<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=573132769549581&amp;ev=PageView&amp;noscript=1">

EXECUTIVE GUIDE TO CYBER SECURITY

The Baseline for Foundational Security Has Changed
What Business Leaders Need to Know

Cyber security Asset 2

If every cyber attack that happened in the United States were in the news headlines each day, there wouldn’t be room for anything else to be covered. We only hear of the really big data breaches that take place, but cyber attacks happen every day, every hour, every minute, to organizations large and small.

Here’s what the headlines would look like if cyber attacks were all reported and published:

  • School District refuses to pay ransom to cyber criminals and personal data of students and staff is exposed on the web
  • 100+ businesses down for 45 days after cloud provider encrypts all their files
  • Employee pays $3,000 out of his own pocket to buy gift cards for hacker
  • Manufacturing company spends $250,000 to remediate ransomware attack
  • Accounting clerk tricked into sending more than $150,000 to criminal’s bank

You get the idea.

We created this guide to help executives like you understand the need for business cyber security, the risks that are associated with running a business in 2021, and what you need to do to effectively manage those risks.

If you’ve been in business for a while, you might think that you’ve learned everything that you need to know about cyber security for executives. But in our experience in talking with hundreds of business leaders, we’ve learned that for many, there’s a false sense of security that makes their organizations easy targets for cyber criminals.

We wouldn’t wish a cyber attack on anyone and it’s our sincere desire to help you to avoid becoming a victim simply because you didn’t have enough information about cyber risks and how to best manage cyber security.

If there’s only one thing you get from the information we’re sharing, please let it be this –

The cyber security baseline has moved.
Basic security standards aren’t enough to protect you.
Act now before you become a victim.

1. How the Cyber Landscape
Has Changed

More Targets, More Endpoints,
More Accountability

Asset 5

Hackers are Opportunistic

In some ways, the tactics that cyber criminals are using to kidnap, steal and exploit data and networks are the same ones they’ve been using since predators first started stalking on the internet. These tactics have always been focused finding opportunities to sneak into networks unnoticed, and on trying to manipulate and trick people into letting them bypass security measures to gain access.

Asset 4

Cyber Criminal Tactics Have Evolved with Artificial Intelligence

Despite reliance on tried-and-true techniques, cyber criminal tactics have changed in some very important ways. The software tools they’re using have evolved and they’re using the power of Artificial Intelligence (AI) to make their actions more automated and targeted.

Asset 3

 

Every Business is a Target

Cyber criminals have increasingly turned their attention to small and medium sized businesses. One reason for this is because lax security has made smaller businesses easy targets. A second reason is because they’ve found that they can get access to bigger targets through the network connections of small businesses.

Asset 6

 

Number of Internet of Things (IoT) Has Exploded

The Internet of Things (IoT), has exploded the number of devices connected to a network and the security of these devices is too often unknown (or nonexistent). If they aren’t secured, IoT devices (like AV equipment, security cameras, smart thermometers, etc.) can create gaps in the technical perimeter that you’ve set up around your network, making your firewalls and antivirus inadequate at keeping out all predators.

Asset 8

More Employees Are Working From Home

Because of COVID-19, many companies have more people working remotely, which creates the same kind of security considerations as if you had a multi-location business. Remote employees are connecting to your network through their home networks, and sometimes using their personal devices to do so. Assuring security while working from home means equipping employees with the tools and habits they need to make their home office as safe as your physical office for your data.

Asset 7

Accountability for Data Privacy is Increasing

Before we talk more about the risks, there’s one more thing that’s changed in the cyber landscape – there’s an increasing obligation toward accountability. Organizations are increasingly accountable to protect the data that they gather and store. Industries like healthcare and financial services have needed to comply with regulations for maintaining confidentiality for quite a long time. Similar regulations are working their way into many other industries as well, which means that companies should expect this accountability for data protection to impact them very soon (if it hasn’t already).

 

Asset 9

2. The Business Case for
Cyber Security

What Would Happen to Your Business If You Lost Access to Your Data and Network?

The first step to becoming better at managing cyber risk and security, is to consider what’s at stake.

