This is LeveL5Cyber’s repository of posts covering a wide range of relevant topics within cybersecurity. Our team weighs in on evolving risks and the importance of outpacing threat actors as your business grows. Learn about current events that could impact your organization and how LeveL5Cyber’s team of experts can help strengthen your cybersecurity posture with customized solutions.

Recent Posts


Building an Adaptable Security Strategy

22 October 2021

Come see one of our industry veterans and Cyber Risk experts as he presents at the Secure Delaware cybersecurity workshop on October 28th!

Anthony Morrone will be presenting on “Building an Adaptable Security Strategy” followed by advice on applying that methodology to your Third-Party Risk Management (TPRM) strategy.
This hybrid event (in-person and live streamed) will take place in Wilmington, DE at the Chase Center on the Riverfront. If you haven’t already registered for the event, get registered now at the link below!
Members of the L5C team will also be in attendance and we look forward to seeing all of you that can make this exciting event!

https://digiknow.dti.delaware.gov/…/2021/secureDelaware/

#level5cyber #SecureDelaware #cybersecurity

The LeveL5Cyber team has 116+ years of hands-on experience in Fortune 500 companies (including DuPont and Lockheed Martin), the military, complex manufacturing environments and more. We bring to your business the expertise to identify gaps in your data protection strategy and help create a roadmap to a more secure future. 

Connect with the LeveL5Cyber team and learn how we can tailor an assessment program specific to the business needs of your company.


Air gapping the OT network is no longer a realistic option

09 October 2021

With another slew of industrial control system (ICS) advisories released by Siemens and Schneider Electric last month, most organizations cannot immediately apply the released patches. While patching is essential to reduce risk, it is only one of many mitigation efforts that can be applied.

For most, immediate patching of OT assets is not feasible. As a result, a layered defense is even more important, and it starts with the OT architecture. As industrial IoT becomes increasingly prevalent, air gapping the OT network is no longer a realistic option in many cases. Network segmentation, if done properly, provides a stop-gap measure that reduces risk while the organization takes the necessary steps to obtain patches and prepare to apply them.

Network design will vary by industry and organization, but there are best practices and frameworks that can be followed to prioritize safety and availability. Talk with one of our experts today to find out how our decades of experience can help reduce risk to your organization!

#networksegmentation #level5cyber #cybersecurity


Operational Technology (OT) is a prime target for Nation-States and cybercriminals

01 October 2021

Operational Technology (OT) is a prime target for Nation-States and cybercriminals given its criticality and potential for significant collateral damage. As a result, there are three core risk impact areas that are affected by IoT devices, further compounding the issues. These risk areas include:

• Operational Disruption: Financial Impact
• Operational Disruption: Physical Damage
• Health and Safety: Employees and the Community at Large

Industry research is clear: attacks on OT systems are increasing, the economic impact on the company is growing, and the severity of the attacks is affecting the health and safety of employees and the communities they serve.

With the efficiencies that IoT brings and the introduction of leveraged vendor support for OT systems, the business value is here to stay. That means the risk landscape has become significantly more complex and security leaders must enable the business as a partner through the digital transformation age.

Three questions all business leaders should be asking:
• What is your organization’s confidence in its ability to respond to a malware attack on the OT network?
• Are you confident your firewall policies can prevent the spread of malware to your OT network?
• Do you have an inventory of third-party vendors with remote access to your OT networks?


Developing an Effective Security Strategy

13 August 2021

When developing a security strategy, understanding threats, capabilities, controls and risks is critical to a successful plan. A leader may choose from many standards to help them on this journey, but where do they begin? A mature, industry-accepted framework is a good place to start, and the NIST Cybersecurity Framework (CSF) meets those requirements. The good news is that many of the standards bodies cross-reference each other, so mapping to another standard is possible. The NIST CSF provides a seven-step process which addresses defining the scope, assessing control maturity, assessing risks and developing a plan of action. Keep in mind that defining the right scope is integral to successful and meaningful results. If this is the first time executing a NIST CSF assessment, start small and meaningful, possibly with a finance system or company website. Far too often, security leaders are pressured into expansive scopes for their first alignment efforts, which tends to lead to unexpected hurdles.

Now that you have aligned on a framework, the next step is to determine what standard will be used to assess your environment. For example, if assessing Operational Technology (OT), ISA/IEC 62443 is an appropriate standard, whereas NIST SP 800-53 is suited to Information Technology (IT) environments. Each standard can be situationally applied to the environment being assessed. This step can be the most challenging for beginners, especially if it is a self-assessment, because it requires scheduling time with the various subject matter experts and the ability to interview them properly. Be honest when assessing a control: if it is “in the works,” it is not fully deployed across the scope of systems. Once completed, the security plan can be leveraged in other assessments.

Once the maturity of the controls is understood, how do you determine what to work on? To answer this, there needs to be a clear understanding of the risks facing the company and the scope of systems assessed. This is the risk assessment step of the NIST CSF process, where the threats are analyzed for likelihood and impact. For example, the threats to a standalone scheduling application are different from those to an online banking application, so the risks and compensating controls are also different. Like the previous step, there are multiple standards and methods for performing a risk assessment. NIST SP 800-30 is one risk assessment methodology and Factor Analysis of Information Risk (FAIR) is another. FAIR has the benefit of communicating risk in financial terms, while NIST SP 800-30 provides a straightforward process to quantify risk; alternatively, adding financial impact to NIST SP 800-30 achieves both. Once the risks are assessed, there will be a clear picture of which threats need to be addressed in adherence to the risk tolerance of the company. This list is the Plan of Actions and Milestones, or POAM. POAMs are a great way to formally track the correction of cybersecurity-related issues, so that stakeholders at different levels can see that there is a plan with identified actions to take and milestones against which to measure progress.
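The risk assessment and POAM steps described above, carried through in code as an added example. This is not LeveL5Cyber’s tooling or any NIST-published artifact: the five-level ordinal scale, the cut-offs that collapse the likelihood × impact product into low/moderate/high, the annual-loss formula layered on top (single loss × expected annual occurrences, the “financial impact added to NIST SP 800-30” idea from the post), the tolerance thresholds and the sample register are all assumptions constructed for illustration. A risk lands on the POAM when it exceeds either the qualitative tolerance or the financial tolerance; everything else is recorded as accepted risk.

```python
from dataclasses import dataclass

# Qualitative scale assumed for this example, in the spirit of the NIST SP 800-30
# likelihood/impact tables. The exact scale and cut-offs are assumptions, not from the post.
SCALE = ["very low", "low", "moderate", "high", "very high"]
LEVEL = {name: i + 1 for i, name in enumerate(SCALE)}
RANK = {"low": 0, "moderate": 1, "high": 2}


@dataclass
class RiskEntry:
    """One analysed threat against one in-scope system (assumed structure)."""
    system: str
    threat: str
    likelihood: str           # one of SCALE
    impact: str               # one of SCALE
    single_loss_usd: float    # estimated cost of one occurrence (financial layer)
    annual_rate: float        # expected occurrences per year
    planned_action: str
    milestone: str

    def score(self) -> int:
        """Ordinal likelihood x impact, range 1..25."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def annual_loss_usd(self) -> float:
        """Annualised loss expectancy: single loss x expected annual occurrences."""
        return self.single_loss_usd * self.annual_rate


def qualitative_level(score: int) -> str:
    """Collapse the 1..25 product to the three-level rating used on the POAM."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


@dataclass
class PoamItem:
    system: str
    weakness: str
    risk_level: str
    annual_loss_usd: float
    reasons: list
    planned_action: str
    milestone: str


def build_poam(register, accepted_level="moderate", accepted_annual_loss_usd=50_000.0):
    """Return POAM items for every risk outside tolerance, highest annual loss first.

    A risk is placed on the POAM when its qualitative level is above the highest
    level the company accepts, or when its annualised loss exceeds the financial
    tolerance. Risks inside both limits are left off the POAM as accepted risk.
    """
    items = []
    for entry in register:
        level = qualitative_level(entry.score())
        loss = entry.annual_loss_usd()
        reasons = []
        if RANK[level] > RANK[accepted_level]:
            reasons.append(f"{level} risk exceeds accepted level '{accepted_level}'")
        if loss > accepted_annual_loss_usd:
            reasons.append(f"annual loss ${loss:,.0f} exceeds ${accepted_annual_loss_usd:,.0f}")
        if reasons:
            items.append(PoamItem(entry.system, entry.threat, level, loss, reasons,
                                  entry.planned_action, entry.milestone))
    # Financial exposure first, then qualitative level as the tie-breaker.
    items.sort(key=lambda i: (-i.annual_loss_usd, -RANK[i.risk_level]))
    return items


# Constructed sample register echoing the post's contrast between a standalone
# scheduling application and an online banking application. All values are illustrative.
SAMPLE_REGISTER = [
    RiskEntry("online banking app", "credential stuffing against customer logins",
              "high", "very high", 250_000, 0.5,
              "enforce MFA and login rate limiting", "Q1: MFA pilot; Q2: all customers"),
    RiskEntry("standalone scheduling app", "exploitation of an unpatched host",
              "moderate", "low", 10_000, 0.2,
              "fold host into the monthly patch cycle", "next patch window"),
    RiskEntry("company website", "defacement via an outdated CMS plugin",
              "moderate", "moderate", 30_000, 2.0,
              "remove unused plugins; enable auto-update", "30 days"),
]


if __name__ == "__main__":
    for item in build_poam(SAMPLE_REGISTER):
        print(f"{item.system}: {item.weakness} [{item.risk_level}, ${item.annual_loss_usd:,.0f}/yr]")
        for reason in item.reasons:
            print(f"  - {reason}")
        print(f"  action: {item.planned_action}; milestone: {item.milestone}")
```

With the sample register, the banking application lands on the POAM on both counts (high rating and $125,000 annual loss), the website lands on it only because its $60,000 annual loss breaches the financial tolerance even though its rating is moderate, and the scheduling application stays off as accepted risk. Recording the reasons alongside each item is what lets stakeholders at different levels see why a line exists and which tolerance it would take to retire it.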

Having a solid assessment framework, effective control standards, and a risk assessment methodology are all required to effectively develop a defensible security strategy. There are many other uses for these tools. A new security leader could use these methods to understand the capabilities of their new team, whereas a seasoned CISO may use the framework to objectively measure the progress towards execution of an existing strategy. It is also common for CISOs to use the framework to communicate cyber maturity to their Board of Directors. Taking the results of the assessment alone can be enlightening, but when compared to peers or other companies in the same vertical, they can be very useful for selling a message.

How else can your selected frameworks and assessment methodologies be used to advance a security organization? The organizationally adopted frameworks and methodologies can be used in concert with other referenceable works, such as the MITRE ATT&CK framework, to better understand exposure to specific attack techniques. Additionally, they can be used to answer questions around ransomware readiness or even to support the development of a data protection strategy. Overall, these powerful enablers can assist the security leader in many different aspects of the organization and other lines of business.


Mergers & Acquisitions: What’s the risk?

20 August 2021

The bottom line in business is change, and with that change comes new risks. One of the greatest catalysts of change is mergers and acquisitions. In one day, a company can double the number of users, computers, vendors, applications, and sites. The often-overlooked change is to a company’s threat landscape. While this sounds daunting, mergers, acquisitions, divestitures and joint ventures are a critical part of many companies’ business strategies. There are several drivers for portfolio changes, such as pressure from shareholders, changes in business strategy and the global market.

It is important to keep in mind that all portfolio changes present risks to each company. The unique threats introduced by a merger or acquisition, a divestiture, or a joint venture are all significant and impact a company’s threat landscape.

So, let us look at some of the challenges introduced by such activities. Not fully understanding the risk introduced by a new IT ecosystem post-merger/acquisition can lead to increased risk of malware attacks like ransomware, business email compromise and other cyber-attacks. One risk area often overlooked is data loss: change can be stressful to employees and may lead to intentional and accidental data loss. Not to mention, acquisitions often include intellectual property (IP), which may have driven a premium in the price. Misunderstanding and not addressing the risks to the IP could lead to a significant and rapid loss of value in the acquisition. A comprehensive understanding of what IP exists and the controls in place is critical to a successful acquisition. One of the commonly understated risks of acquisitions is the potential for technical debt in the acquired company. An early and extensive understanding of the IT landscape allows for appropriate funding and staffing expectations to mitigate the risk of unmanageable systems. If all this were not enough, mergers and acquisitions often come with an expectation from shareholders that significant cost savings and synergies will be achieved. This can drive an acceptance of risk which could have been avoided.

LeveL5Cyber’s M&A Security Guidance and Risk Assessment process provides security oversight throughout the acquisition lifecycle. This is accomplished through early engagement at the Valuation Analysis stage to understand the security profile of the company being acquired. The next phase of the assessment begins at Due Diligence, where an interview process is used to validate the security posture and gain deeper insight into potential synergy opportunities or technical debt issues. L5C uses these details to assist the acquirer in developing the Integration Strategy and estimating the cost to achieve the desired security posture. Once the deal is closed, L5C can perform a deeper interview and tool-based assessment to provide a comprehensive security risk assessment that further supports the integration strategy. Our team’s experience developing standardized architectures and controls to support portfolio changes can be leveraged, resulting in cost savings, improved efficiencies and a potential reduction in resources and transition service agreements.


M&A Cybersecurity Risks

03 September 2021

What are some of the potential risks an enterprise takes on if it neglects to include cybersecurity in its MADJV (mergers, acquisitions, divestitures and joint ventures) vetting process? A rushed or limited cybersecurity vetting process may miss exposures and can lead to increased risk of malware attacks, intellectual property (IP) loss, business email compromise, critical data loss, and unforeseen costs.

• Is your organization aware of undisclosed prior data breaches?
• Is your organization aware of the inherited third-party relationships with service level expectations, customer privacy agreements and regulatory compliance requirements?
• Does your organization understand the differing technical capabilities between organizations which could lead to unexpected integration costs, increased support costs, or weak spots in the cybersecurity protection capabilities?

When a company embarks on a portfolio transition, cybersecurity risks must be considered. The LeveL5Cyber MADJV security guidance and risk assessment process provides security oversight throughout the lifecycle. We have a team of cyber experts from Fortune 500 companies and real-world critical manufacturing operations (chemical, manufacturing, and aerospace) ready to apply their years of experience in a right-sized, results-driven model.


Third-Party Risk Management

24 September 2021

Companies of all sizes use third-party vendors. These relationships can bring a host of benefits to an organization, but they also raise concerns, especially around data, risk, and security. Attacks originating from insecure third parties heighten security concerns, yet most companies fail to address this source of vulnerability.

What are some of the challenges that organizations face?

1. Data silos: Many corporate teams believe that Third-Party Risk Management and data security are the responsibility of the Information Security organization alone. Vendor risk impacts several functions across the organization, from procurement and legal to finance and executive management. With lingering data silos, it can be difficult to make progress towards a long-term Third-Party Risk Management strategy.
2. Shadow IT: Unknown vendors introduce multiple risks.
3. One size does not fit all when it comes to risk assessments: Assessments need to be scalable to meet varying degrees of risk.
4. Time management to sustain the program: Addressing future risks takes less time and fewer resources.
5. On-going monitoring: Utilize continuous monitoring to assess third parties beyond point-in-time assessments.

At a time when third-party risk is elevated by the potential for exposure or loss resulting from a cyberattack, security breach, or other security incident, having a well-planned Third-Party Risk Management program in place is crucial. Corporate leaders need to adopt new approaches to managing vendor risk in response to business growth, information security concerns, and new regulatory frameworks for managing risks related to third-party business relationships. A strong Third-Party Risk Management program should include a governance framework, a vendor selection and inventory process, due diligence and continued oversight, a vendor risk assessment and ongoing vendor monitoring.

Building these essential steps into your program can contribute significantly toward mitigating a cyberattack, security breach, or other security incidents associated with outsourcing tasks and services. It can also save thousands of dollars in fines and penalties.
