As we approach the end of 2023, validate the primary pillars of your cybersecurity program with these five core reviews
Summer is officially over and we’re staring down the end of another calendar year. Executives who are responsible for cybersecurity, whether CISOs, CIOs, CSOs, or Security Directors, have a few security checks to complete at the end of each year. These actions are good business practices and most are required by cybersecurity frameworks and security regulations.
These reviews don’t take a lot of time, and they can make a big difference in your level of security as you prepare to ring in a new year with all of the objectives and KPIs, and, face it, distractions that come with it. Addressing these five items routinely will also help your case in the event of a data breach or cybersecurity incident by demonstrating your commitment to sound cybersecurity.
These five year-end cybersecurity checks will help you validate the primary pillars of your cybersecurity program.
Check 1: Policies & Procedures Review
Organizations should develop and maintain cybersecurity and data privacy policies and procedures to meet several purposes:
- First, as tools to educate employees and direct their behavior;
- Second, to meet compliance requirements imposed by regulations such as HIPAA, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act, as well as state-specific regulations; and
- Third, to effectively implement cybersecurity frameworks such as NIST and HITRUST CSF, which require current documentation of detailed policies and procedures.
Your year-end cybersecurity check includes reviewing your organization’s policies and procedures to make sure they’re still current, removing any that are obsolete due to system changes, retired equipment, or company reorganizations, and developing new documentation for new equipment, new departments, and new practices. You’ll also want to publish or distribute the updated documents as appropriate to meet the three purposes above.
Check 2: Employee Cybersecurity Training
Research has demonstrated that we forget roughly half of all new information within an hour of learning it and can only digest six to nine data points in a single session. These two simple facts confirm that training should be delivered in short sessions, offered in multiple formats to suit individual learning needs, include testing at intervals throughout, and be repeated frequently.
Any education program should employ a few different approaches reflecting the size, budget, business, and procedures of the organization. Options include:
- Classroom training
- Online webinars
- White papers and blogs
- Online self-paced web-based training
- Train the trainer sessions
- Regular email reminders, quizzes, and newsletters
- Testing the effectiveness of training and retention of content among employees
Below are four great tips for effective security training in your organization:
- Train employees to use strong passwords, and enforce the policy consistently;
- Train employees to use multifactor authentication, which is straightforward when every employee has a personal device on which to receive one-time MFA sign-on codes;
- Train employees to spot phishing schemes, which are a common entry point for ransomware attacks; and
- Train employees to practice identity management to keep their data secure.
Your year-end cybersecurity check includes reviewing cybersecurity training programs from content to timing, and verifying that all employees have been trained at least once during the year.
Check 3: Review Incident Response Plan
Your organization should already have a clear and comprehensive incident response plan, which spells out responsibilities and procedures in the event of a data breach, hack, or other cybersecurity incident. Every individual assigned to execute the plan must be trained and participate in testing the plan.
Having a plan in place before you experience an unwanted incident will enable your response to be smooth, well thought out, and compliant with any applicable regulations. Most regulations contain breach notification requirements that you’ll want to document as part of your plan.
Other elements of your plan may include:
- Definition of what constitutes an incident for your organization;
- Processes to be followed depending on the type of incident;
- Procedures for incident handling and reporting;
- Procedures for investigation, forensics, and ongoing communication; and
- Procedures for containment, eradication, and recovery.
Assuming you already have a documented plan, review it by year-end and make appropriate updates to reflect changes in your organization that occurred earlier in the year.
Check 4: Security Risk Assessment
Security risk assessments are an integral part of all cybersecurity frameworks and federal regulations that contain security requirements. These include the NIST, ISO/IEC 27001, and HITRUST security frameworks, as well as the HIPAA Security Rule, Payment Card Industry Data Security Standard (PCI DSS), Department of Defense Cybersecurity Maturity Model Certification standard (CMMC), GLBA, and the Sarbanes-Oxley Act, among others.
Generally, security risk assessments are required annually, although in some cases every two years or every three years is acceptable. Additionally, most requirements call for a risk assessment when significant changes have occurred in an organization, such as a new system or equipment installation, key personnel change, or a merger or acquisition. Penalties for failure to comply are applied frequently, and in healthcare are widely publicized as well.
The purpose of a security risk assessment is to evaluate the adequacy of security controls within your organization. It provides a structured, qualitative evaluation of the operational environment in terms of threats, vulnerabilities, risks, and security safeguards. Below are some of the activities inherent in a compliant security risk assessment.
- Collect and review all relevant data, including policies and procedures, network maps, equipment inventories, and other materials.
- Identify threats and vulnerabilities using penetration testing, system scans, and other accepted techniques.
- Document the threats and vulnerabilities revealed by each method.
- Determine the likelihood of threat occurrence and identify the potential consequences of threat occurrence.
- Determine and document the level of each risk based on severity and potential impact to your organization and its stakeholders.
If your last security risk assessment was conducted more than two years ago you’re due for another. To schedule it before year-end, contact a professional cybersecurity firm this month.
Check 5: Social Engineering Testing
Increasingly prevalent ransomware attacks rely heavily on clever phishing schemes that dupe employees into divulging information they shouldn’t. All it takes is one employee making a poor sharing decision to jeopardize the entire business.
Your year-end cybersecurity check includes testing your organization’s vulnerability to social engineering attacks using a few different techniques. Below are some examples.
- Test whether secure areas in your company can be physically accessed by unauthorized individuals, by using in-person social engineering attempts.
- Try to obtain confidential information from random employees by using phishing (or vishing, or smishing) techniques.
- Test for management vulnerabilities to more sophisticated schemes, such as targeted spear phishing or whaling attacks.
- If you have a clean desk policy, validate employee compliance by conducting covert office walk-throughs.
The last few months of each year offer a golden opportunity to review cybersecurity safeguards and practices that may have become lax, outdated, or otherwise eroded during the course of the year. Five basic checks address the primary pillars of your cybersecurity program, including policies and procedures, employee cybersecurity training, incident response plan, security risk assessment status, and social engineering testing.
Learn more about cybersecurity by becoming a sponsor of Cybersecurity Awareness Month. The National Cybersecurity Alliance celebrates cybersecurity awareness annually in October. Join 24By7Security and thousands of other organizations in supporting this vital initiative. Sponsorship is free, along with many resources to help you promote cybersecurity awareness within your organization.