  • What assets are you protecting?
  • What’s the value of your assets?
  • What would be the impact on the organization and its people if these assets were stolen, damaged or exposed?

Then ask yourself: 

How much risk am I willing to accept?

Data as a Business Asset

If you made a list of all of the data that you gather and store, you could probably categorize it by importance.

Some data has value because it’s essential for your daily operations. Other files are important because they document your trade secrets and intellectual property. The information that you keep in employee records is valuable to the individuals involved as well as your organization. Some files that you store might already be publicly available like the content that’s published on your website. Do you store any information on your customers? Consider what that data is worth to them.

Where your mind goes when you consider these categories of data could be the first indicator of their importance to you. You have to think of what would happen if you lost access to all of this information.

  • We’ll be shut down
  • We’ll be out of compliance
  • Our customers will be upset and may leave
  • Our employees will be upset and may leave
  • We’ll be sued
  • Our reputation will be dirt
  • Damage control will be costly
  • Our competitors will beat us

 

Network Connections as a Business Asset

Not only does your data have value, but your network connections do too. The big Target cyber attack in 2013 that exposed 41 million accounts happened because the hackers got to the Target network through their HVAC company’s network. This was big news then, but it’s extremely common now and there’s a name for it – Island Hopping.

Add to that the fact that it can take as long as six months or more for a network intruder to be discovered, and you’ve got a situation where you could be responsible for data breaches that happen not just to you, but to your customers and vendors.

 

Business Impact of a Cyber Attack

Just the thought of having to deal with the impact of a cyber attack should be enough to make your heart race and put a rock in the pit of your stomach. Let’s go a step further and challenge you to see if you can quantify the pain that you’ll experience if your network gets breached.

  • What if your employees couldn’t access your network for a day? What would that cost?
  • What would happen if you lost your biggest customer because they became a victim of a cyber attack through your network? What kind of a hit would that be to your revenue?
  • What if the social security numbers of your employees were exposed? How much would it cost to provide them with an Identity Management solution? How much would it cost to rehire and train the people who leave because they don’t trust you anymore?
  • What if you violated confidentiality regulations? Give your best guess as to what penalties and legal fees might cost.
  • What if you didn’t get paid by your customers because their payments had been diverted to a cyber criminal’s bank? How big of a cash flow hit can you handle?
  • What if your reputation as a trusted supplier and employer was damaged? How much do you think it would cost to hire a professional communications company to do damage control? How much more resources will you have to put towards Sales and Marketing to attract new customers?

 

How Much Risk Are You Willing to Accept?

If you have a cyber attack, there will be costs. The question is, are you willing to pay that cost after the fact or would you rather use those same resources on prevention?

If you are one of 76% of businesses that has had to deal with the fallout of a cyber incident, then you know that even if the dollars are about the same, it’s much better for everyone involved if you spend the money on being proactive instead of reactive.

Being proactive about cyber security means that you must have a strategy.

Asset 10

3. Cyber Security Strategy

Security Includes Everyone
And It Starts at the Top

Security isn’t just the IT department’s job. If it were, then all you’d have to do is to make sure you have the right firewalls and software tools to make cyber attackers bounce away.

That isn’t realistic.

 

The best cyber security strategy consists of layers that include technical, administrative and physical tactics.

If you’re in an industry that has compliance regulations, these will play a factor in your security strategy. Compliance is all about being accountable for the safekeeping of information, and just because you’re not in the healthcare or banking industry doesn’t mean that you won’t need to have the same level of accountability for data storage and use.

If you haven’t already experienced it, greater accountability is coming for everyone.

Asset 13

 

Who Owns the Cyber Security Strategy

You, or you and your management team, are responsible for your cyber security strategy if it’s going to stick. If there isn’t buy-in at the top, then you’re setting your organization up to fail because security will feel like enforcement instead of responsibility.

Additionally, if you’re the one who’s responsible for managing risk, you can't exclude cyber risk in your list of business risks.

Your goal in owning, creating, and implementing a security strategy isn’t meant to keep everything on your shoulders alone. You need to create a culture of security.

