In over a decade of watching cybersecurity threats evolve and organizations respond, it strikes me that every organization has to start from the basics and is challenged to retain that core focus, no matter how expansive its security program gets. That’s why this first post in a series exploring the fundamentals of security preparedness will focus on the basics. Let’s discuss practical steps that turn cybersecurity preparedness into more than just a risk-avoidance cost center.
If you’ve avoided implementing a holistic cybersecurity program or if you think you’ve got the basics and are ready for the next step but would like to confirm that you’re on the right track, this post is for you.
Who Should Implement a Cybersecurity Program?
Everyone – even if your company wasn’t “born in the cloud.” All companies are now cloud companies. Internet connectivity comes with inherent risks that can be managed but never eliminated. Security is diametrically opposed to ease of use, and modern commerce demands that you provide customers with the easiest means of purchasing and using goods and services.
What Are the Basics?
Privacy. If you are storing, using, or gathering any information that can be used to identify an individual (and you probably are, even if it’s not your core business model), you’ve got a lot to deal with! While compliance with international privacy laws like the GDPR gets a lot of coverage, be sure you cover the basics.
Start by figuring out what information you’ll be gathering, where it will come from, where it will be stored, where it will go, how it will be used, and why. Poorly written privacy policies don’t just get you in legal trouble; they frustrate and irritate customers. Properly documented privacy practices, on the other hand, save you money and become a competitive advantage.
Governance/Compliance. Sure, compliance can seem costly and dry, but if you’ve got great security practices and don’t have them documented, you can’t tout them to your customers, use them as a shield against regulators, or make sure they are being followed as your company grows. Customers care about security. Governance is a way to demonstrate that your organization is serious about it.
Develop and document your security practices. Don’t worry about getting overly granular at first, but consider an ISO standard or SIG-Lite so that you set yourself up to be audited by a third party later as you grow. Prepare your governance so it will readily align to other audit standards (NIST, HIPAA, FISMA, etc.); by addressing overlapping requirements the first time, you avoid sinking funds into repeating this exercise.
Be sure that your practices are written with your operational teams, not in spite of them: hypothetical best practices that are documented but not followed are downright dangerous. Are your practices simple but correct? Document those. Don’t invent standards you don’t currently meet. Strive for better practices, but don’t commit your organization to practices you can’t readily adopt.
Security. Even if it’s not your core focus, security is a critical part of your business. You can maintain a robust security infrastructure while limiting your costs.
Use vendors for whom security is a key service; don’t do it yourself and become a security company on the side. Advanced security solutions (like high-end IPS/IDS and DDoS mitigation hardware) are only reasonably priced at an economy-of-scale level. Many vendors do security all day long and benefit from seeing security issues across a variety of platforms, not just yours. Use them.
Decide how you are going to handle BYOD right now. Insider threats, whether accidental or intentional, are still one of the greatest security risks. If you are going to allow BYOD, how are you going to create a barrier between employee personal devices and your critical systems? How will you prevent customer data from being stored unencrypted on an employee laptop? Will your customers trust that your BYOD policies are sufficient?
Incident Response. What will you do when you experience a compromise or data breach? Are you prepared to face down an Advanced Persistent Threat like a nation-state-backed squad of professional hackers? Maybe not, but you need to be prepared to marshal the resources who can while continuing to run your business.
Response is the most critical aspect of cybersecurity preparedness. You won’t know exactly what you are dealing with for at least the first 48 hours. Quickly gaining a meaningful field of view into an incident, evaluating impact, complying with obligations to notify, and repairing and re-securing your systems is essential – but also incredibly distracting to your ordinary business operations.
Build a clear response plan: identify a core team who will be part of any response, and the team members who will be added to the incident as needed. Have an incident response template to help guide you. Practice a tabletop data breach scenario relevant to your business. While you can rarely prepare for an event with specificity, you can’t afford to waste time assembling a response team once one is under way.
What if I Already Have Those Covered?
These are just some of the fundamentals. Build detail and resiliency into your organization to help ensure you have a more granular understanding of your systems and data, and that your organization can sustain a response while continuing business operations. If you have identified a response team, prepare a backup team to eliminate single points of failure in your personnel. Personnel silos are one of the most common risks. Do you have a common set of practices any employee can follow?
Where Do I Start If I Don’t?
Start with response. It is the backstop to failures in any of the other areas, and it will help you build a collaborative team that can address the other organizational challenges in a way that brings value to the company.