It seems like no matter which direction you turn these days, the news includes headlines such as “huge ransomware attack”, “massive data breach”, or “new regulations being enforced”. As if owning and running a business wasn’t challenging enough, you must now contend with threat actors ranging from script kiddies to nation state cyber specialists attempting to steal, leverage, or damage your valuable digital assets for their own financial gain, or to damage your organizational reputation.
Every business’ journey to and through cybersecurity is very different. The motivation for each organization is unique due to many factors. The investment of time, money, and people is also unique for each organization. Where should you get started if you feel like your organization, your people, your data, and your customers require protection from cybersecurity threats?
Today’s blog discusses the security journey adopted by some organizations to help pinpoint actions and starting points for different areas in their cybersecurity program. The steps are:
0) Determine if you have any assets (physical or digital) that would be valuable to anyone else, and/or could be leveraged by threat actors to cause harm to your organization or its customers
1) Understand your legal and compliance requirements for your business type, data types, and customer types
2) Assemble a cybersecurity team that includes internal and external stakeholders
3) Establish goals and expectations for the cybersecurity team
4) Set up a regular cadence of reviews with the cybersecurity team members focused on various efforts
5) Implement necessary cybersecurity controls based on results from risk/vulnerability assessments and business impact analysis
6) Implement and foster an ongoing culture of continuous improvement and awareness in cybersecurity
It may seem funny to begin a list at zero, but for the purposes of your cybersecurity journey, it is possible that you run a business that operates in such a way that it doesn’t put any people or information at risk, and therefore doesn’t require a significant cybersecurity program. If that’s the case, thank you for reading this far; the rest will be merely entertainment for you. For everyone else, now that you’ve established there is something of value worth protecting, let’s continue to step 1 of the journey.
STEP 1 – Understand your legal and compliance requirements for your business type, data types, and customer types
There are multiple regulatory frameworks established for various businesses aimed at protecting the privacy of information. These range from state privacy laws such as CCPA (California Consumer Privacy Act of 2018), to established federal guidelines such as HIPAA (Health Insurance Portability and Accountability Act of 1996), to international standards such as ISO 27001 and protection guidelines like GDPR (General Data Protection Regulation of 2018). There are lots of others in between such as industry standards like PCI DSS (Payment Card Industry Data Security Standard) and voluntary frameworks like NIST CSF (Cybersecurity Framework).
The key here is to evaluate your business and its demographics, such as where you do business and where your clients are located. Then consider the type of data you process or maintain. Finally, consider any state or federal statutes/regulations that may apply to your organization. All of these will require a certain level of due diligence and due care toward cybersecurity standards that you must achieve and maintain to operate your business and protect your organization, people, information, and customers.
Even if you aren’t regulated by a specific federal or industry requirement, most states these days have basic cybersecurity privacy and notification laws that you should become familiar with.
STEP 2 – Assemble a cybersecurity team
The good news is that you don’t and shouldn’t try to do this all by yourself. Leveraging skill and expertise in various areas will prove invaluable as you evaluate just the right application of risk treatment in your organization. At the end of the day your goal is to identify risk to your assets, apply reasonable controls to protect those assets, and then team up with partners to assist you if something bad should happen to those assets. The following lists some areas where you may want to enlist an outside partner for counsel and/or services:
- Cybersecurity Law
- Cybersecurity Insurance
- Notification & Reporting Services
- Social Media & Reputation
- Incident Response
- Managed Cybersecurity Services
STEP 3 – Establish goals and expectations for the cybersecurity team
While inviting external experts for assistance with your cybersecurity defenses is a great idea, you will need to set the table and agenda for what is expected. Establishing a cybersecurity desired state is very important. Ensuring that all stakeholders understand what it is you are trying to achieve and what it is that you are trying to protect is paramount in making measurable progress towards the correct cybersecurity posture. This will begin by referring back to step 0 of our journey with a focus on the assets we are trying to protect, why they are valuable, and what we expect from our assembled team of experts in relation to that protection.
STEP 4 – Set up a regular cadence of reviews with the cybersecurity team
Everyone has a busy schedule these days, with numerous interruptions and a seemingly never-ending to-do list that grows daily. To keep your cybersecurity team focused and accountable to the program and plans laid out, there should be an ongoing and regular cadence of reviews to ensure that the team is tracking towards the goals of the organization. While this can vary by organization, the following are some suggestions to get started:
- Annual risk assessment leveraging chosen frameworks and business impact analysis reviews
- Semi-annual threat assessment including progress updates towards annual program goals
- Quarterly project/progress check-ins and KPI review of critical measures
- Monthly technical reviews that include vulnerability reviews and emerging threats
STEP 5 – Implement necessary cybersecurity controls based on results from risk/vulnerability assessments and business impact analysis
Cybersecurity controls include physical, administrative, and technical controls that are designed to build an in-depth defensive structure to protect your organization, people, information, and customers. Understanding the risks to the organization, including their likelihood and potential impact, means that you can proportionally implement the appropriate cybersecurity controls to provide the right level of protection without wasting resources. For each identified risk, there will be one or more controls that help to reduce the risk to an acceptable level. These controls should be continually evaluated to ensure that as the organization grows, evolves, or changes, they are still providing the expected level of protection.
STEP 6 – Implement and foster an ongoing culture of continuous improvement and awareness in cybersecurity
Start with executive sponsorship of the cybersecurity program and top-down leadership that establishes the importance of cybersecurity for the organization. Ongoing education and security awareness initiatives will help elevate the capabilities of the system’s users to ensure they are prepared to handle the ongoing cyber threats facing the organization.
Are you interested in assistance with understanding your business’ cybersecurity journey? Please contact us today to get started on the right track.