Asset 11

 

What a Culture of Security Looks Like

While management is responsible for creating cyber security and compliance strategy, it’s everyone’s responsibility to implement that strategy within their role. It would be great if you could just tell people that corporate data is valuable and then they’d automatically treat it like the crown jewels, but that’s not realistic.

Helping employees understand the value of their organization’s information starts with teaching people about how information will be accessed and by whom with acceptable use policies. How you support those policies with training and enforcement will send a clear message to employees about the respect that your whole organization places on handling information.

Another way to grow a culture of security is to tie in the value of information with the value that the employees see themselves bringing to the organization. When you help people gain a sense of ownership of the impact that their work has on the organization, you can communicate to them that the role they play in handling information is important.

It all comes down to trust. You ultimately have to trust your employees to do the right thing. They have to trust that if they make a mistake or have an error in judgement that they can report it without fear of reprimand.

Trust comes from consistency and in clarity about expectations.

Asset 12

 

Resilience = Goal of Cyber Security Strategy

If you’ve been thinking about cyber security like a project – building walls and barriers – it’s time to change your thinking. Cyber security is an ongoing process that needs to be managed. Not only do you have to make sure that the technical walls and barriers don’t crumble, you must think ahead and decide how you’re going to respond when at attack does happen.

When you start thinking about security as a process that includes detection and recovery, a whole different set of questions pops up. Answering these questions proactively will be essential to build your ability to bounce back after a cyber attack.

  • What are the most likely threat scenarios that could happen?
  • What do we want employees to do if they suspect a cyber intruder or breach?
  • What protocols do we want in place to guide our response to a cyber attack?
  • How long can we afford to be without our IT systems?
  • How are we going to operate if our systems are down?
  • Have we prioritized our systems based on their importance to daily operations?
  • How will we determine the extent of the damage and which data was compromised?
  • What will we do in the event of permanent data loss?
  • How are we going to restore our systems so we can get up and running again?
  •  How are we going to use communications to maintain confidence and uphold our reputation during damage control?

Before we get into the tactics that should be a part of your cyber security strategy, we need to address cyber security compliance. If your organization needs to follow regulatory guidelines for the safekeeping of information, that should be addressed in your cyber security strategy.

Asset 14

4. Cyber Security
Compliance

Accountability for the Confidentiality, Integrity and Availability of Data

The goal of compliance isn’t that different from the foundational goal of any cyber security strategy, which is to control access to information.

What’s different is that accountability for meeting this goal needs to be documented and verified. In other words, compliance doesn’t just mean “keep this data safe”, it means “prove how you’re keeping this data safe”.

Certain industries have had compliance requirements for a long time. For example, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Banks and financial institutions have been required to follow Payment Card Industry (PCI) standards since 2006.

Security Standards Pushed Down the Supply Chain

More recently, NIST compliance has become mandatory for companies who contract with the federal government. If the Department of Defense (DOD) is your customer (or your customer’s customer), then you need to follow the Cybersecurity Maturity Model Certification (CMMC).

Increased accountability for companies that gather and store information about consumers is no doubt in the future, led by General Data Protection Regulation (GDPR) in the European Union, and in California with the California Consumer Privacy Act (CCPA) regulation that went into effect in January 2020.

 

Interpreting Regulations into Security Controls

If you’re not familiar with regulations for network security compliance, then you might imagine that all you have to do is to implement a list of security measures and you’re good to go – but it’s not that simple. Most organizations need help interpreting regulations into the security controls that will meet compliance objectives, and then to maintain and manage the security process. It’s typically a specialized skill set.

While this guide doesn’t go into detail about how you should go about achieving compliance with specific regulations, our message that the baseline for foundational security has changed is relevant for you. Keep reading and you’ll be more informed when you have conversations about compliance, especially when it comes to the advanced tools that are included in the Security Controls section.

5. Threats and Vulnerabilities

Difference Between Threats and Vulnerabilities

Think about a threat as a bad thing that could happen. Cyber threats include ransomware, viruses, phishing and business email compromise, denial of service attacks, bot nets and more. The list of cyber threats is always increasing because the technology that the bad guys use is evolving just as fast as the technology that the good guys use.

