There’s a monumental cybersecurity shift happening in organizations across the country. Every day, companies are transforming their operations, adopting new technologies and pushing the boundaries of what’s possible with technology to keep up in a highly competitive digital landscape.
And with that change comes risk.
There’s danger involved in dealing with data and peril in opening systems to the world. Access is risky too and everyday seems to bring more news of some kind of cyberattack. Implementing a cybersecurity program in your organization is an important first step in not only staying competitive but also combating cybersecurity threats, securing your organization’s data, and protecting profits.
According to the 2020 IDG Security Priorities Study, 49% of participants indicated that improving the protection of confidential and sensitive data was their top priority. While it’s encouraging to see organizations put security at the forefront, it’s vital that these efforts are not wasted.
So how can you ensure the program you are developing is effective? Let’s consider five tips and their related activities you can use to strengthen your cybersecurity program and improve its effectiveness.
Performing an initial assessment of the current state of your cybersecurity program will help guide your gap remediation activities and inform your baseline. Your initial assessment should take a look at your programmatic, or policy and documentation endeavors, as well the technical practices you currently have in place.
If your organization has never created a comprehensive cybersecurity program plan, it can be beneficial to partner with an experienced cybersecurity firm to perform an initial assessment and make recommendations based on the findings.
Whether you perform the assessment yourself or you hire an experienced third-party assessor, be sure you’re asking the right questions, interviewing the correct personnel, and reviewing the relevant documents in order to gain a good understanding of your security strengths and weaknesses.
A cybersecurity baseline is a set of minimum security controls for your organization. The baseline you implement for your organization should reflect your business goals, your compliance requirements, and your accepted risk.
Your cybersecurity baseline should consider what assets you have identified as critical. These assets may be proprietary data, protected client information, critical business systems, or other assets that would cause significant impact to your organization if they were compromised or disrupted. The baseline controls should protect those assets and any connected pathways leading to those critical components.
When establishing baseline controls, it is also important to identify the roles specifically responsible for various portions of your cybersecurity program. Generally, the Chief Information Security Officer (CISO) is responsible for the cybersecurity program. Depending on the size of your organization, you may have different roles overseeing different portions, or a handful of roles splitting up the duties.
No matter how you assign responsibilities within your organization, ensure that your employees are properly trained and supported as they implement the baseline controls.
Most compliance standards that organizations deal with today have guidelines about what information should be documented and how those documents should be maintained. Frameworks such as NIST require auditors to examine documentation, conduct interviews, and test controls.
If your organization is not subject to such a compliance standard or is not using a standard industry framework, it is still important to document. Stanford University researchers and cybersecurity firm Tessian reported that 88% of all data breaches are a result of human error. Documenting your policies and procedures can help improve organizational security awareness, demonstrate organizational accountability, and reduce cost and risks associated with new employee onboarding.
The documents your organization can most benefit from will depend on your industry, your business goals, and the type of data you handle. Some common and impactful documents to develop and maintain include:
- Acceptable Use Policy
- Interconnection Agreements
- Disaster Recovery Plan
- Internet Usage Policy
- Secure Password Policy
- Remote Access Policy
- Asset Configuration Documentation
- Asset Inventory
- Network Diagrams
- Incident Logs
Proper documentation can provide internal and external auditors with important information about your security posture. It can also provide your teams with a clear reference for what policies are in place, what procedures have worked or failed in the past, what training is required of them, and what assets are available to them.
The cybersecurity landscape is constantly evolving as new technologies and methodologies develop. An effective cybersecurity program strives for continuous improvement to combat the new challenges they face.
Continuous improvement has tremendous benefits for your organization’s security, but it does require a commitment of support from management and decision makers. Here are some of the key continuous improvement activities that can benefit your organization.
Security training is becoming readily available as cybersecurity efforts are more widely recognized and supported. Training sessions are available as remote courses, hands-on classes, talks, seminars, conferences, and more, and cover a wide range of topics. Some describe how to configure and use security tools, how to combat common attacks, and how to write effective policies and procedures, while others may provide hands-on practice in simulated environments. The type of training you make available to your security team can depend on your organizational maturity, budget, goals, and data.
