Summer is officially over and we’re staring down the end of another calendar year. Executives who are responsible for cybersecurity, whether CISOs, CIOs, CSOs, or Security Directors, have a few security checks to complete at the end of each year. These actions are good business practices and most are required by cybersecurity frameworks and security regulations.
These reviews don’t take a lot of time, and they can make a big difference in your level of security as you prepare to ring in a new year with all of the objectives and KPIs, and, face it, distractions that come with it. Addressing these five items routinely will also help your case in the event of a data breach or cybersecurity incident by demonstrating your commitment to sound cybersecurity.
These five year-end cybersecurity checks will help you validate the primary pillars of your cybersecurity program.
Organizations should develop and maintain cybersecurity and data privacy policies and procedures to meet several purposes:
Your year-end cybersecurity check includes reviewing your organization’s policies and procedures to make sure they’re still current, removing any that are obsolete due to system changes, retired equipment, or company reorganizations, for example, and developing new documentation around new equipment, new departments, and new practices. You’ll also want to publish or distribute them as appropriate to meet the three purposes above.
Research has demonstrated that we forget roughly half of all new information within an hour of learning it and can only digest six to nine data points in a single session. These two simple facts confirm that training should be delivered in short sessions, offered in multiple formats to suit individual learning needs, include testing at intervals throughout, and be repeated frequently.
Any education program should employ a few different approaches reflecting the size, budget, business, and procedures of the organization. Options include:
Below are four great tips for effective security training in your organization:
Your year-end cybersecurity check includes reviewing cybersecurity training programs from content to timing, and verifying that all employees have been trained at least once during the year.
Your organization should already have a clear and comprehensive incident response plan, which spells out responsibilities and procedures in the event of a data breach, hack, or other cybersecurity incident. Every individual assigned to execute the plan must be trained and participate in testing the plan.
Having a plan in place before you experience an unwanted incident will enable your response to be smooth, well thought out, and compliant with any applicable regulations. Most regulations contain breach notification requirements that you’ll want to document as part of your plan.
Other elements of your plan may include:
Assuming you already have a documented plan, review it by year-end and make appropriate updates to reflect changes in your organization that occurred earlier in the year.
Security risk assessments are an integral part of all cybersecurity frameworks and federal regulations that contain security requirements. These include the NIST, ISO/IEC 27001, and HITRUST security frameworks, as well as the HIPAA Security Rule, the Payment Card Industry Data Security Standard (PCI DSS), the Department of Defense Cybersecurity Maturity Model Certification standard (CMMC), GLBA, and the Sarbanes-Oxley Act, among others.
Generally, security risk assessments are required annually, although in some cases every two years or every three years is acceptable. Additionally, most requirements call for a risk assessment when significant changes have occurred in an organization, such as a new system or equipment installation, key personnel change, or a merger or acquisition. Penalties for failure to comply are applied frequently, and in healthcare are widely publicized as well.
The purpose of a security risk assessment is to evaluate the adequacy of security controls within your organization. It provides a structured, qualitative evaluation of the operational environment in terms of threats, vulnerabilities, risks, and security safeguards. Below are some of the activities inherent in a compliant security risk assessment.
If your last security risk assessment was conducted more than two years ago, you’re due for another. To schedule it before year-end, contact a professional cybersecurity firm this month.
Increasingly prevalent ransomware attacks rely heavily on clever phishing schemes that dupe employees into divulging information they shouldn’t. All it takes is one employee making a poor sharing decision to jeopardize the entire business.
Your year-end cybersecurity check includes testing your organization’s vulnerability to social engineering attacks using a few different techniques. Below are some examples.
The last few months of each year offer a golden opportunity to review cybersecurity safeguards and practices that may have become lax, outdated, or otherwise eroded during the course of the year. Five basic checks address the primary pillars of your cybersecurity program, including policies and procedures, employee cybersecurity training, incident response plan, security risk assessment status, and social engineering testing.
If you plan to engage a professional cybersecurity firm to assist in any of the five year-end cybersecurity checks, contact them very soon to make arrangements.
Learn more about cybersecurity by becoming a sponsor of Cybersecurity Awareness Month. The National Cybersecurity Alliance celebrates cybersecurity awareness annually in October. Join 24By7Security and thousands of other organizations in supporting this vital initiative. Sponsorship is free, along with many resources to help you promote cybersecurity awareness within your organization.