Vulnerabilities are potential weak spots that threats can exploit.

Your cyber security strategy needs to include multiple layers of controls that are designed to address vulnerabilities so that you can either avoid the threat altogether, or enable detection and response to stop a threat in its tracks if it gets through.

In the following section, we’re going to present threats and vulnerabilities together so that you can start to connect them with the security controls that are used to manage vulnerabilities.

How Cyber Threats Exploit Vulnerabilities

Email Phishing and Spear Phishing

 

Asset 16

 

Phishing involves sending out emails that look like they are from a trusted person or organization with the purpose of getting the recipient to click on a link or open an attachment that will unload malware. Some phishing schemes ask the recipient to transfer money or give the sender access to other financial resources. The source of the email can appear to be from an organization or a specific person that you know.

VULNERABILITIES:

  • Minimal email spam filtering
  • Inadequate password and identity management
  • Employees don’t know how to recognize phishing
  • Lack of business policies for verifying financial actions

Malware, Spyware, and Ransomware

 

Asset 15

 

Malware is any piece of software that is intended to do harm. Malware is delivered in many ways including clicking links, opening attachments, downloading software and just by browsing a compromised website on the internet. There are many kinds of malware, but we want to draw your attention to two types because they are especially prevalent right now.

Ransomware is a type of malware that you’ve probably heard of. In the past, having a good backup was considered insurance against ransomware. The rationale was that you could refuse to pay the ransom and just restore from a backup. Unfortunately, ransomware heists are now threatening to expose data if a ransom is not paid, instead of holding it until you pay.

Spyware is exactly what it sounds like. It’s a program that lets a bad guy see everything that you’re doing on your network. They’re not only looking for account access and your weaknesses, they’re observing your email communications so they can impersonate your people in phishing schemes.

VULNERABILITIES:

  • Out-of-date and unpatched software
  • Email impersonated from a look-alike domain
  • Unmanaged endpoints
  • Unrestricted access to the internet

Social Engineering

 

Asset 20

 

When people are tricked and manipulated into doing an action they wouldn’t otherwise do, that’s social engineering. These ploys often use authority and urgency to coerce a person to provide login credentials, change banking information, purchase gift cards, or just click a link or attachment in an email.

The entry way for a social engineering trick may come in through a phone call or text, as well as an email or online message. The goal of this irritating tactic is to get a person to either give up information or to persuade the person on the line into taking an action that will give the hacker access to their computer or network.

Phone scams can be very targeted with their attack, with the bad guy possessing information about the recipient that leads them to believe that they can be trusted.

VULNERABILITIES:

  • Basic email and spam filters
  • Inadequate password and identity management
  • Lack of knowledge about social engineering
  • Inadequate business processes for verifying certain actions

Connected Devices

 

Asset 19

 

If you have remote workers, you’re a multi-location business. The laptops and PCs that your people connect to your network are all considered endpoints. You probably have more vulnerable endpoints than you realize because anything connected to your network – anything—should be protected. That goes for your heating and cooling system, security cameras and other IoT devices as much as it does for your computers and tablets.

Smartphones are also connected devices, and they often control your other connected devices. There are some additional factors to consider with phones because they move around with the owner, and they may be owned by the employee and not your company.

VULNERABILITIES:

  • Unsecured network access
  • Out-of-date hardware and software
  • Easy passwords or no passwords
  • Lack of Mobile Device Management (MDM)

Insider Threats and Physical Security

 

Asset 18

 

Hopefully, you can trust the people you hire and you’re assured that they wouldn’t do anything on purpose to steal, corrupt or expose your data. Unfortunately, that’s not always the case.

It's nice to think that none of your employees would betray your trust, but things happen. Whether it’s a bribe from a competitor or the act of a disgruntled employee, you want to be aware of the actions that your people could take to compromise your business information and IT systems.

Don’t forget that cyber criminals don’t just operate online, they can walk through your front door. Maintaining the security of your office space includes limiting access to your server room, locking workstations when not in use and never leaving post-its or other notes with login credentials where someone could easily find them (re: your desk drawer or stuck to your monitor).

