Intro to Cybersecurity for US & Canadian Businesses
The Baseline for Foundational Security Has Changed
What Business Leaders Need to Know
If every cyberattack that happened in the United States and Canada were in the news headlines each day, there wouldn’t be room for anything else to be covered. We only hear about the really big data breaches that take place, but cyberattacks happen every day, every hour, every minute, to organizations large and small.
Here’s what the headlines would look like if cyberattacks were all reported and published:
- School district refuses to pay ransom to cyber criminals and personal data of students and staff is exposed on the web
- 100+ businesses down for 45 days after cloud provider encrypts all their files
- Employee pays $3,000 out of his own pocket to buy gift cards for hacker
- Manufacturing company spends $250,000 to remediate ransomware attack
- Accounting clerk tricked into sending more than $150,000 to criminal’s bank
You get the idea.
We created this guide to help executives like you understand the need for business cybersecurity, the risks that are associated with running a business today, and what you need to do to effectively manage those risks.
If you’ve been in business for a while, you might think that you’ve learned everything that you need to know about cybersecurity for executives. But in our experience in talking with hundreds of business leaders, we’ve learned that for many, there’s a false sense of security that makes their organizations easy targets for cyber criminals.
We wouldn’t wish a cyberattack on anyone. It’s our sincere desire to help you to avoid becoming a victim by giving you information about cyber risks and how best to manage cybersecurity.
If there’s only one thing you get from the information we’re sharing, please let it be this:
The cybersecurity baseline has moved.
Basic security standards aren’t enough to protect you.
Act now before you become a victim.
How the Cyber Landscape Has Changed
More Targets, More Endpoints, More Accountability
Hackers are Opportunistic
In some ways, the tactics that cyber criminals are using to kidnap, steal, and exploit data and networks are the same ones they’ve been using since predators first started stalking on the internet. These tactics have always been focused on finding opportunities to sneak into networks unnoticed and trying to manipulate and trick people into letting them bypass security measures to gain access.
Cyber Criminal Tactics Have Evolved with Artificial Intelligence
Despite reliance on tried-and-true techniques, cyber criminal tactics have changed in some very important ways. The software tools they’re using have evolved and they’re using the power of Artificial Intelligence (AI) to make their actions more automated and targeted.
Every Business Is a Target
Cyber criminals have increasingly turned their attention to small- and medium-sized businesses. One reason is that lax security has made smaller businesses easy targets. A second reason is that cyber criminals have found they can reach bigger targets through the network connections of small businesses.
Number of Internet of Things (IoT) Devices Has Exploded
The Internet of Things (IoT) has exploded the number of devices connected to a network and the security of these devices is too often unknown (or nonexistent). If they aren’t secured, IoT devices (like AV equipment, security cameras, smart thermometers, etc.) can create gaps in the technical perimeter that you’ve set up around your network, making your firewalls and antivirus inadequate at keeping out all predators.
More Employees Are Working From Home
Because of COVID-19, many companies have more people working remotely, which creates the same kind of security considerations as if you had a multi-location business. Remote employees are connecting to your network through their home networks, and sometimes using their personal devices to do so. Assuring security while working from home means equipping employees with the tools and habits they need to make their home office as safe as your physical office for your data.
Accountability for Data Privacy Is Increasing
Before we talk more about the risks, there’s one more thing that’s changed in the cyber landscape – an increasing obligation toward accountability. Organizations are increasingly accountable to protect the data that they gather and store. Industries like healthcare and financial services have needed to comply with regulations for maintaining confidentiality for quite a long time. Similar regulations are working their way into many other industries as well, which means that companies should expect this accountability for data protection to impact them very soon (if it hasn’t already).
The Business Case for Cybersecurity
What Would Happen to Your Business If You Lost Access to Your Data and Network?
The first step to becoming better at managing cyber risk and security is to consider what’s at stake.
- What assets are you protecting?
- What’s the value of your assets?
- What would be the impact on the organization and its people if these assets were stolen, damaged, or exposed?
Then ask yourself: How much risk am I willing to accept?
Data as a Business Asset
If you made a list of all of the data that you gather and store, you could probably categorize it by importance.
Some data has value because it’s essential for your daily operations. Other files are important because they document your trade secrets and intellectual property. The information that you keep in employee records is valuable to the individuals involved as well as your organization. Some files that you store might already be publicly available like the content that’s published on your website. Do you store any information about your customers? Consider what that data is worth to them.
Where your mind goes when you consider these categories of data could be the first indicator of their importance to you. You have to think of what would happen if you lost access to all this information.
- We’ll be shut down
- We’ll be out of compliance
- Our customers will be upset and may leave
- Our employees will be upset and may leave
- We’ll be sued
- Our reputation will be dirt
- Damage control will be costly
- Our competitors will beat us
Network Connections as a Business Asset
Not only does your data have value but your network connections do too. The big Target cyberattack in 2013 that exposed 41 million accounts happened because the hackers got to the Target network through their HVAC company’s network. This was big news then, but it’s extremely common now and there’s a name for it – island hopping.
Add to that the fact that it can take as long as six months or more for a network intruder to be discovered, and you’ve got a situation where you could be responsible for data breaches that happen not just to you but to your customers and vendors.
Business Impact of a Cyberattack
Just the thought of having to deal with the impact of a cyberattack should be enough to make your heart race and put a rock in the pit of your stomach. Let’s go a step further and challenge you to see if you can quantify the pain that you’ll experience if your network gets breached.
- What if your employees couldn’t access your network for a day? What would that cost?
- What would happen if you lost your biggest customer because they became a victim of a cyberattack through your network? What kind of a hit would that be to your revenue?
- What if the social security numbers of your employees were exposed? How much would it cost to provide them with an identity management solution? How much would it cost to rehire and train the people who leave because they don’t trust you anymore?
- What if you violated confidentiality regulations? Give your best guess as to what penalties and legal fees might cost.
- What if you didn’t get paid by your customers because their payments had been diverted to a cyber criminal’s bank? How big of a cash flow hit can you handle?
- What if your reputation as a trusted supplier and employer was damaged? How much do you think it would cost to hire a professional communications company to do damage control? How many more resources will you have to put toward sales and marketing to attract new customers?
How Much Risk Are You Willing to Accept?
If you have a cyberattack, there will be costs. The question is, are you willing to pay that cost after the fact or would you rather use those same resources on prevention?
If you are one of the 76% of businesses that have had to deal with the fallout of a cyber incident, then you know that even if the dollars are about the same, it’s much better for everyone involved to spend the money on being proactive instead of reactive.
Being proactive about cybersecurity means that you must have a strategy.
Security Includes Everyone And It Starts at the Top
Security isn’t just the IT department’s job. If it were, then all you’d have to do is make sure you have the right firewalls and software tools to make cyberattackers bounce away.
That isn’t realistic.
The best cybersecurity strategy consists of layers that include technical, administrative, and physical tactics, plus cyber insurance.
If you’re in an industry that has compliance regulations, these will play a factor in your security strategy. Compliance is all about being accountable for the safekeeping of information. Just because you’re not in the healthcare or banking industry doesn’t mean that you won’t need to have the same level of accountability for data storage and use.
If you haven’t already experienced it, greater accountability is coming for everyone.
Who Owns the Cybersecurity Strategy
You, or you and your management team, are responsible for your cybersecurity strategy if it’s going to stick. If there isn’t buy-in at the top, then you’re setting your organization up to fail because security will feel like enforcement instead of responsibility.
Additionally, if you’re the one who’s responsible for managing risk, you can’t exclude cyber risk from your list of business risks.
Your goal in owning, creating, and implementing a security strategy isn’t meant to keep everything on your shoulders alone. You need to create a culture of security.
What a Culture of Security Looks Like
While management is responsible for creating cybersecurity and compliance strategy, it’s everyone’s responsibility to implement that strategy within their role. It would be great if you could just tell people that corporate data is valuable and then they’d automatically treat it like the crown jewels, but that’s not realistic.
Helping employees understand the value of their organization’s information starts with teaching people about how information will be accessed, and by whom, with acceptable use policies. How you support those policies with training and enforcement will send a clear message to employees about the respect that your whole organization places on handling information.
Another way to grow a culture of security is to tie in the value of information with the value that the employees see themselves bringing to the organization. When you help people gain a sense of ownership of the impact that their work has on the organization, you can communicate to them that the role they play in handling information is important.
It all comes down to trust. You ultimately have to trust your employees to do the right thing. They have to trust that if they make a mistake or an error in judgement, they can report it without fear of reprimand.
Trust comes from consistency and from clarity about expectations.
Resilience = Goal of Cybersecurity Strategy
If you’ve been thinking about cybersecurity like a project – building walls and barriers – it’s time to change your thinking. Cybersecurity is an ongoing process that needs to be managed. Not only do you have to make sure that the technical walls and barriers don’t crumble, you must think ahead and decide how you’re going to respond when an attack does happen.
When you start thinking about security as a process that includes detection and recovery, a whole different set of questions pops up. Answering these questions proactively will be essential to build your ability to bounce back after a cyberattack.
- What are the most likely threat scenarios that could happen?
- What do we want employees to do if they suspect a cyber intruder or breach?
- What protocols do we want in place to guide our response to a cyberattack?
- How long can we afford to be without our IT systems?
- How are we going to operate if our systems are down?
- Have we prioritized our systems based on their importance to daily operations?
- How will we determine the extent of the damage and which data was compromised?
- What will we do in the event of permanent data loss?
- How are we going to restore our systems so we can get up and running again?
- How are we going to use communications to maintain confidence and uphold our reputation during damage control?
As you go through these questions, it’s clear that you’re going to have unexpected costs to deal with if you have a cyberattack. Cyber insurance can help you handle those costs, and sometimes even provides the expertise needed to navigate a data breach incident.
Enable Resilience with Cyber Liability Insurance
No one can guarantee that you’ll never be the victim of a cyberattack, even if you’re diligently keeping up with security. You need cyber liability insurance in your security strategy to help you deal with the risks that you can’t avoid. Some cyber specialists refer to the day of a cyberattack as a “cold dark day,” and if (or when) one happens to you, you’ll be glad that you have access to the resources that cyber insurance provides.
Don’t assume that your general business policy will cover cyber incidents. It usually won’t because the types of incidents and the fallout are so different from the events that are traditionally covered in a general policy.
What Does Cyber Insurance Cover?
Just like any other insurance, coverage depends on your specific carrier and policy, and the type and amount of data that you gather and store, but here’s what you’ll generally get:
Data Breach Response – Communications to affected organizations and individuals, along with follow-up activities such as identity theft protection and legal fees.
Cyber Extortion – Covers the cost of paying a ransom, as well as expert services to deal with the cyber criminal and bring the event to an end.
Legal Fees and Regulatory Fines – Relief for costs associated with legal proceedings and regulatory fines.
Business Interruption Reimbursement – Relief for loss of income and increased costs of doing business after a cyberattack.
Forensic Support – Covers costs for investigating the extent of the data breach and how the incident happened.
Damages to a Third Party System – Covers costs that arise when your email or IT systems are used by a cyber criminal to gain entry to, or cause damage to, another organization’s IT system.
Application Process and Costs for Cyber Insurance
The information that your cyber insurance application gathers is used to determine your risk level. Your risk level is determined by a variety of factors related to your industry, the size of your business, your history of cyberattacks (if any), and the combination of tactics you’re using in your cybersecurity strategy.
Basically, the more sophisticated your strategy, the less vulnerable you are to cyber threats. Expect to get some help from your IT team when you’re filling out your application because you’ll need to know if you do or do not have the technologies that are listed. When it comes to evaluating your security technologies, outsourcing IT and cybersecurity to professionals will be a plus.
It’s hard to gauge a ballpark premium price. Pricing (like coverage) depends on the amount and type of information you store, and the level at which you manage cyber risks. A small business like a construction contractor may be able to spend less than $4,000 a year on coverage, but a medical research company may have to pay over $200,000 a year.
Your cyber insurance policy and pricing are going to be unique to your organization and your situation. The bottom line is that cyber insurance is just as much a must-have layer of security as the technical, administrative, and physical layers that are detailed here.
Before we get deeper into the tactics that should be a part of your cybersecurity strategy, we need to address cybersecurity compliance. If your organization needs to follow regulatory guidelines for the safekeeping of information, that should be addressed in your cybersecurity strategy.
Accountability for the Confidentiality, Integrity, and Availability of Data
The goal of compliance isn’t that different from the foundational goal of any cybersecurity strategy, which is to control access to information.
What’s different is that accountability for meeting this goal needs to be documented and verified. In other words, compliance doesn’t just mean “keep this data safe.” It means, “Prove how you’re keeping this data safe.”
Certain industries have had compliance requirements for a long time. For example, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Banks and financial institutions have been required to follow Payment Card Industry (PCI) standards since 2006.
Security Standards Pushed Down the Supply Chain
More recently, NIST compliance has become mandatory for companies that contract with the federal government. If the Department of Defense (DOD) is your customer (or your customer’s customer), then you need to follow the Cybersecurity Maturity Model Certification (CMMC).
Increased accountability for companies that gather and store information about consumers is no doubt in the future, led by General Data Protection Regulation (GDPR) in the European Union, and in California with the California Consumer Privacy Act (CCPA) regulation that went into effect in January 2020.
Interpreting Regulations into Security Controls
If you’re not familiar with regulations for network security compliance, then you might imagine that all you have to do is implement a list of security measures and you’re good to go – but it’s not that simple. Most organizations need help interpreting regulations into the security controls that will meet compliance objectives, and then to maintain and manage the security process. It’s typically a specialized skill set.
While this guide doesn’t go into detail about how you should go about achieving compliance with specific regulations, our message that the baseline for foundational security has changed is relevant for you. Keep reading and you’ll be more informed when you have conversations about compliance, especially when it comes to the advanced tools that are included in the Security Controls section.
Threats and Vulnerabilities
Difference Between Threats and Vulnerabilities
Think about a threat as a bad thing that could happen. Cyber threats include ransomware, viruses, phishing, business email compromise, denial of service attacks, botnets, and more. The list of cyber threats is always increasing because the technology that the bad guys use is evolving just as fast as the technology that the good guys use.
Vulnerabilities are potential weak spots that threats can exploit.
Your cybersecurity strategy needs to include multiple layers of controls that are designed to address vulnerabilities so that you can either avoid the threat altogether, or enable detection and response to stop a threat in its tracks if it gets through.
In the following section, we’re going to present threats and vulnerabilities together so that you can start to connect them with the security controls that are used to manage vulnerabilities.
How Cyber Threats Exploit Vulnerabilities
Email Phishing and Spear Phishing
Phishing involves sending out emails that look like they are from a trusted person or organization with the purpose of getting the recipient to click on a link or open an attachment that will install malware. Some phishing schemes ask the recipient to transfer money or give the sender access to other financial resources. The email can appear to come from an organization or from a specific person that you know.
- Minimal email spam filtering
- Inadequate password and identity management
- Employees don’t know how to recognize phishing
- Lack of business policies for verifying financial actions
Malware, Spyware, and Ransomware
Malware is any piece of software that is intended to do harm. Malware is delivered in many ways including clicking links, opening attachments, downloading software, and browsing a compromised website on the internet. There are many kinds of malware, but we want to draw your attention to two types because they are especially prevalent right now.
Ransomware is a type of malware that you’ve probably heard of. In the past, having a good backup was considered insurance against ransomware. The rationale was that you could refuse to pay the ransom and just restore from a backup. Unfortunately, ransomware attackers now threaten to expose your data if the ransom is not paid, rather than simply holding it until you pay.
Spyware is exactly what it sounds like. It’s a program that lets a bad guy see everything that you’re doing on your network. They’re not only looking for account access and your weaknesses, but they’re also observing your email communications so they can impersonate your people in phishing schemes.
- Out-of-date and unpatched software
- Email impersonated from a look-alike domain
- Unmanaged endpoints
- Unrestricted access to the internet
Social Engineering
When people are tricked and manipulated into doing something they wouldn’t otherwise do, that’s social engineering. These ploys often use authority and urgency to coerce a person to provide login credentials, change banking information, purchase gift cards, or click a link or attachment in an email.
A social engineering attempt may come in through a phone call or text, as well as an email or online message. The goal of this irritating tactic is to get a person either to give up information or to take an action that will give the hacker access to their computer or network.
Phone scams can be very targeted, with the bad guy possessing information about the recipient that leads the recipient to believe the caller can be trusted.
- Basic email and spam filters
- Inadequate password and identity management
- Lack of knowledge about social engineering
- Inadequate business processes for verifying certain actions
Endpoints and Mobile Devices
If you have remote workers, you’re a multi-location business. The laptops and PCs that your people connect to your network are all considered endpoints. You probably have more vulnerable endpoints than you realize because anything connected to your network – anything – should be protected. That goes for your heating and cooling system, security cameras, and other IoT devices as much as it does for your computers and tablets.
Smartphones are also connected devices, and they often control your other connected devices. There are some additional factors to consider with phones because they move around with the owner, and they may be owned by the employee and not your company.
- Unsecured network access
- Out-of-date hardware and software
- Easy passwords or no passwords
- Lack of Mobile Device Management (MDM)
Insider Threats and Physical Security
Hopefully, you can trust the people you hire and you’re assured that they wouldn’t do anything on purpose to steal, corrupt, or expose your data. Unfortunately, that’s not always the case.
It's nice to think that none of your employees would betray your trust, but things happen. Whether it’s a bribe from a competitor or the act of a disgruntled employee, you want to be aware of the actions that your people could take to compromise your business information and IT systems.
Don’t forget that cyber criminals don’t just operate online. They can walk through your front door. Maintaining the security of your office space includes limiting access to your server room, locking workstations when not in use, and never leaving post-its or other notes with login credentials where someone could easily find them (e.g., in your desk drawer or stuck to your monitor).
While you might envision intruders sneaking their way into your facility, don’t discount potential threats from people who have a reason to be there – whether they’re visiting or are one of your employees.
- Uncontrolled access to your facility
- Uncontrolled access to servers
- Unhindered access to computers and servers
- Sharing account credentials between multiple people
Security Controls - Cyber Defenses with Layers
Prevent, Detect, and Respond
As you get ready to call it a night, the last thing you do before you head to bed is lock the doors, turn on the electronic alarm system, and give your German shepherd a pat on the head as he snoozes in his bed.
Now imagine that someone wants to break in. They’ll have to find a way to disable your alarm, get through the locked door, and maneuver past Fido in order to gain access to your valuables. These three layers of security act as barriers (locks and the dog), detect an intrusion (alarm and the dog), and attack the intruder (the dog).
An attacker could certainly find ways to circumvent all three of these security layers, but getting in and out for his mission will be more difficult and take longer than if he only had to deal with locked doors.
The concept is similar in a technology environment where the layers of security are designed to detect and thwart attacks before they can do any damage.
Three Types of Security Layers: Technical, Administrative, and Physical
Security controls aren’t just technical. They’re also administrative and physical. Your security strategy needs to include all three.
Technical – How you use hardware and software to deter, detect, and respond to cyber intruders.
Administrative – What your people need to do to deter, recognize, and respond to cyber intruders.
Physical – How the physical environment is set up to promote security.
In our example, the actual doors and windows with their locks and the electronic alarm system would be like technical security controls. The administrative controls would include training people to get into the habit of locking the doors and turning on the alarm system, and teaching them what to do when the alarm or the dog gives an alert.
Let’s go through the list of security controls that you should be using. As you become familiar with the security tactics listed here, you’ll see some crossover because different tactics support and enhance others.
1. Basic Technical Controls
Antivirus, Antimalware, Firewalls, Patching / Updating Software, Network Design
Think of basic technical controls as the method you use to close and lock the doors to your data and IT systems. Keep in mind that older software and hardware don’t have the advanced capabilities that newer technologies include. Your network design should control access to data and minimize damage if/when a hacker does get through your defenses.
2. Advanced Security Tools
Threat Detection and Response, Artificial Intelligence, Email Security
The need for advanced security tools can’t be ignored when it can take more than six months for an intruder to be detected without them. That’s a lot of time for cyber criminals to plan out how they can get the biggest strike.
Advanced security tools use artificial intelligence to learn about your network traffic so that they can recognize activity that is not normal and act when something out of the ordinary occurs, which could be a sign of an intruder.
3. Endpoint Security Protection, Detection, and Response
Agent-Based Software on Connected Devices
Endpoint protection can be considered an advanced security tool, but it’s worth calling it out here because of the increasing number of devices that are connected to your network. Whether it’s your remote workers’ corporate or personal computers, your cloud services, or your smart devices, anything connected to your network is a potential access point for a cyberattack.
Endpoint security protection detects and responds to potential threats.
4. Mobile Device Management
Monitoring Software, Identity Management, Security Policies
Using smartphones makes it easy for employees to be in touch when they’re not in the office, but when you think of smartphones as doors to your network, then it’s scary to think of who could get access to your data if the phone is lost, stolen, or used by an unauthorized person.
Software can be used to control what employees can do on their phones. Teaching people how to use the security features that are available on their phones and providing training on acceptable use will help to instill in the employee their individual responsibility for using their smartphones with safety in mind.
5. Advanced Email Security
Spam Filters, Encryption, Identity Management, Cybersecurity Awareness Training
Phishing continues to be a preferred cyber criminal tactic because it works. The bad guys use tricks to impersonate companies and people whom your people trust to get them to do something that they wouldn’t otherwise do.
If your email software is up to date, you probably already have advanced security tools available but they may not be activated. This could be for many reasons, but it’s usually because your IT team doesn’t know about them or your leadership team has declined to use them due to the potential impact on workflow.
Cybersecurity Awareness Training (discussed below) and Identity Management are essential parts of email security.
6. Identity and Asset Management
Password Management, Multi-Factor Authentication, Biometrics
Identity and Asset Management (IAM) is like the set of keys that allow your people to access their accounts, your network, and your information. Cyber criminals want to get those keys because it’s a lot easier for them to unlock your doors than to figure out a way around or through them.
The biggest problem with identity management is in getting people to take it seriously. Methods like multi-factor authentication (MFA) and biometrics have evolved so that you don’t have to rely on password management and human behavior alone to keep accounts safe. But they still require training. If a user will click on a pop-up to authenticate even when they weren’t the one who initiated it, then the cyber criminals will still be able to get in.
7. Secure Network Access for Remote Workers
Virtual Private Network (VPN)
Securing your remote workers involves many components. A VPN is the tool you need to let employees access your network securely.
A VPN opens a secure path through your firewall that requires any connections to be encrypted and authenticated. It’s essentially a tunnel that prevents outsiders from seeing the traffic that goes in and out of your network.
8. Securing Cloud Applications
Encryption, Data Backup, Identity Management, Email Security
Whether your whole infrastructure is in the cloud, or you have several departments using cloud services, you can’t leave security totally up to the cloud provider.
Before using cloud services, make sure that the service meets your parameters for security and compliance. (Get help with this technical discussion if you need it.) Make sure you back up your cloud data and secure the devices that access your cloud services with Endpoint Protection and Identity Management.
9. Cyber Forensic Tools
Logging and Security Information and Event Management (SIEM) Software
Cyber forensics is what you need after you have a cyberattack so that you can determine the extent of the data breach and prevent the same thing from happening again.
These tools must be in place before the incident takes place.
The ability to track down how an intruder gained access and then determine what damage was caused will be critical when it’s time to make an insurance claim or defend your organization in legal proceedings.
10. Security Policies
Documenting, Training, and Enforcing How to Access Information and Your IT Systems
Think of your security policies as the way you answer your employees’ questions about how they should access your network and data. It starts with “What data do I need to do my job?” and details how that data may or may not be shared.
Your policies set out your expectations for how employees should act in certain situations, like what to do when a vendor needs to access your network. The effectiveness of security policies is directly related to the level of training and enforcement that is present.
11. Cybersecurity Awareness Training
How to Recognize and Respond to Potential Cyberattacks
Although both are directed at employee behavior, cybersecurity awareness training is different from security policies.
Cybersecurity awareness training uses simulations, tests, and interactive instruction to teach employees to recognize potential cyberattacks. Much of this training is focused on social engineering and how it’s used in phishing and spear phishing attacks, because these are favorite cyber criminal tactics.
12. Physical Security
Restricting Access to Facilities and Devices
Whether at the office, out and about, or at home, physical security matters when it comes to keeping prying eyes and sticky fingers off your business data. Part of physical security has to do with limiting access to your facility, but EVERY employee must play their part too. This can be as simple as getting into the habit of locking their screen when they step away from their workstation or not letting a stranger follow them through a secured door (known as tailgating).
Incident Response Plan
Hope for the Best, Plan for the Worst
If you don’t prepare for the day when your organization does have a cyber incident, then your cybersecurity strategy is not complete. An Incident Response Plan (IRP) documents what you want employees to do ahead of time so that they have a path to follow in the heat of the moment.
Your IRP answers questions like:
What do I do if I think I did something that created an entry for a cyberattack? (click a link, open an attachment, respond to an email or phone call, etc.)
What do I do if I suspect we have a cyber intruder?
After the IT team, who should we notify?
Do we notify law enforcement? When?
What do we tell employees?
Who will lead communications?
What’s our plan to restore from backup?
What backup or alternate systems can we put in place to keep operations going until we can be fully restored?
Putting Your Incident Response Plan into Action
Your IT team should have documented procedures for their response to a cyber incident. They’ll need to confirm that an incident has taken place and stop the activity. Preparation for their response includes having all the resources that they might need in one spot – hardware, software, cables, chargers, communication protocols, etc. – so they can pick them up and go.
Preserving the Scene
The investment that you made in logging tools is going to pay off when it’s time to figure out what happened – but you have to balance your need for investigation with your desire to get back up and running.
Restoring a system from backup overwrites the evidence that was on it. Before anything is wiped or rebuilt, have the forensic experts capture disk images, memory where possible, and copies of the relevant logs, and record who handled them and when; then restore. Cyber forensics experts do their postmortem from those copies, so taking them first costs hours, while skipping them can leave you unable to say how the intruder got in or what they took.
One of the biggest impacts of a cyberattack is going to be on your reputation, so you’ll need a communications plan within your Incident Response Plan. Your reputation helps you keep trust with your customers, employees, vendors, and even your local and industry communities. Your skill in getting the right messages to the right people will help maintain your reputation and confidence in your ability to handle the incident.
Contacting Your Cyber Insurance Company
Getting in touch with your cyber insurance carrier should be a step in your communications plan. Many policies require notification within a set time and may require you to use the carrier’s approved response and legal vendors, so check your policy before an incident rather than during one. The carrier should be able to provide guidance on the steps you need to take, even if you’re still in the process of containing the breach.
Testing and Managing Your Cybersecurity Process
If you want to be confident that your organization is doing what it’s supposed to be doing to manage cybersecurity, you need to test your processes from time to time. Ideally, this would be done by a third party. Some industries require third-party verification for compliance.
Whether you do it quarterly, twice a year, or annually, get into the rhythm of performing a risk assessment and security review. Include employee training in your process so that people can learn what they need to do and keep security top of mind.
Your backup and disaster recovery plan should also be tested. A backup that has never been restored is an assumption, not a plan: actually restore a sample of systems and data to a separate location and verify that what comes back matches what went in. Some companies also run simulations with different threat scenarios to more fully train people to respond when there’s a cyberattack.
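As an added example for this guide (not a product or a procedure from the guide’s authors), here is the smallest honest restore drill: back up a directory, restore it somewhere else, and compare every file against a checksum manifest taken at backup time. The sample files are constructed inside a temporary directory so the script runs offline; in practice you would point `create_backup` at real data and keep the manifest with the archive.

```python
"""Restore drill: back up, restore elsewhere, verify byte-for-byte.

Added example for this guide. Uses only the Python standard library and a
temporary directory; the sample files are constructed, not real data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir and return the manifest to keep with it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return sha256_tree(source_dir)


def restore_backup(archive_path, target_dir):
    """Extract the archive into target_dir, refusing entries that escape it."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")  # Python 3.12+ safe filter
        except TypeError:  # older Python without extraction filters
            tar.extractall(target_dir)


def compare_manifests(expected, actual):
    """Return a list of problems; an empty list means the restore matched."""
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def verify_restore(manifest, restored_dir):
    return compare_manifests(manifest, sha256_tree(restored_dir))


def run_restore_drill():
    """Full drill on constructed sample data; returns the list of problems."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-03-04,150000\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(src, archive)

        restored = Path(tmp) / "restored"
        restore_backup(archive, restored)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    issues = run_restore_drill()
    print("restore drill PASSED" if not issues else "restore drill FAILED: " + "; ".join(issues))
```

The drill answers the question the Incident Response Plan asks (“What’s our plan to restore from backup?”) with evidence rather than hope: the manifest is taken from the live data at backup time, so a silently truncated archive, a file that changed in transit, or a restore that lands in the wrong folder shows up as a named problem instead of being discovered on the day of the incident.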
Communicating Cybersecurity Accountability to Customers and Vendors
As cyber risks persist and continue to threaten organizations of all sizes, there is a growing demand for organizations to be accountable for keeping data safe. We already see this in regulated industries like healthcare and banking.
As mentioned, companies that are government contractors and subcontractors must now follow the Cybersecurity Maturity Model Certification (CMMC) and/or NIST cybersecurity standards. These standards don’t just address cybersecurity controls. They give organizations common language to use when communicating expectations.
Accountability for cybersecurity is also important if you want to get the best rates on cybersecurity insurance, provide evidence that you took all necessary precautions when it comes time to file a claim, or build your defense in legal proceedings.
Having a detailed cybersecurity plan may be all the documentation that you need to verify your level of cybersecurity. If you want to go up a level, the NIST Cybersecurity Framework (CSF) can be used by any organization to demonstrate your level of cybersecurity readiness.
Working with a Managed Security Services Provider (MSSP)
If you’re relying on your in-house IT team to take care of everything that’s involved with support and security, you could be sacrificing some goals for others. There’s an inherent conflict between IT management and IT security. IT management focuses on ease of access, productivity, data integrity, etc. IT security focuses on layers to keep the bad guys out. A lot of times, those layers get in the way of efficiency. You need to take a high-level look at both areas to get the right blend.
Additionally, cybersecurity expertise cannot be achieved part-time. You really should think about what your cybersecurity department should look like because there are different roles that you need to fill to make sure that all the technical, administrative, and physical components of your security plan are working together to effectively manage risks.
Managed Security Services Providers (MSSPs) are a good option to pull in cybersecurity expertise and guidance without increasing your payroll. In addition to collaborating with you to create and implement a cybersecurity plan that’s appropriate for your level of risk, they can interpret compliance requirements and bring ideas for how you can develop a culture of security at your organization.
Achieving the Goal of Resilience
When you think about it, the ultimate goal of cybersecurity is survival.
Surviving so that you can do business another day is much easier when you can proactively meet the challenges that come your way. Whether it’s activating your response plan when an incident happens or preventing intrusions in the first place, investment on the front end is a much more elegant use of resources and a lot less painful for everyone involved.
Uncover Your Security Gaps
It’s your job to be informed about the risks that your business faces so that you can make good decisions about how to allocate resources for their management. Thinking about cybersecurity, however, can be overwhelming. It might seem like you need to be an IT expert in order to put together the pieces of an effective defense.
Get a Cybersecurity and Risk Assessment
Knowing where you need to go with cyber security is much easier when you have a clear picture of where you are right now. A cybersecurity and risk assessment gives you new understanding about your vulnerability, provides recommendations for improvement, and helps you close the gaps that are exposing your business to unnecessary risk.