As we look ahead to 2020, cyber threats will continue to be a top concern for enterprises small and large alike. The ever-evolving threat landscape will bring new challenges for security professionals to tackle.
It all starts with establishing a solid security foundation.
In this 11-part series, we will expound on the actionable steps covered in our white paper, Foresight 2020: 11 Cybersecurity Actions Your Organization Needs to Take.
Security is not a one-size-fits-all endeavor. Organizations have different security needs, depending on their respective industries and what’s at stake. That’s why a single approach to security is not effective; instead, a comprehensive strategy is ideal for mitigating risk.
Let’s drill down and learn how to establish your security baseline to get started.
Review and Assess
Before creating a cybersecurity plan, begin the process by reviewing your current cybersecurity posture.
This can be done with a risk assessment that checks for gaps and vulnerabilities. Take notes and organize your findings to help develop a plan.
A thorough assessment will test and examine your technology as well as policy, procedures, personnel, and strategy related to IT security. One part of a security risk assessment may include scanning your network for vulnerabilities such as missing patches or unsupported hardware and software.
Be sure to do an inventory of the hardware and software that is in place. This will help you assess internal risks, such as software and hardware that are misconfigured or outdated.
The assessment also focuses on four integral non-technical aspects of your security posture. They are:
Personnel - Do they have the right training and credentials to implement an IT security strategy?
Research shows that employees are the weakest link in keeping an organization secure. With bad actors sending out well-crafted and convincing phishing emails, uninformed employees with the best intentions are easily fooled into clicking on malware-infected links. It happens frequently; simply read the news.
To combat this, ramp up your cybersecurity training program for all the employees at your organization. Try tailoring the program to fit the role for best results. An office manager with limited access to certain software may need different training than an administrator with access to large amounts of sensitive data.
Policy - Are security policies in place and understood by users?
Review your policy and consider whether non-technical staff can understand it. If not, revise it in layman’s terms, removing jargon and replacing it with simple language.
Another idea is to set up a meeting, in which you invite your staff to give feedback on what they understand. See if they have any questions and provide them with a safe space to answer honestly without judgement. With this feedback, you can revise your written policies and help better train your employees on cyber hygiene.
Procedures - Are security procedures clearly outlined with details for areas of responsibility?
Perhaps it is not clear who is responsible for what when it comes to keeping data safe. Cybersecurity isn’t simply for IT professionals. It involves the entire team. Be sure to communicate clearly what the procedures are and what people are accountable for. Once this is clearly understood, you’ll greatly reduce your risks. Clarity is key.
Strategy - Is there an overall information security strategy?
Dig deep on this one. A strategy takes time to plan and deliver. It’s a process with several steps. As you gather facts and identify objectives, you can create a mission and go from there.
To know where you are heading, you need to be aware of where you currently are. Just like anything in life, awareness is essential.
Once you’ve completed the steps above, you’re ready for the final step in establishing your security baseline.
Create and Implement a Risk Remediation Plan
Now that you’ve done your security risk assessment, you can begin developing your risk remediation plan. This will help you prioritize what to fix. Be sure to include a checklist to help ensure that the plan is properly executed.
Conduct risk assessments annually, and then make updates to your plan accordingly.
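As an added illustration (not code from the original post or from 24By7Security), the following turns a set of assessment findings from the inventory step into a prioritized remediation checklist with owners and due dates, using a likelihood × impact score. The scoring bands, due-date windows, and the sample hostnames are assumptions constructed for this example.

```python
"""Risk remediation plan builder: an added illustration, not code from the original post.
Ranks constructed inventory findings (missing patches, unsupported software,
misconfigurations) into a prioritized remediation checklist by likelihood x impact."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    asset: str        # inventory item the finding applies to
    issue: str        # what the assessment found
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    owner: str        # who is accountable for remediation

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def rate(score: int) -> str:
    """Map a 1..25 score to a band; the band thresholds are this example's assumption."""
    return "critical" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def build_remediation_plan(findings, assessed_on):
    """Checklist rows ordered by descending score (ties by asset); due windows are assumed."""
    due_days = {"critical": 7, "high": 30, "medium": 90, "low": 180}
    plan = []
    for f in sorted(findings, key=lambda f: (-f.score, f.asset)):
        level = rate(f.score)
        plan.append({"asset": f.asset, "issue": f.issue, "risk": level, "score": f.score,
                     "owner": f.owner, "done": False,
                     "due": (assessed_on + timedelta(days=due_days[level])).isoformat()})
    return plan

def next_assessment(assessed_on):
    """Annual cadence from the post; a Feb 29 date rolls to Feb 28 of the next year."""
    try:
        return assessed_on.replace(year=assessed_on.year + 1)
    except ValueError:
        return assessed_on.replace(year=assessed_on.year + 1, day=28)

# Constructed sample findings from a hypothetical inventory; hostnames are invented.
SAMPLE_FINDINGS = [
    Finding("file-server-01", "unsupported OS (end of life)", 4, 5, "IT Ops"),
    Finding("hr-laptop-07", "missing security patches", 3, 3, "IT Ops"),
    Finding("guest-wifi-ap", "default admin password", 5, 2, "Network"),
    Finding("printer-lobby", "outdated firmware", 2, 1, "Facilities"),
]
if __name__ == "__main__":
    for r in build_remediation_plan(SAMPLE_FINDINGS, date(2020, 1, 15)):
        print(f"[ ] {r['risk']:<8} {r['score']:>2}  {r['asset']:<15} {r['issue']}  ({r['owner']}, due {r['due']})")
```

Each printed row is one checklist item; re-running the plan after the next annual assessment, or after a major organizational change, shows which items have moved up or down in priority.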
For certain industries such as healthcare and other HIPAA-covered entities, a risk assessment is required by law and should be conducted periodically and every time there is a major change within the organization. This could be a change in leadership, a digital transformation iteration, or a corporate merger or acquisition.
Remember, threats are a part of our everyday business lives. Cybercriminals, unfortunately, are relentless in stealing data and private information. It’s a reality in our modern way of living and doing business.
Taking the steps mentioned in this blog will help you safeguard your organization in the best way you can. As always, when in doubt, you can enlist experts such as 24By7Security to assist you with establishing a security baseline, developing a security strategy, and creating a risk remediation plan.
In our second blog in the Foresight 2020 series, we will cover how to conduct a compromise assessment. Stay tuned.