You’ve made the decision to bring your organization to a more cyber-secure place.
Maybe you’re doing this proactively – to guard your company from a cyber attack. Or
perhaps you’re required to do it to achieve legal, regulatory or industry compliance. Or,
worst case: you’ve been the target of a compromising cyber event.
Making your organization more cyber-secure is smart business, regardless of the
reasons. But because the cybersecurity landscape is continually changing, it’s not
uncommon for many in the executive wing to be a little hazy on how to get to a more
secure place.
Take a breath.
The first thing we tell our clients: Don’t panic. Even if your company has been
subjected to an attack, there are practical, effective steps you can take to mitigate the
damage and become more cyber-secure.
Wanting a “quick fix” after a cyber attack is understandable. But every organization’s
cybersecurity needs are different, just as every cyber attack has its own “signature” and
is designed to attack specific vulnerabilities. There’s no such thing as off-the-shelf,
plug-and-play, one-size-fits-all in this game. Cybersecurity is a commitment requiring
new strategies, policies, investments…and crucially, action.
Step 1: Strategic Planning
You wouldn’t build a new facility or expand into a new market without a sound plan in
place. Cybersecurity requires the same due diligence.
The more you understand your organization’s place in the world, the more this becomes
apparent. Directly and indirectly, you interact with customers, suppliers, partners,
employees, distributors…investors, financial institutions, regulatory bodies,
government entities…competitors, industry groups, the media, and more. Security
breaches – malicious or otherwise – can come from any interaction and can cause
irreparable harm to your business.
Let’s review a few basics.
What is a Cybersecurity Plan?
A Cybersecurity Plan is a set of policies, standards, procedures and guidelines.
These identify what your organization’s cybersecurity requirements are, the protective
mechanisms you’ll need, how each should work, and who is responsible for each
function. The cybersecurity plan also provides for continual monitoring and regular
review to determine if your organization is properly defended against new cyber
threats.
Policies describe the “rules of the road” for everyone in your organization to follow:
Who needs to be involved? What needs to be done, and when? Which policies affect
all employees, and which are geared for management or the response team? What is
needed to maintain or restore a secure “status quo”? What happens after security is
restored to prevent another breach?
A very simple example of a policy: “All employees must enter a valid user ID and
password to log in to the company network.”
Standards specify the particulars of each policy – what one must do to fulfill each
requirement. Collectively, standards establish a baseline for employee behavior, i.e.,
what is proper security conduct and what is not.
Following our above example: “Each password must be 8-16 characters long, have at
least one capital letter, one number, and one special character, and cannot contain the
employee’s name or more than two (2) repeat characters in a row.”
Procedures are detailed instructions – precise directions needed to conform to any
policy or standard. Keep them simple enough that a trained professional can follow
them – you do not need to list every mouse click or keyboard entry.
Continuing with our above example:
To enter a new password, at the password screen press ctrl+alt+delete and then click
“Change Password.”
Finally, a guideline is a helpful way to do something (or not to do something).
“Don’t use your name, birthday or the word ‘password’ in your password.”
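As an added illustration (not code from the original article), here is how the example standard and guideline above become a machine-checkable rule set. The length and composition thresholds are the ones the standard states; the assumptions are that "the employee's name" means any part of the name matched case-insensitively, and that the birthday arrives as YYYY-MM-DD.

```python
import re
from typing import List, Tuple

# Constructed enforcement of the example standard and guideline above.
# Added illustration only: the thresholds restate the standard in the text;
# the name and birthday matching rules are assumptions about how it would be read.
MIN_LEN, MAX_LEN = 8, 16
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
TRIPLE_REPEAT = re.compile(r"(.)\1\1")   # any character three or more times in a row


def check_standard(password: str, employee_name: str) -> List[str]:
    """Return every clause of the standard the password violates.

    An empty list means the password is compliant. Standards are gates:
    a non-empty result should block the password change.
    """
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        violations.append("needs at least one capital letter")
    if not any(c.isdigit() for c in password):
        violations.append("needs at least one number")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("needs at least one special character")
    # Assumption: "employee's name" means any whitespace-separated part of the
    # name, matched case-insensitively.
    lowered = password.lower()
    if any(part.lower() in lowered for part in employee_name.split()):
        violations.append("must not contain the employee's name")
    if TRIPLE_REPEAT.search(password):
        violations.append("must not contain more than two repeated characters in a row")
    return violations


def check_guideline(password: str, birthday: str) -> List[str]:
    """Return advisory warnings for the guideline; these do not block the change."""
    warnings = []
    if "password" in password.lower():
        warnings.append("contains the word 'password'")
    # Assumption: birthday is given as YYYY-MM-DD; look for the obvious fragments.
    digits = birthday.replace("-", "")
    year, month, day = digits[:4], digits[4:6], digits[6:8]
    for fragment in (year, month + day, day + month, month + day + year, digits):
        if fragment and fragment in password:
            warnings.append("appears to contain the employee's birthday")
            break
    return warnings


def evaluate(password: str, employee_name: str, birthday: str) -> Tuple[bool, List[str], List[str]]:
    """Apply the standard and the guideline; the boolean reflects the standard only."""
    violations = check_standard(password, employee_name)
    warnings = check_guideline(password, birthday)
    return (not violations, violations, warnings)


if __name__ == "__main__":
    # Constructed sample inputs for a hypothetical employee.
    for pw in ("Tr0ub4dor&3", "Password1990!", "janedoe111!"):
        ok, violations, warnings = evaluate(pw, "Jane Doe", "1990-03-15")
        print(f"{pw!r}: {'accepted' if ok else 'rejected'}", violations, warnings)
```

Note the distinction the code enforces: a failed standard clause blocks the change, while a failed guideline only warns. One caveat for anyone copying the standard itself rather than the structure: current NIST guidance (SP 800-63B) discourages composition rules of this kind in favor of a length minimum, a generous maximum, and screening candidate passwords against lists of known-compromised values.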
Cybersecurity Program Management
As with any top-line business program, you need a means of effectively monitoring your
cybersecurity strategy to ensure it is operating as intended. That’s where
Cybersecurity Program Management comes in:
Component Identification – A cybersecurity plan has many individual components
that vary according to an organization’s size, operations, regulatory obligations,
business objectives, and potential cybersecurity threats. Knowing what you need (and
don’t need) is essential.
Information Architecture – What specific policies, standards, procedures and
guidelines will you need? What should each contain? Who will write them? Whose
input should you get, and whose should you discount? How and when should each be
reviewed and updated?
Testing – You can be sure that cyber criminals will be testing your defenses, so you
need to do it before they do. Stress-testing of your cybersecurity program can
include:
Investigations – A fundamental aspect of any cybersecurity program is limiting and
managing variables. In particular, you need to know the people who come in and out
of your organization’s scope. Investigations may entail:
Monitoring and Reporting – A cybersecurity program is not a “document” or
“policy”; it’s a functioning system operating in real time. As such, it must be continually
monitored to make sure it is performing as designed.
Roles and Responsibilities – Who does what, and when? Who enforces policies and
procedures? Who is allowed to modify those policies and procedures, and under what
circumstances? Who is accountable?
Reviews – Technology changes. Laws and regulations change. Your business and your
customers change. The sophistication of cyber attacks changes. Who initiates the
necessary changes to the cybersecurity plan? Who approves them?
If all this seems overwhelming…
Admittedly, there’s a lot to consider when tackling cybersecurity…which is why,
before you do anything, talk to a qualified cybersecurity expert.
Well, OK…but how can you tell the experts from the not-so-expert? Here’s how: