Cybersecurity is on everyone’s mind and in everyone’s Twitter feed. Every week, we see troublesome news stories about the latest vulnerability, malicious hack, or data breach. Companies are looking to their CIO, with the expectation that we will protect their assets, unlike those “other” victims, who have lost millions and scarred their reputations. While larger organizations may have a team of expert security analysts and sophisticated tools, smaller firms have very few internal security resources. It’s tempting to jump on every new “silver bullet” security product, in an effort to outwit the latest threat actors, but is this your best strategy?
Let’s assume that you are already doing the basics. You already are backing up your data, patching software, running antivirus, and enforcing strong passwords. You already have an enterprise-grade firewall, a basic Intrusion Protection system, require employee awareness training, and hire an auditor for the requisite annual penetration test. How do you move up to the next level of risk reduction? How can you improve your level of Cyber Security maturity? With limited resources, where should you focus your energy?
"The best cyber insurance carriers can help you build, communicate, and test your plan, so that you all can be prepared for execution if necessary"
The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) provides a vocabulary and a framework for classifying computer security risks. It is a great starting point, it’s widely accepted, and it’s free, but it can be a bit overwhelming. For all its strengths, NIST CSF currently lacks practical, actionable recommendations to reduce your risk. Having worked extensively with the NIST Framework, including its five functions, 22 categories, and 96 standards, I’ve extracted eight improvements–high-value/low-effort actions you can take now to improve your organization’s cyber security risk profile. If you haven’t already implemented these, today is the day to start.
1. Assign Security Roles and Responsibilities. Clearly define cybersecurity roles and responsibilities, assigning them to capable people. Gain Senior Management approval to develop and implement policies to ensure understanding and compliance for all employees and contractors.
2. Identify and Document Asset Vulnerabilities. Based on a documented inventory of current hardware, software, and data assets, identifies which are at risk due to age, value to outside parties, frequency of problems, and lack of protections. Do not hide vulnerabilities.
3. Determine Organizational Risk Tolerance. Meet with Senior Management quarterly to describe current risks, limits of protection technologies, company’s risk tolerance, and efforts to reduce risks to key assets. Push for improvements to mitigate high-risk exposures.
4. Manage End-user Identities and Access Credentials. Work with Human Resources to create, document, and follow a standard process for adding, modifying, and removing user credentials. Employ a policy of “least privilege,” where employees only have enough access to perform their current job function, and lose unnecessary access as their roles change.
5. Manage Privileged Users. Identify and document all who have administrator access to systems. Trim that list to be as small as possible. Administrators should have one user ID to perform admin functions and another for their non-admin functions. Admin user IDs should identify the administrator’s name (e.g. Admin Bob), so that activity can be tracked back to the individual.
6. Create a Culture of Security Awareness. Security training should be a part of employee on boarding, annual employee HR compliance refresher training, and should be a frequent topic of employee communications. Raise awareness of the impact of cyber threats on your company’s profitability and possible existence. Describe how employee actions are the most common entry point for security problems. Highlight the exposure to each employee’s personal and financial life. Include security topics in a monthly IT newsletter, at all company meetings, in frequent Intranet reminders. Send broadcast communications to all when there is an emerging public threat, or an actual company security incident in progress.
7. Maintain an Incident Response and Business Continuity Plan. Based on your documented cybersecurity strategy, ensure that your plan defines your process for detecting a security incident, responding to it decisively, and recovering from it quickly to minimize your loss. Include IT, Senior Management, Finance, and Operations in quarterly rehearsals. The best cyber insurance carriers can help you build, communicate, and test your plan, so that you all can be prepared for execution if necessary.
8. Monitor Computing Environment to Detect Potential Cybersecurity Events. Implement an activity monitoring and logging process that alerts security personnel when employees or processes are behaving outside of expected parameters. This requires both a technical solution and a person to respond to the alerts.
Senior Management is being bombarded with anecdotal information about daily cyber incidents, but does not have solid information about the relevance to their business or appropriate risk reduction strategies. Our companies are looking to us as the experts. We need to do more than hope and pray that we don’t become the next victims. We need to take the above recommendations seriously, as our careers and our company’s livelihood is on the line.