While you might envision intruders sneaking their way into your facility, don’t discount potential threats from people who have a reason to be there – whether they’re visiting, or are one of your employees.

VULNERABILITIES:

  • Uncontrolled access to your facility
  • Uncontrolled access to servers
  • Unhindered access to computers and servers
  • Sharing account credentials between multiple people

 

6. Security Controls --
Cyber Defenses with Layers

Prevent, Detect, and Respond

As you get ready to call it a night, the last thing you do before you head to bed is lock the doors, turn on the electronic alarm system, and give your German shepherd a pat on the head as he snoozes in his bed.

Now imagine that someone wants to break in. They’ll have to find a way to disable your alarm, get through the locked door and maneuver past Fido in order to gain access to your valuables. These three layers of security act as barriers (locks and the dog), detect an intrusion (alarm and the dog), and attack the intruder (the dog).

An attacker could certainly find ways to circumvent all three of these security layers, but getting in-and-out for his mission will be more difficult and take longer than if he only had to deal with locked doors.

The concept is similar in a technology environment where the layers of security are designed to detect and thwart attacks before they can do any damage.

Three Types of Security Layers
Technical, Administrative, and Physical

Security controls aren’t just technical, they’re also administrative and physical. Your security strategy needs to include all three.

Technical Security Controls

How you use hardware and software to deter, detect and respond to cyber intruders.

Administrative Controls

What your people need to do to deter, recognize and respond to cyber intruders.

Physical Controls

How the physical environment is set up to promote security.

In our example, the actual doors and windows with their locks and the electronic alarm system would be like technical security controls. The administrative controls would include training people to get into the habit of locking the doors and turning on the alarm system, and teaching them what to do when the alarm or the dog gives an alert.

Let’s go through the list of security controls that you should be using. As you become familiar with the security tactics listed here, you’ll see some crossover because different tactics support and enhance others.

Basic Technical Controls:

Anti-virus, Anti-malware, Firewalls, Patching and Updating Software, Network Design

Think of basic technical controls as the method you use to close and lock the doors to your data and IT systems. Keep in mind that older software and hardware don’t have the advanced capabilities that newer technologies include. Your network design should promote control access to data and minimize damage if/when a hacker does get through your defenses.

Advanced Security Tools:

Threat Detection and Response, Artificial Intelligence, Email Security

The need for advanced security tools can’t be ignored when it can take more than six months for an intruder to be detected without them. That’s a lot of time for cyber criminals to plan out how they can get the biggest strike.

Advanced security tools use Artificial Intelligence to learn about your network traffic so that they can recognize activity that is not normal and act when something out of the ordinary occurs which could be a sign of an intruder.

Endpoint Security Protection, Detection, and Response:

Agent-Based Software on Connected Devices

Endpoint protection can be considered an advanced security tool, but it’s worth calling it out here because of the increasing number of devices that are connected to your network. Whether it’s your remote workers’ corporate or personal computers, your cloud services, or smart devices, anything connected to your network is a potential access point for a cyber attack.

Endpoint security protection detects and responds to potential threats.

Mobile Device Management:

Monitoring Software, Identity Management, Security Policies

Using smartphones makes it easy for employees to be in touch when they’re not in the office, but when you think of smartphones as doors to your network, then it’s scary to think of who could get access to your data if the phone is lost, stolen, or used by an unauthorized person.

Software can be used to control what employees can do on their phones. Teaching people how to use the security features that are available on their phones, and providing training on acceptable use will help to instill in the employee their individual responsibility for using their smartphones with safety in mind.

Advanced Email Security:

Spam Filters, Encryption, Identity Management, Cyber Security Awareness Training

Phishing continues to be a preferred cyber criminal tactic because it works. The bad guys use tricks to impersonate companies and people whom your people trust to get them to do something that they wouldn’t otherwise do.

If your email software is up to date, you probably already have advanced security tools available but they may not be activated. This could be for many reasons, but it’s usually because your IT team doesn’t know about them or your leadership team has declined to use them due to the potential impact on workflow.