It shouldn’t be a surprise that implementing a cybersecurity program has some upfront costs, but organizations often drastically reduce the security budget once the program is up and running. When considering how to allocate your funds, remember that the rapidly changing technology landscape means your team may need ongoing training, additional tools, external audits, compliance certifications, or extra personnel, even in a mature program. Those costs may seem well worth it when you consider the $3.86 million dollar worldwide average cost of a data breach, or the $8.64 million dollar cost for US-based companies.
All the hard work you and your team put into your cybersecurity program can mean nothing if the processes are not repeatable. When an employee leaves the organization, takes time off, is promoted or transferred away from the site, or is otherwise separated from the security team, other employees should be poised to step into the role and carry on their tasks. If a repeatable process has not been developed, your team could lose valuable time recreating the tasks previously performed. Additionally, when ad hoc methods are employed the organization is often operating from a reactive position where a breach has already occurred. Developing a repeatable process helps the organization stay proactive, or to shift left of bang.
Regular audits of your program can go a long way in ensuring that your program is efficient and effective. Audit frequency can depend on your organization and framework, or may be specified by compliance standards.
To get the most comprehensive picture of your program’s effectiveness, take a holistic look at both your policies and your technical implementations. Don’t just take the policies at face value; interview your personnel to ensure daily activities match up with what your policies and approved procedures stipulate. Make note of any deviations so you can identify the cause and find a solution that fits your security goals as well as the flow of your daily operations.
The Verizon 2021 Data Breach Investigations Report (DBIR) found that of the small businesses who experienced breaches, 57% faced external threat actors and 44% faced internal threat actors. When testing your technical control implementations, it’s important to simulate both types of potential threats. Ensure your internal controls can protect your critical assets from accidental or intentional compromise.
You may choose to have your own security team audit your program, or you may opt for a trusted cybersecurity partner to take the lead. Either way, document the findings and any remediation strategies that can guide your program to a more secure posture.
When we think of cybersecurity responsibilities within an organization, we often think of the security team, the SOC, or the IT department. Realistically however, effective security programs are an organizational effort with support across departments.
Who you involve in your efforts may depend on the size and structure of your organization, but common examples of interdepartmental contributions include:
Legal teams can offer support by reviewing cybersecurity policies, interconnection agreements, and can, in some cases, offer insight into compliance requirements.
HR and security teams can coordinate on secure employee onboarding and termination procedures, policy enforcement, and cybersecurity training efforts.
This collaboration can help reduce insider threats, improve security awareness, and ensure policy compliance. Human resources employees are also a common target for phishing and information gathering efforts from malicious actors, so a close relationship with the security team can lead to quick identification and thwarting such attempts.
Most cybersecurity consulting services know that physical access is king, and even the most secure network cannot protect data from unauthorized access on the physical level. A well trained physical security team can help identify and address malicious actors attempting to tailgate, impersonate, or otherwise bypass security measures in order to gain physical access to your data and systems.
Senior management’s attitude about security and the need to support security efforts can have a strong influence on the overall effectiveness of a cybersecurity program. When senior management budgets for continual training and effective tools, acknowledges legitimate concerns, and generally supports the security team, the program has a higher chance of success.
Senior management is also at a high risk for spear phishing attacks from malicious actors. They should abide by the same security policies as other employees, and report any suspicious emails, phone calls, or texts.
All other departments: Every department can contribute to cybersecurity efforts. Employees across the organization should be familiar with the policies in place for securing the sensitive systems and data they utilize, reporting procedures for communicating suspicious activity, and training activities to improve their cybersecurity awareness.
Establishing a cybersecurity program takes hard work and organizational support. While there is no one size fits all solution, the tips discussed in this article can help you build and maintain a robust, holistic, and effective cybersecurity program.
This post originally appeared on our blog and was written by Jeremy Dodson, CISO at NextLink Labs. Jeremy writes about cybersecurity and cybersecurity consulting services for NextLink Labs.