Rising cybercrime and ever more stringent security expectations have brought us to this point. According to the FBI's Internet Crime Report for 2021, that year saw a record 847,376 complaints with estimated losses of more than $6.9 billion. Criminals now come from all walks of life, because ransomware franchise (ransomware-as-a-service) models and do-it-yourself phishing-as-a-service kits have made cybercrime easier than ever. So how do you stay ahead in this never-ending war when everyone from regulators to clients to your cyber insurance provider wants you to beef up your defences? These four foundational elements provide the basis for an effective and economical cybersecurity strategy.
The Four Essential Steps of a Comprehensive Cybersecurity Strategy
Most businesses have only so much money to spend on cybersecurity, so it's important to get the most bang for your buck. Assessing your security posture and developing a cybersecurity plan are prerequisites to implementing the most cost-effective security measures (which we will cover in a future blog article, so stay tuned). Consider these four critical strategic elements as you build your company's cybersecurity plan:
1. Know what you’re protecting.
You cannot secure valuables you have not identified. The goals for this stage are:
- Establish a baseline of known systems, data, and assets. This is the starting point for any cybersecurity strategy, and it requires the following:
- Information on employees and clients. Document the forms of sensitive employee and customer information you store, including but not limited to SSNs, names, addresses, dates of birth, driver's license scans, medical records, tax returns, and financial transactions.
- Infrastructure and devices. Take stock of all of your infrastructure, including servers, software, backups, and cloud and SaaS applications. Also list assets such as cell phones, computers, USB drives, and Internet of Things (IoT) enabled equipment and sensors.
- Pick an inventory management system that works for your business without breaking the bank. Tracking data and assets manually is doable on a small scale, even with an Excel worksheet. This method is affordable, but it can be time-consuming to populate and keep current. An alternative is software such as OneTrust, which combines data mapping and risk management to produce an always-up-to-date map of data flows with a full audit trail of processing activities. Those with a larger budget can opt for a complete data discovery package. Whatever method you select, up-to-date asset and inventory records are essential for accurate risk analysis and for detecting security gaps.
- As you go through your files, keep in mind what you can get rid of. Information can be a liability: the more data you hold, the more damage a breach can do. Reducing the quantity of data you keep on hand is one of the simplest and cheapest ways to lessen your exposure. As part of your business's cybersecurity plan, store only the data you absolutely need and regularly review and delete anything unnecessary.
2. Know your obligations.
Cybersecurity obligations have recently joined the long list of contractual and legal responsibilities that everyone in today's digitally connected world must fulfil. You must know your organization's cybersecurity responsibilities before you can create a plan that suits your needs. Here are some of the obligations your strategy may need to cover.
- State and federal privacy laws are changing: Several states have passed or are considering privacy legislation. Our pals at Husch Blackwell maintain an excellent state privacy legislation map showing the status of the various laws. At the federal level, Congress recently passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (don't worry, you have some time before it takes effect), which mandates that "covered entities report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively." (For more information on the new 36-hour reporting requirement for certain financial institutions, watch this video.) To stay abreast of your obligations under ever-evolving cybersecurity and privacy laws, consult an attorney who specializes in this area, and evaluate your program against all relevant rules and regulations at least annually.
- Customers and partners include cybersecurity in contracts: Business contracts often stipulate that incidents must be reported, that a software bill of materials (SBOM) must be provided, and/or that a certain level of security and training must be maintained. Keep a list of all contractually mandated security and privacy requirements, and designate a person to manage these commitments.
- Cyber insurance minimums are rising: Given the rising prevalence of cyber threats, many insurers now require policyholders to implement specific safeguards before they will renew a policy. Check these requirements and track any looming implementation deadlines.
3. Keep a risk log.
Every firm needs to be aware of its cybersecurity threats and any potential security weaknesses. There are several ways to understand and monitor your risk:
- Assess the current state of your cybersecurity controls: This means reviewing your strategy, procedures, and tools. Your security posture is evaluated against a widely accepted framework such as the NIST Cybersecurity Framework (CSF) or the ISO 27001 standard, and the result is a set of immediate and long-term recommendations and objectives for risk reduction. Use this as the starting point for your cybersecurity strategy: the NIST CSF, for instance, gives you a structure for handling the five core functions of cyber defence: Identify, Protect, Detect, Respond, and Recover. It's possible to do this assessment in-house, but it takes a lot of time and effort, so you may be better off engaging a professional service. Read the blog post How to Ensure Your Cybersecurity Risk Assessment Results are Actionable for more on conducting this assessment.
- Set up a technical testing schedule: Your cybersecurity plan isn't complete without a yearly penetration test, which locates weak points in your security before a criminal does. Don't limit the pen test to your local network, though. One of the biggest mistakes enterprises make today is neglecting cloud security testing; we've seen too many clients believe their cloud was secure when a misconfigured cloud service was in fact the cause of a data breach. Pen testing is an excellent first step, but once you have found your holes, a risk assessment helps you prioritize their mitigation. Whether you are conducting the comprehensive security controls evaluation covered above or a more limited risk assessment, we recommend technical testing to detect weaknesses and build a remediation plan.
- Review and analyse incidents as they occur: A monthly report detailing any incidents is an important part of risk management. Tracking and examining this data monthly, whether in an Excel spreadsheet or in incident tracking software, lets you assess risks and reveals the strengths and weaknesses of your program. Major incidents warrant a dedicated post-mortem meeting. With this data compiled, you can make the necessary adjustments to your company's cybersecurity strategy.
4. Treat your risks.
Creating a long-term risk management and reduction plan is a key aspect of every cybersecurity framework we've discussed here. Track your risks in a spreadsheet or in a software tool that lets you revisit and update them as your program matures, then use that record to choose the best course of action for each risk. The standard risk treatment options are:
- Avoid the risk by eliminating the corresponding activities
- Mitigate the risk by implementing security controls
- Transfer the risk to an external party, e.g., through insurance
- Accept the risk
Once you've settled on a treatment for each risk, you can begin organizing and tracking your multiyear efforts to mitigate them. To learn more about cybersecurity risk management, read the blog post The ABCs of an Effective Cybersecurity Program or watch the accompanying video.
We trust you will find this information useful. If you need help creating a cybersecurity policy, procedure, or plan, please get in touch with us. Technical testing, cybersecurity solutions, advisory services, training, and incident response are just a few of the areas in which our team excels.