Cyber Security Awareness Training (discussed below) and Identity Management are essential parts of email security.

Identity and Asset Management:

Password Management, Multi-Factor Authentication, Biometrics

Identity and Asset Management (IAM) is like the set of keys that allow your people to access their accounts, your network and your information. Cyber criminals want to get those keys because it’s a lot easier for them to unlock your doors than to figure out a way around or through them.

The biggest problem with identity management is in getting people to take it seriously. Methods like multi-factor authentication (MFA) and biometrics have evolved so that you don’t have to rely on password management and human behavior alone to keep accounts safe. But they still require training. If a user will click on a pop-up to authenticate even when they weren’t the one who initiated it, then the cyber criminals will still able to get in. .

Secure Network Access for Remote Workers:

Virtual Private Network (VPN)

Enabling your remote workers with security includes many components. VPN is the tool you need to let employees access your network securely.

A VPN opens a secure path through your firewall that requires any connections to be encrypted and authenticated. It’s essentially a tunnel that prevents outsiders from seeing the traffic that goes in and out of your network.

Securing Cloud Applications:

Encryption, Data Backup, Identity Management, Email Security

Whether your whole infrastructure is in the cloud, or you have several departments using cloud services, you can’t leave security totally up to the cloud provider.

Before using cloud services, make sure that the service meets your parameters for security and compliance. (Get help with this technical discussion if you need it.) Make sure you backup your cloud data and secure the devices that are accessing your cloud services with Endpoint Protection and Identity Management.

Cyber Forensic Tools:

Logging and Security Information and Event Management (SIEM) Software

Cyber forensics is what you need after you have a cyber attack so that you can prevent the same thing from happening again and to determine the extent of the data breach.

These tools must be in place before the incident takes place.

The ability to track down how an intruder gained access, and then determine what damage was caused, will be critical when it’s time to make an insurance claim, or defend your organization in legal proceedings.

10 

Security Policies:

Documenting, Training and Enforcing How to Access Information and Your IT Systems

Think of your Security Policies as the way you answer your employees’ questions about how they should access your network and data. It starts with “What data do I need to do my job?” and details how that data may or may not be shared.

Your policies set out your expectations for how employees should act in certain situations, like what to do when a vendor needs to access your network. The effectiveness of security policies is directly related to the level of training and enforcement that is present.

11 

Cyber Security Awareness Training:

How to Recognize and Respond to Potential Cyber Attacks

Although both are directed at employee behavior, cyber security awareness training is different from security policies.

Cyber security awareness training uses simulations, tests and interactive instruction to teach employees to recognize potential cyber attacks. Much of this training is focused on social engineering and how it’s used in phishing and spear phishing attacks, because these are favorite cyber criminal tactics.

12 

Physical Security:

Restricting Access to Facilities and Devices

Whether at the office, out and about, or at home, physical security matters when it comes to keeping prying eyes and sticky fingers off your business data. Part of physical security has to do with limiting access to your facility, but EVERY employee must play their part too. This can be as simple as getting into the habit of locking their screen when they step away from their workstation, or making sure that someone doesn’t enter a building behind them.

Asset 10-1

7. Incident Response Plan

Hope for the Best,
Plan for the Worst

If you don’t prepare for the day when your organization does have a cyber incident, then your cyber security strategy is not complete. An Incident Response Plan (IRP) documents what you want employees to do ahead of time so that they have a path to follow in the heat of the moment.

Your IRP answers questions like:

  • What do I do if I think I did something that created an entry for a cyber attack? (click a link, open an attachment, responded to email or phone call, etc.)
  • What do I do if I suspect we have a cyber intruder?
  • After the IT team, who should we notify?
  • Do we notify law enforcement? When?
  • What do we tell employees?
  • Who will lead communications?
  • What’s our plan to restore from backup?
  • What backup or alternate systems can we put in place to keep operations going until we can be fully restored?

Putting Your Incident Response Plan into Action

Your IT team should have documented procedures for their response to a cyber incident. They’ll need to confirm that an incident has taken place and stop the activity. Preparation for their response includes having all of the resources that they might need in one spot – hardware, software, cables, chargers, communication protocols, etc. – so they can pick them up and go.

