
traffic it acts as a trusted proxy that re-encrypts to the destination. If the content is
allowed, it opens the gate and passes the traffic on. Without decryption, the IDPS sees only
an opaque encrypted stream, and content signatures such as the SQL injection check
described above never fire.

5. Do you have the proper licenses?
IDPS licenses are complicated and can mislead you into thinking that you are covered when
you're not. When you purchase an IDPS, you need to license specific functionality such as
URL filtering, IDPS signatures, and DNS signatures.

Check your IDPS to ensure you have the proper licenses and that your system is performing
inspections.

6. What is the current throughput of your IDPS?
Monitoring your IDPS throughput keeps you informed about the health of your systems and
network. When you track this number, you will see if you've had a recent uptick in threats.

Your security team should have a general idea of your throughput and how it has trended
over the past quarter.

If your number is zero, your IDPS isn't working.

7. Are your IDPS policies canceling each other out?
If the policies that you apply to your IDPS devices overlap, they may cancel each other out.

For example, if you re-define a pre-filter object, it may bypass all of your existing policies.
Then, your rules won't run.

Test every policy to make sure that they don't overlap and block each other from functioning.

8. Is your IDPS solution at the top of the Gartner Magic Quadrant or verified by analysts?
Choose a top-tier IDPS that has been verified by analysts. If you need to defend your
intrusion detection strategy in court, you must prove that you use one of the leading IDPS
solutions and are making the best efforts to protect your customers' data.

It's hard to defend yourself if you've bought unproven or discount technology.
9. Who is accountable for your IDPS?
Many CIOs don't have a dedicated security team, so they ask a network administrator or
junior engineer to set up their IDPS and then look after it.

However, if the person who configures your IDPS is the same person who monitors it,
you won't have the checks and balances that are important for your ongoing security and
compliance. Companies have to show segregation of duties between network and security
as part of a Sarbanes-Oxley (SOX) audit.

Meanwhile, your network administrator may not receive alerts from the IDPS. Since
everything is quiet, they may assume that your IDPS is running smoothly.

No news is not good news. If no one is receiving alerts, your IDPS isn't working.

10. Do you have a dedicated team assigned to your IDPS?
Sophisticated security technology such as an IDPS requires an experienced and devoted
team. If your in-house staff lacks IDPS experience, it can take months to set up your
configurations and test your policies.

When you partner with an IDPS expert, they can configure your system in about 10 hours
and complete your testing in weeks, not months. Your IDPS partner will also ensure that
your critical system is monitored 24/7, continuously updated, and always functional.
Security information and event management (SIEM)
Not all threats should be treated equally.

Most cyberattacks take the form of malware deployment, such as ransomware, or unauthorized
access to (hacking of) a digital system or network.

The intent behind an attack is not always the same. The threat vectors, however, are.
Threat vectors are the pathways or methods used to carry out an attack.

There are two common types of threat vectors:

Type A Threat Vectors
• Social Engineering Attacks
• Vulnerability Exploitation
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)

Type B Threat Vectors
• Network (hardwire)
• Wireless
• Portable Media/Mobile Devices (PMMD)
• Supply Chain
• Physical Access

Type A threat vectors represent methodologies of attack, such as flooding a Transmission
Control Protocol (TCP) or Internet Protocol (IP) network with so many requests that the
system becomes unresponsive (a DoS attack). Absent from this list are methods such as
phishing to obtain access credentials and ransomware attacks.

Type B threat vectors represent avenues by which an attacker could deliver a payload, gain
access to a system, encrypt information, or make data unavailable. Regardless of method or
avenue, an attack plays out in much the same way.
Prioritize your threats with SIEM
SIEM gives you a real-time analysis of the security alerts generated by applications and
network hardware. It stores this data in a single, central location, making it easy for you
to identify threats and analyze their severity. That way, you can prioritize your daily
threats and take immediate action to protect yourself from the most critical ones.

If it takes you too long to identify a breach, you won't be able to recover. Companies that
don't detect threats within days have a higher risk of going bankrupt.

"More than 40% of businesses will never reopen after a major natural disaster." – Gartner37

A SIEM system gives you immediate insight into threats so you can recover quickly.

"For it is no longer a question of 'if', but 'when' and 'how often'. I am convinced that
there are only two types of companies: those that have been hacked and those that will be.
And even they are converging into one category: companies that have been hacked and will
be hacked again."
Robert S. Mueller, III, Former Director of the FBI (RSA Cyber Security Conference,
January 2012)36

You can choose from three SIEM models, depending on how many internal resources you can
devote to it:

• Deployed SIEM is ideal if you want to buy a SIEM solution and manage it yourself on-site.
• Co-Managed SIEM lets you purchase a SIEM solution and get help from a managed security
  services provider to support it.
• As-a-Service SIEM is a full operational expenditure (OPEX) model for your SIEM and
  operations.

If you lack the internal resources to manage a SIEM deployment and perform real-time
alert monitoring, the as-a-Service model can give you around-the-clock security coverage
and help you meet your requirements for threat management and compliance.
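
As an added example (not from the guide or any SIEM product), the correlation logic below shows what "prioritize your daily threats" looks like inside a SIEM rule: constructed SSH authentication events are grouped by source address, a burst of failures inside a short window is flagged, and a subsequent successful login from the same source escalates the alert to critical. The log format, the thresholds and the severity names are assumptions made for the example.

```python
"""SIEM-style correlation over authentication events.

Added example, not from the guide. The log lines are constructed in a
simplified syslog-like format; the rule thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format: "<ts> <host> sshd <OK|FAIL> user=<u> src=<ip>")
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd FAIL user=admin src=203.0.113.9
2024-03-01T10:00:03 web01 sshd FAIL user=root src=203.0.113.9
2024-03-01T10:00:05 web01 sshd FAIL user=oracle src=203.0.113.9
2024-03-01T10:00:06 web01 sshd FAIL user=admin src=203.0.113.9
2024-03-01T10:00:08 web01 sshd FAIL user=deploy src=203.0.113.9
2024-03-01T10:00:20 web01 sshd OK user=deploy src=203.0.113.9
2024-03-01T10:02:00 db01 sshd FAIL user=jsmith src=198.51.100.4
2024-03-01T10:02:30 db01 sshd OK user=jsmith src=198.51.100.4
2024-03-01T10:05:00 app02 sshd FAIL user=backup src=192.0.2.77
2024-03-01T10:05:01 app02 sshd FAIL user=backup src=192.0.2.77
2024-03-01T10:05:02 app02 sshd FAIL user=backup src=192.0.2.77
2024-03-01T10:05:03 app02 sshd FAIL user=backup src=192.0.2.77
2024-03-01T10:05:04 app02 sshd FAIL user=backup src=192.0.2.77
2024-03-01T10:05:05 app02 sshd FAIL user=backup src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed rule parameters
FAIL_THRESHOLD = 5            # failures...
WINDOW = timedelta(seconds=60)  # ...within this window = password guessing
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def parse_events(text):
    """Parse log lines into dicts; unparseable lines are skipped here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real SIEM routes these to a parse-failure queue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def correlate(events):
    """Group by source IP; alert on a failure burst, escalate if a login then succeeds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        burst_end = None
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1]["ts"] - fails[i]["ts"] <= WINDOW:
                burst_end = fails[i + FAIL_THRESHOLD - 1]["ts"]
                break
        if burst_end is None:
            continue  # below threshold: one typo is not an incident
        success = next((e for e in evs if e["result"] == "OK" and e["ts"] >= burst_end), None)
        alerts.append({
            "src": src,
            "severity": "critical" if success else "high",
            "failures": len(fails),
            "distinct_users": len({e["user"] for e in fails}),
            "hosts": sorted({e["host"] for e in evs}),
            "compromised_user": success["user"] if success else None,
        })
    # Most severe first, then by volume: this is the analyst's worklist order
    alerts.sort(key=lambda a: (-SEVERITY_RANK[a["severity"]], -a["failures"]))
    return alerts


def prioritize(log_text):
    return correlate(parse_events(log_text))
```

The point of the "critical" escalation is the one the text makes about time to detect: a burst of failures followed by a success means the guessing worked, and that source address now holds a valid credential, so it belongs at the top of the queue rather than in a daily brute-force summary.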

ERP application security
Your ERP houses sensitive data from every area of your business, making it a prime target
for hackers.

89% of security professionals predict that attacks on SAP systems will increase, according to
an ERP Cybersecurity Survey.38 An SAP breach costs companies an average of $5 million, but
the impact can be far greater when you factor in a decrease in customer and stakeholder
confidence.

Working with a managed security provider can help you protect your company's most
sensitive data. Look for a partner who offers a three-tiered security approach:

1. Physical security via best-in-class data centers
2. Logical security with multi-factor authentication, identity federation, and
   military-grade encryption
3. Data sovereignty that gives you full visibility into and control over your environment

It is important that organizations take a role-based approach to access and determine what
access each job role should have: where can someone go, and what can that person do? By
thinking about physical and logical security the same way, you can determine, from a security
perspective, who can go where and who can do what.

Since ERP security is not "one and done," your partner should run continuous scans against
your systems and provide data about your vulnerabilities and recommendations on how to
better protect your enterprise.

"89% of security professionals predict that attacks on SAP systems will increase."
ERP Cybersecurity Survey38
Look for a partner who offers the following security services:

• An endpoint protection solution that blocks threats in real time. It should cover all areas
  of your network, from your ERP infrastructure to the domain name system (DNS) level to
  your mobile devices.

• Next-generation monitoring and alerting. Work with a managed security provider who
  offers 24/7 proactive monitoring and alerting with tools that were custom-built for your
  ERP. Your partner should monitor every aspect of your system and provide alerts on the
  following:
  • Databases, including logs and backups
  • Data quality
  • Business function performance
  • End-user activity, including changes in user behavior that can put you at risk
  • Logs such as access control (physical and logical), critical activities that result in
    re-configuration, access to critical or sensitive data, and unauthorized or unusual
    activities
  • Any area where you want custom monitoring and alerting

• A security platform where you can define custom monitoring to respond to emerging
  threats to your ERP environment.

When a security vulnerability arises, it is important that you have the tools to look at the
problem, understand the threat, and build monitoring capabilities to see which systems need
to be patched and what priority each system should be given.

Your organization can build the solution if you have the capabilities to identify and prevent
vulnerabilities that need remediation within the platform. If you don't have the tool, you
don't know where the problem is or how to fix it quickly and strategically.

Heartbleed is a good example. Heartbleed was a vulnerability that came to light in April
2014. It was found on thousands of web servers, including those running major websites
such as Yahoo, and allowed attackers to read sensitive information out of a server's memory.
Heartbleed was caused by a flaw in OpenSSL (a missing bounds check in the TLS heartbeat
extension), an open source library that implements the Transport Layer Security (TLS) and
Secure Sockets Layer (SSL) protocols.39 An attacker could trick a vulnerable web server into
sending sensitive information, including usernames, passwords, and even the server's private
keys.
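
As an added example (not from the guide or any scanner), the triage below does what the text describes for Heartbleed: it takes a constructed asset inventory with OpenSSL versions, flags the builds in the publicly documented vulnerable range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g carried the fix), and orders them for patching by exposure and data sensitivity. The weighting is an assumption. One caveat a practitioner will recognise: Linux distributions backported the fix without changing the version string, so a version-only check is a starting point to be confirmed against the package changelog or a live heartbeat probe, and affected hosts also need their keys and certificates rotated after patching.

```python
"""Triage an asset inventory for Heartbleed-vulnerable OpenSSL builds.

Added example, not from the guide. Vulnerable range per the public advisory
(CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in
1.0.1g. The inventory is constructed and the priority weighting is assumed.
Caveat: distros backported the fix without bumping the version string, so
confirm a "vulnerable" verdict against the package changelog or a live test.
"""
import re

INVENTORY = [  # constructed
    {"host": "www-edge-01", "openssl": "1.0.1e", "internet_facing": True, "data": "customer PII"},
    {"host": "erp-app-01", "openssl": "1.0.1f", "internet_facing": False, "data": "financials"},
    {"host": "build-01", "openssl": "1.0.1g", "internet_facing": False, "data": "none"},
    {"host": "legacy-ldap", "openssl": "0.9.8y", "internet_facing": False, "data": "credentials"},
    {"host": "api-gw-02", "openssl": "1.0.2-beta1", "internet_facing": True, "data": "tokens"},
    {"host": "web-cache", "openssl": "1.0.1", "internet_facing": True, "data": "none"},
]

# OpenSSL's classic scheme: major.minor.fix, optional patch letter, optional -betaN
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?$")


def is_heartbleed_vulnerable(version):
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1; False for everything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letter, pre = m.groups()
    base = (int(major), int(minor), int(fix))
    if base == (1, 0, 1):
        return letter == "" or letter <= "f"  # bare 1.0.1 and 1.0.1a-f
    if base == (1, 0, 2):
        return pre == "beta1"
    return False  # 0.9.8 and 1.0.0 never had the heartbeat extension; 1.0.1g+ is fixed


def patch_priority(asset):
    """0 = not affected; higher = patch sooner. Weighting is an assumption."""
    if not is_heartbleed_vulnerable(asset["openssl"]):
        return 0
    score = 1
    if asset["internet_facing"]:
        score += 2  # reachable by anyone scanning the internet
    if asset["data"] != "none":
        score += 1  # memory may hold credentials, session cookies or keys
    return score


def triage(inventory):
    """Return [(host, priority), ...] for affected assets, highest priority first."""
    ranked = sorted(
        ((patch_priority(a), a["host"]) for a in inventory),
        key=lambda t: (-t[0], t[1]),
    )
    return [(host, prio) for prio, host in ranked if prio > 0]
```
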

Security in the public cloud
Enterprises face significant challenges when they integrate cloud systems into their business
environments, specifically around security and compliance. If you fail to take the right security
measures, you will experience a breach.

To avoid breaches, you must assess the security of each cloud service, along with the hosted
application that uses it. Then, you must close any security gaps between your applications
and clouds. Here's how:

• Don't assume that your public cloud services are secure out-of-the-box.
  Your provider will expect you to take steps to protect your data in the cloud. Under the
  shared responsibility model, the configuration of your own accounts, identities, networks,
  and data is yours to get right.

• Ensure that your systems in the public cloud have at least the same level of security and
  compliance as your private cloud and legacy solutions.
  Since the public cloud is in a public space, you will quickly see if you haven't fully
  implemented your security requirements there. Mistakes made in the cloud have greater
  exposure and more opportunity for exploitation by attackers. For example, a misconfigured
  IP address on an internal network would not be internet-routable. In a public cloud,
  however, it is only two clicks away from open access and a possible reportable data
  disclosure.

• Enhance ongoing monitoring and configuration validation for all cloud assets.
  Exposures often occur due to human error.

• Control administrative access to your public cloud accounts.
  If the wrong person accesses these accounts, they could destroy your entire business in
  a couple of hours. Alternatively, they could use them to mine cryptocurrency at a cost to
  your company of thousands, or even millions, of dollars.

• Tie identity and access management (IAM) services to logins from each device, with
  different access privileges for employees.
  Then, create detailed records for compliance and security audits, especially around who
  accesses information and how they are using it.
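
As an added example (not from the guide or any cloud provider's tooling), the checks below show one form of the configuration validation recommended above: a constructed storage bucket policy and a constructed security group, in the shape the AWS describe APIs return, are scanned for a wildcard principal with no conditions and for administrative or database ports open to 0.0.0.0/0 or ::/0. The restricted port list is an assumption; the same two questions apply to any provider's storage ACLs and firewall rules.

```python
"""Flag public exposure in cloud configuration documents.

Added example, not from the guide. Both documents are constructed in the shape
of an AWS S3 bucket policy and an EC2 security group as the describe APIs
return them; the checks themselves are generic. RESTRICTED_PORTS is assumed.
"""
import json

# Constructed bucket policy: second statement grants everyone read with no Condition
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::erp-exports/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::erp-exports", "arn:aws:s3:::erp-exports/*"]},
    ],
})

# Constructed security group (subset of describe-security-groups output)
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

# Assumed list: admin and database ports that must never be world-reachable
RESTRICTED_PORTS = {22: "ssh", 1433: "mssql", 1521: "oracle", 3306: "mysql",
                    3389: "rdp", 5432: "postgres"}


def _is_wildcard_principal(principal):
    """Both "Principal": "*" and {"AWS": "*"} mean anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition block."""
    policy = json.loads(policy_json)
    findings = []
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow"
                and _is_wildcard_principal(st.get("Principal"))
                and "Condition" not in st):
            findings.append(st.get("Sid", "<no sid>"))
    return findings


def _world_open(rule):
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(security_group):
    """Return sorted (port, service) pairs from RESTRICTED_PORTS reachable from anywhere."""
    exposed = set()
    for rule in security_group.get("IpPermissions", []):
        if not _world_open(rule):
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if rule.get("IpProtocol") == "-1" or lo is None:
            exposed.update(RESTRICTED_PORTS.items())  # "all traffic" rule
            continue
        for port, svc in RESTRICTED_PORTS.items():
            if lo <= port <= hi:
                exposed.add((port, svc))
    return sorted(exposed)
```

Note that the IPv6 check is what catches the Oracle listener here: the IPv4 side is correctly limited to 10.0.0.0/8, and a reviewer looking only at CidrIp entries would pass the rule. Run checks like these on a schedule against every account, not once at deployment, since the text's point is that the exposure is two clicks away at any time.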

Data privacy
New information privacy and data protection laws prohibit the disclosure or misuse of
information about individuals. More than 80 countries and independent territories, including
Canada and many countries in Europe, Latin America, Asia, and Africa, have adopted
comprehensive data protection laws.

The United States is notable for not having a comprehensive information privacy law for the
country, but instead having limited sectoral laws. For example, the California Consumer
Privacy Act (CCPA) requires businesses above a specified user and/or revenue threshold to
disclose what personal data they collect.

It's important to understand whose data you have and how you are storing and sharing this
information.

Compliance with privacy laws is paramount.

"More than 80 percent of the largest firms in the United States are totally or heavily
dependent on technology and, on average, a company would lose 25 percent of its daily
revenue after the sixth day of its system breakdown."
University of Delaware Disaster Research Center Report40
There are some common-sense approaches to handling sensitive data.

• Define the terms sensitive, private, or protected in easily understood terms
  Employees, contractors, vendors, and customers need to understand what constitutes
  private data, so they can handle it with sensitivity, comply with processes, and feel
  confident that information is protected. Some customers may have proprietary or unique
  definitions for protected data, so be sure to clarify.

• Identify and communicate proper methods of storage and transmission
  Email, attachments to ticketing systems, and internet-facing sites should not be
  considered secure for transmission and storage. Ensure that the approved, secure methods
  of storage and transmission are accessible to those who need them. Schedule short
  trainings or create how-to documents on accessing and using the secure tools.

• Document expiration dates, timing, and procedures for deletion
  Develop processes around retention of protected data, and when the time comes to
  destroy the data, determine a secure methodology for that process.

• Review additional security and encryption options periodically, especially for sensitive
  or private data
  Schedule periodic reviews of security to identify changes or new capabilities that may
  exist. Consider encryption options and other emerging methods to further protect
  sensitive data.

"A data breach is about both privacy and security. And security becomes very, very
important because you can't have privacy unless you have good security. And if someone
tries to say otherwise, they are crazy people!"
Dr. Larry Ponemon, Founder and Chairman of Ponemon Institute41
Vulnerability assessment and management
Security is no longer something that businesses can consider optional. What was once
regarded as a low-priority part of IT, information security is now a high priority. When
security is put aside, it can be devastating to a company: ask Ashley Madison, the IRS,
Target, Sony, eBay, and Evernote, to name a few.

All these companies have had millions of user records compromised in a data breach, and
they're not alone. Other companies find themselves dealing with CryptoWall or CryptoLocker,
ransomware that encrypts data and then holds the decryption key for ransom.

What are some common misconceptions?

The biggest misconception for any company is that vulnerability assessments and security
aren't necessary. They think they aren't (or won't be) a target. The fact is that any company
can be a target, big or small.

Hackers want data. Your company is but a task on a hacker's to-do list: vacuum up as much
information as possible, then turn around and sell it on the black market. Nothing personal.
It's just business to them. Another misconception is that the network is safe because a
penetration test and audit have already been done.

Every day new threats are released. They may be new viruses or variants of the same ones
that hit companies in the past. This means what may have been safe last year is not
necessarily protected today. Penetration testing, vulnerability assessment, and audits are
continual, regularly scheduled efforts. They can't guarantee 100% protection. However, they
can stop attacks that would otherwise be successful.

The first benefit of a vulnerability assessment is that it identifies resources at risk. You
should hire a professional to identify each vulnerable resource, regardless of how innocuous
it may seem. Once vulnerable resources are identified, each can be prioritized, with a value
placed on the resource and on the cost it would take to defend it.

The most valuable part of a vulnerability assessment is the strategy to defend your
networks. Make sure you're using a defense-in-depth strategy to protect your assets. A
vulnerability assessment helps to identify current risks to your infrastructure and then
proposes industry-approved steps to remediate any issues and reduce your threat footprint.
Even if defenses can't be 100% effective, they can minimize the consequences.

Minimizing security risk is a complicated task that requires consistent monitoring, patching,
and upgrading. Don't wait for your data to be compromised; hire a professional for a complete
vulnerability assessment of your networks.

For secure organizations, patching devices isn't optional. You can improve your devices'
security by mandating that employees install patches. You can force employees to patch their
desktops and mobile phones. For example, if they don't patch their phones, they won't be
able to access their email accounts.

"60% of data breaches are caused by a failure to patch. If you correct that, you've
eliminated 60% of breaches. And I didn't even have to say AI or Blockchain! See how that
works?"
Ricardo Lafosse, CISO of Morningstar42

What layers are missing from your IT security strategy?
Taking a comprehensive, multi-layered approach to IT security is key to protecting your
enterprise from threats.

Most companies don't recognize the value in risk assessments and impact assessments
since they are long and tedious, but they are well worth it.

You can't rely on technology alone to solve your security challenges.

With the right strategy and plan, and the right people, you can prevent intrusions and keep
your enterprise secure.
Part 6

A Lack of Cybersecurity Talent Puts You at Risk
Despite the increase in threats, many enterprises don't have the internal skills or
resources to defend themselves against attacks.

IT leaders don't have enough staff or budget to defend adequately against the
threats mentioned on the previous pages, according to a Black Hat report.43

Black Hat's findings are in line with other reports. For example, 68% of security
professionals said a cybersecurity skills shortage is impacting their ability to stay
on top of vulnerabilities.44

This shortage is affecting them in the following areas:

• 60% said it harmed their incident detection and response.
• 53% said it resulted in insecure configurations.
• 42% said they were unable to translate security data into intelligence.

The cybersecurity skills shortage particularly impacts small-to-medium businesses that
don't have the budgets to pay top salaries. They often struggle to maintain even small
security teams of just one or two people. These teams are overworked and stressed.

In fact, Black Hat found that 40% of security professionals consider themselves
burnt out. Meanwhile, 54% believe that the levels of anxiety, depression, and
addiction are higher among security pros than they are among the general U.S.
population.
How to overcome the cybersecurity skills gap
Unfortunately, the cybersecurity skills shortage will only get worse. Analysts predict
that 3.5 million global cybersecurity jobs will go unfilled by 2021, up from 1 million
vacant positions in 2014.45

Even if you find cybersecurity experts, there's no guarantee that they will stay with
your company. ESG research46 revealed that 49% of cybersecurity professionals
receive job solicitations at least once per week. This news is excellent for people who
want a career in cybersecurity, but it's a problem for CIOs that need to retain skilled
professionals at a reasonable salary.

There are ways to improve your security without hiring new employees or placing
additional burdens on your in-house team.

Many CIOs are turning to managed security service providers (MSSPs) to overcome their
internal skills gap.

Working with an MSSP allows you to boost your security without increasing the burden
on your internal staff. With the right partner, you can see quick ROI while you free your
internal team to focus on innovation, not routine maintenance.

In fact, 81% of enterprises that use managed security service providers have infection rates
of 3% or less. Meanwhile, just 63 to 69% of companies that use other approaches, such as a
coordinating response team, a distributed incident response team, or a CIRT, have infection
rates of 3% or less.

"Enterprises that outsource their anti-malware and endpoint protection have lower infection
rates than those who manage these items in-house."
IDG Survey47

It is important to understand what your core business is and to have security experts
in-house who can take advantage of the experience and talent at managed security
service providers.
Part 7

10 Critical Questions You Should Ask Before Hiring a Managed Security Services Provider (MSSP)
An MSSP can shore up your cybersecurity while removing burdens from your internal IT team.
But to achieve these results, you must find the right partner. Here are 10 things you need
to know before you choose an MSSP.

Choosing the right MSSP can be overwhelming. Many of them sound similar on paper,
which makes it hard to determine if they can meet your business and IT needs.

Here are 10 questions that will help you identify the right MSSP.

1. Do they have extensive experience with your ERP system?
Your ERP houses your company's most sensitive data and is a prime target for hackers.
Make sure that your MSSP has the right experience and tools to protect it from threats.

Choose an MSSP that is a certified SAP, Oracle, or JDE partner. Their team should also have
relevant technical certifications with your ERP provider.

In addition to technical expertise, look for an MSSP that offers the right tools. For example,
they should provide monitoring tools that were custom-built for your ERP. They should
proactively monitor your ERP environment and send you alerts of potential threats.
2. How will they handle your data?
Get clear on your security goals and requirements before you speak with an MSSP. For
example, do you need to store any data on-premises? Does some of your data require
different levels of control and protection? Must you comply with GDPR?

Also, find out what will happen if your MSSP gets hacked. How will they respond? How
quickly will they notify you of the breach? What are their legal requirements?

3. Do they offer database encryption?
Traditional disk and database-level encryption does not allow you to specify data classes
or specific user permissions: once the database is open, anyone with query access sees
plaintext, so access control is an all-or-nothing proposition.

Your MSSP should offer modern encryption tools that support field-specific encryption
and granular user access control. Look for an MSSP that provides:

• Military-grade encryption for your ERP and other data
• Column-level transparent data encryption for all platforms supported by your ERP
• The ability to encrypt data at rest and in transit
• Fine-grained control over who has access to decrypt which fields and columns

4. Can they share client success stories?
Does the MSSP have stories about how they've helped customers that are like you? Find out
if they've worked with other companies in your industry or ones that have similar IT
environments. Also, ask if they've helped CIOs achieve the same results that you want to
achieve.

The stories can give you an idea of how well the MSSP solves problems. For example, do they
only do the bare minimum, such as reporting a breach? Or do they take steps to clean it up?
Look for an MSSP who will treat you like a partner, not just another ticket that they need
to close.
2. 5 What can the MSSP provide in terms
of credible, detailed references?
You may not be able to speak with a customer reference, as most enterprises won’t put
themselves at risk by discussing their security challenges or which MSSP they use.

But there are other ways to find out if your MSSP is credible. For example, they can
show you endorsements from leading IT vendors. They can also give you a list of their
certifications to prove that they keep their skills and technologies up to date.

Also, be sure to Google the name of your MSSP plus “breach” to find out if any of their
customers fell prey to a cyberattack or other form of data loss. A quick Google search can
pull up items that you don’t hear about in the news. After all, you don’t want to hire an
MSSP and later find out that they were involved with a major breach.

3. 6 Do their breach detection and remediation


processes analyze every trouble ticket?
Many MSSPs set up your breach detection and remediation processes and then bill for a purely reactive (not proactive) service. For example, they may use tools to track trends and only declare a problem after one has already impacted your environment.

Make sure that your MSSP automates ticket generation and logs all of their work. This increases their accountability and ensures that issues are declared on objective technical criteria (a threshold crossed, a rule matched, the evidence attached to the ticket) rather than on an analyst's judgment. That way, your MSSP can't ignore problems until they turn into a security incident.
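To make "declared on technical criteria" concrete, here is an added Go example written for this guide; it is not Syntax's tooling, and the log line format, the threshold and the time window are constructed assumptions. It parses authentication log lines, applies one deterministic rule (at least five failed logins from the same source address within ten minutes) and emits a ticket that carries the rule name, the key it fired on and the exact evidence lines, so anyone reviewing the queue later can see why the ticket exists. Malformed lines are reported back rather than silently dropped, because lost telemetry is itself something the MSSP should have to account for.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication record. The line format is a constructed
// assumption for this example: "<RFC3339 time> <OK|FAIL> user=<name> src=<ip>".
type Event struct {
	At     time.Time
	Result string
	User   string
	Src    string
}

// Ticket is what should land in the MSSP queue: the rule that fired, the key it
// fired on, and the exact evidence lines, so the decision is reviewable later.
type Ticket struct {
	Rule     string
	Key      string
	Evidence []string
}

// ParseLine rejects anything that does not match the expected shape instead of
// guessing; parse failures are returned to the caller as their own finding.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "src=") {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	return Event{At: at, Result: f[1], User: f[2][5:], Src: f[3][4:]}, nil
}

// BruteForceRule opens one ticket per source address that produced at least
// threshold FAIL events inside any span no longer than window. Lines are assumed
// to be in time order. The threshold and window are the objective criteria; no
// analyst opinion is involved in deciding whether a ticket exists.
func BruteForceRule(lines []string, threshold int, window time.Duration) ([]Ticket, []error) {
	bySrc := map[string][]Event{}
	var errs []error
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if e.Result == "FAIL" {
			bySrc[e.Src] = append(bySrc[e.Src], e)
		}
	}
	var tickets []Ticket
	for src, evs := range bySrc {
		start := 0
		for end := range evs {
			// Slide the window start forward until the span fits inside the window.
			for evs[end].At.Sub(evs[start].At) > window {
				start++
			}
			if end-start+1 >= threshold {
				var evidence []string
				for _, e := range evs[start : end+1] {
					evidence = append(evidence, fmt.Sprintf("%s FAIL user=%s src=%s",
						e.At.Format(time.RFC3339), e.User, e.Src))
				}
				tickets = append(tickets, Ticket{Rule: "auth.bruteforce", Key: src, Evidence: evidence})
				break // one ticket per source; later events would be attached to it
			}
		}
	}
	sort.Slice(tickets, func(i, j int) bool { return tickets[i].Key < tickets[j].Key })
	return tickets, errs
}

func main() {
	// Constructed sample: a burst of failures from one address, one failure from
	// another, a success, and one corrupted line.
	lines := []string{
		"2020-03-02T09:00:01Z FAIL user=jsmith src=203.0.113.5",
		"2020-03-02T09:00:07Z FAIL user=jsmith src=203.0.113.5",
		"2020-03-02T09:00:15Z FAIL user=admin src=203.0.113.5",
		"2020-03-02T09:00:22Z FAIL user=admin src=203.0.113.5",
		"2020-03-02T09:00:30Z FAIL user=mlee src=198.51.100.7",
		"2020-03-02T09:00:41Z FAIL user=root src=203.0.113.5",
		"2020-03-02T09:01:03Z OK user=mlee src=198.51.100.7",
		"garbage line from a truncated write",
	}
	tickets, errs := BruteForceRule(lines, 5, 10*time.Minute)
	for _, t := range tickets {
		fmt.Printf("TICKET %s key=%s evidence=%d lines\n", t.Rule, t.Key, len(t.Evidence))
	}
	for _, err := range errs {
		fmt.Println("PARSE ERROR:", err)
	}
}
```

The point to take into an MSSP conversation is the shape of the ticket, not the rule itself: every ticket names the rule and carries its evidence, and every dropped line is surfaced. Ask the vendor to show you the same three things in their own queue.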

7. Does the MSSP use leading endpoint protection technologies?
Your MSSP should not only offer the latest technologies but also use them internally. If
they rely on technologies that are three generations old, how can they provide you with
quality service?

Ask your MSSP what tools they use for their customers and IT environment. Also, ask
how they keep current with the latest security best practices.

For example, beware of a vendor that relies heavily on traditional signature-based anti-virus tools, as they offer little protection against today's sophisticated threats: fileless attacks, abuse of legitimate administrative tools, and malware repacked to evade known signatures. Instead, choose an MSSP that offers advanced endpoint protection with behavioral detection and response capabilities, to keep malware from getting onto, and persisting on, your enterprise's computers and devices.

In addition to endpoint technology, your MSSP should draw from a broad security toolkit.
Find out what tools your MSSP will use to mitigate your risks and resolve threats.

8. Do they have experienced staff in your time zone(s)?

Much of your security risk is concentrated in the hours your employees work, when users are opening attachments, clicking links, and logging in from many locations. Choose an MSSP who keeps similar office hours, so that experienced staff are reachable when you are at your most vulnerable. Attackers also deliberately time intrusions for nights, weekends, and holidays, so confirm that monitoring and response coverage continues around the clock and not only during the MSSP's own business day.

9. Does your MSSP have qualified employees?
The IT skills shortage doesn’t just impact enterprises—it also impacts MSSPs. Many
vendors struggle to find qualified employees, so they hire whoever is available so that
they can get billable hours.

Make sure that your MSSP assigns skilled technicians to your account. If you use
technologies such as SAP or Oracle, look for an MSSP who is a certified partner. That way,
you can rest assured that your MSSP has people on staff who know how to implement
and run your core systems.

Your MSSP’s team should also keep their skills sharp. The cybersecurity world changes
rapidly, so your MSSP must stay on top of the latest trends. Ask your MSSP how they
expand their knowledge. For example, do they attend security conferences to learn about
the latest threats and best practices?

10. Does your MSSP standardize their offerings?
Look for an MSSP that offers packages with transparent rates. They should also explain
how your pricing will change as you add more services, or your IT environment expands.
Many MSSPs offer a low base price, but their fees quickly escalate as your environment
grows.

Get more value from your IT resources

The cybersecurity skills gap isn't going to decrease any time soon. Cybersecurity Ventures predicts a global shortage of 3.5 million qualified professionals by 2021.48

Working with an MSSP can help you keep your environment secure while you free your internal IT team for more strategic projects. The right MSSP will enhance your internal expertise by helping you identify gaps in your security and putting you on a path that will minimize your risks.

Part 8

Are You Ready for the Next Generation of Cyber Threats?
Syntax endpoint security solutions prevent and protect against the attack techniques that, by Syntax's estimate, account for 96% of your company's real risk. They prevent and identify malware, phishing, and hacking tools through advanced detection technologies, including user behavior analytics.

Syntax managed security services can be deployed from start to finish in a matter of hours. Get protection against billions of known threats and bring control to your environment.
Our comprehensive security services include:

• Endpoint Security
Stop advanced attacks at your endpoints. Syntax offers 24/7/365 security coverage,
without the high costs of hiring full-time security professionals.

• ERP Security

Syntax offers a full suite of SAP, JD Edwards, and Oracle EBS migration, management,
and security services. We are an SAP Gold Certified Global Partner and an Oracle Platinum
Partner with more than 45 years of experience managing these complex systems.

• Intrusion Detection and Prevention Systems (IDPS)

Gain deeper insights into your network behavior so that you can fine-tune your security.
With Syntax, you can increase operational efficiency and reduce overhead by separating
actionable events from the noise, helping you better prioritize threats and improve your
security posture.

• Security Information and Event Management (SIEM)

Get real-time analysis of the security alerts generated by your applications and network hardware. Syntax protects you from threats, improves your regulatory compliance, and helps you avoid the capital expenses and operational complexity of an on-premises SIEM solution.

• Vulnerability Management and Analysis

Syntax's Security Assessment Services identify your vulnerabilities and train you in preventative measures, helping you safeguard your critical systems and data. Your assessment will check both your internal and public-facing vulnerabilities, and will train your employees on security awareness so that they don't make a mistake that puts your business at risk.

• Fraud Detection (Fraud ID)

FraudID for JD Edwards EnterpriseOne proactively detects and alerts on suspicious transaction activity by closely monitoring production data in real time.

• JD Edwards Encryption and Data security (EnCrypto)

EnCrypto delivers JD Edwards encryption capabilities with military-grade strength. It is the only JDE application-level encryption solution on the market and offers you fine-grained control over who has access to decrypt each field and column.

• High Availability and Disaster Recovery

Syntax's High Availability and Disaster Recovery solutions protect your systems and your users from unexpected delays and downtime by relying on best-of-breed replication technology. More importantly, our cloud-based solution also offers guaranteed business continuity in the event of a disaster. We offer some of the industry's most aggressive Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).

Part 9

Next Steps
Want to learn more about how to protect and secure your company?

Check out our security resources, including reports and on-demand webinars, at Syntax's Resources page.

You can also find the latest security best practices on the Syntax blog.

Why Syntax?
• Providing comprehensive technology solutions since 1972
• 1,000+ customers
• Oracle Platinum Partner with 650+ Oracle ERP customers
• SAP Gold Certified Global Partner with 6,000+ SAP systems under management
• One of the first SAP customers globally (#7)
• One of the highest customer satisfaction rankings in the industry
• Recognized by Oracle as the #1 Cloud Provider for Oracle JD Edwards
• Winner of the Oracle JD Edwards Partner Excellence Award
• One of the first Oracle E-Business Suite Hosting Providers to provide managed services
• AWS Advanced Consulting Partner
• Microsoft Gold Partner
• A Cisco Select and Managed Security Services Partner
• IBM 2018 North America Excellence Award for Top Strategic Services Partner
• HPE 2019 North America Service Provider Award for Customer Excellence

Since 1972, Syntax has been providing comprehensive technology solutions to businesses of all
sizes with thousands of customers trusting Syntax with their IT services and ERP needs. Today,
Syntax is a leading Managed Cloud Provider for Mission Critical Enterprise Applications. Syntax has
undisputed strength to implement and manage ERP deployments (Oracle, SAP) in a secure and
resilient, private, public, or hybrid cloud. With strong technical and functional consulting services,
and world class monitoring and automation, Syntax serves corporations across a diverse range of
industries and markets. Syntax has offices worldwide, and partners with Oracle, SAP, AWS, Microsoft,
IBM, HPE, Cisco, and other global technology leaders. Learn more about Syntax at www.syntax.com.
References
1. Ponemon Institute: 2019 Cost of a Data Breach Study, 2019
2. Wikipedia: GDPR fines and notices
3. FireEye: Most organizations plan to increase their cybersecurity budgets in 2020, November 6, 2019
4. Fortinet: The State of Operational Technology and Cybersecurity Report, 2019
5. Operational Technology Cyber Security Alliance (OTCSA)
6. Infoblox: Infoblox research finds explosion of personal and IoT devices on enterprise networks introduces immense security risk, May 14, 2018
7. 802 Secure: 802 Secure Shares IoT Threat Research at Internet of Things World 2018, Santa Clara, May 16, 2018
8. The Santa Fe Group: Third Party IoT Risk: Companies Don't Know What They Don't Know, May 3, 2019
9. Forrester: The State of Enterprise IoT Security in North America, 2019
10. Malwarebytes Labs: Cybercrime Tactics and Techniques, 2019 State of Malware
11. McAfee: McAfee Labs 2020 Threats Predictions Report, December 4, 2019
12. Coveware: Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate, January 22, 2020
13. SANS Analyst Program: Endpoint Protection and Response, a SANS Survey, June 2018
14. BusinessWire: Independent Market Survey Reveals 64% of ERP Deployments Have Been Breached in the Last 24 Months, October 2, 2019
15. Mark Campbell: What Are the Consequences of Data Loss?, https://www.unitrends.com/blog/what-are-the-consequences-of-data-loss
16. Accenture: From lead weight to launch pad: Realizing digital objectives while managing legacy optimization, 2016
17. CPO Magazine: 2019 SANS Institute Cloud Security Survey Reveals Top Threats, Which Surprisingly Are Not DDoS Attacks, May 28, 2019
18. Cybersecurity Insiders: 2019 Cloud Security Report, 2019
19. Wall Street Journal: Equifax Reaches $700 Million Settlement Over Data Breach, https://www.wsj.com/articles/equifax-reaches-700-million-settlement-over-data-breach-11563798429
20. McAfee: Enterprise Supernova Data Dispersion report, https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-enterprise-supernova-data-dispersion.pdf
21. McAfee: Enterprise Supernova Data Dispersion report, https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-enterprise-supernova-data-dispersion.pdf
22. McAfee: Enterprise Supernova Data Dispersion report, https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-enterprise-supernova-data-dispersion.pdf
23. Security Week: Compliance is Not Synonymous With Security, May 21, 2018
24. IronNet: New Survey Finds Vast Majority of IT Security Pros Willing to Share Threat Intel to Improve Overall Collective Defense Efforts, May 15, 2019
25. Ponemon Institute: 2018 Study on Global Megatrends in Cybersecurity, 2018
26. Ponemon Institute: 2018 Study on Global Megatrends in Cybersecurity, 2018
27. SecureWorld: 20 Top Cybersecurity Quotes for 2020, https://www.secureworldexpo.com/industry-news/20-top-cybersecurity-quotes-for-2020
28. IDG: Why and How to Block Security Breaches at the Endpoint
29. Cisco: Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today's Threats, 2018
30. Symantec: Mobile Threat Intelligence Report, 2016 in Review, March 23, 2017
31. Google: Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review, March 22, 2017
32. IDG: Why and How to Block Security Breaches at the Endpoint, https://info.syntax.com/whitepapers/2/block-security-breaches-at-the-endpoint
33. CSO Magazine: Top cybersecurity facts, figures and statistics, https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
34. IDG: How to Blunt Spear Phishing Attacks
35. FBI: Business E-Mail Compromise / E-Mail Account Compromise: The 5 Billion Dollar Scam, May 4, 2017
36. Withum: How Secure is Your Firm's Cyber Security Health?, https://www.withum.com/resources/secure-firms-cyber-health/
37. Gartner: Stress-Test Your Business Continuity Management, Jordan Bryan, February 12, 2020, https://www.gartner.com/smarterwithgartner/stress-test-your-business-continuity-management/
38. ERPScan.com: ERP Cybersecurity Survey, 2017
39. CSO Magazine: What is the Heartbleed bug, how does it work and how was it fixed?, https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html
40. E. L. Quarantelli: Future Disaster Trends: Implications for Programs and Policies, University of Delaware Disaster Research Center Preliminary Paper #256, 1997, http://udspace.udel.edu/bitstream/handle/19716/199/PP256-%20Future%20Disaster%20Trends.pdf;jsessionid=2954239C39CE0C82B82698E4D50C5E12?sequence=1
41. SecureWorld: 20 Top Cybersecurity Quotes for 2020, https://www.secureworldexpo.com/industry-news/20-top-cybersecurity-quotes-for-2020
42. SecureWorld: 20 Top Cybersecurity Quotes for 2020, https://www.secureworldexpo.com/industry-news/20-top-cybersecurity-quotes-for-2020
43. Black Hat USA: New Black Hat USA Research: Your Private Information Is Already Available to Criminals; U.S. Elections, Critical Infrastructure Also at Risk, July 1, 2019
44. Tripwire: Cybersecurity Skills Gap Survey 2019
45. The New York Times: The Mad Dash to Find a Cybersecurity Force, November 7, 2018
46. ESG: The Life and Times of Cybersecurity Professionals, 2017
47. Syntax: Block Security Breaches at the Endpoint (whitepaper), https://info.syntax.com/whitepapers/2/block-security-breaches-at-the-endpoint
48. Cybersecurity Ventures: Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021, October 24, 2019