Preserving the Scene

The investment that you made in logging tools is going to payoff when it’s time to figure out what happened – but you have to balance your need for investigation with your desire to get back up and running.

Once you restore from backup, the data that you need for forensic analysis is gone. Let the cyber forensics experts do their postmortem to find out what happened, then restore.

Communications Plan

One of the biggest impacts of a cyber attack is going to be on your reputation so you’ll need a communications plan within your Incident Response Plan. Your reputation helps you keep trust with your customers, employees, vendors and even your local and industry communities. Your skill in getting the right messages to the right people will help maintain your reputation, as well as confidence in your ability to handle the incident.

Asset 22

8. Testing and Managing Your Cyber Security Process

If you want to be confident that your organization is doing what they’re supposed to be doing to manage cyber security, you need to test your processes from time to time. Ideally, this would be done by a 3rd party. Some industries require 3rd party verification for compliance.

Whether you do it quarterly, twice a year, or annually, get into the rhythm of performing a risk assessment and security review. Include employee training in your process so that people can learn what they need to do and keep security top of mind.

Your backup and disaster recovery plan should also be tested. Some companies also run simulations with different threat scenarios to more fully train people to respond when there’s a cyber attack.

Asset 23

9. Communicating Cyber Security Accountability to Customers and Vendors

As cyber risks persist and continue to threaten organizations of all sizes, there is a growing demand for organizations to be accountable for keeping data safe. We already see this in regulated industries like healthcare and banking.

As mentioned, companies that are government contractors and subcontractors now must follow the Cybersecurity Maturity Model Certification (CMMC) and/or NIST cyber security standards. These standards don’t just address cyber security controls, they give organizations common language to use when communicating expectations.

Accountability for cyber security is also important if you want to get the best rates on cybersecurity insurance, or provide evidence that you took all necessary precautions when it comes time to file a claim or build your defense in legal proceedings.

Having a detailed cyber security plan may be all of the documentation that you need to verify your level of cyber security. If you want to go up a level, the NIST cyber security framework can be used by any organization to demonstrate your level of cyber security readiness.

Asset 24

10. Working with a Managed Security Services Provider (MSSP)

If you’re relying on your in-house IT team to take care of everything that’s involved with support and security, you could be sacrificing some goals for others. There’s an inherent conflict between IT management and IT security. IT management focuses on ease of access, productivity, data integrity, etc. IT security focuses on layers to keep the bad guys out. A lot of times, those layers get in the way of efficiency. You need to take a high-level look at both areas to get the right blend.

Additionally, cyber security expertise cannot be achieved part-time. You really should think about what your cyber security department should look like because there are different roles that you need to fill to make sure that all the technical, administrative, and physical components of your security plan are working together to effectively manage risks.

Managed Security Services Providers (MSSPs) are a good option to pull in cyber security expertise and guidance without increasing your payroll. In addition to collaborating with you to create and implement a cyber security plan that’s appropriate for your level of risk, they can interpret compliance requirements, and bring ideas for how you can develop a culture of security at your organization.

Asset 10-1

11. Achieving the Goal of Resilience

When you think about it, the ultimate goal of cyber security is survival.

Surviving so that you can do business another day is much easier when you can proactively meet the challenges that come your way. Whether it’s activating your response plan when an incident happens, or preventing intrusions in the first place, investment on the front end is a much more elegant use of resources, and a lot less painful for everyone involved.

12. Uncover Your
Security Gaps

It’s your job to be informed about the risks that your business faces so that you can make good decisions about how to allocate resources for their management. Thinking about cyber security, however, can be overwhelming. It might seem like you need to be an IT expert in order to put together the pieces of an effective defense.

Asset 26

Get a Cyber Security and Risk Assessment

Knowing where you need to go with cyber security is much easier when you have a clear picture of where you are right now. A cyber security and risk assessment gives you new understanding about your vulnerability, provides recommendations for improvement, and helps you close the gaps that are exposing your business to unnecessary risk.

Learn More about Security Assessments