1 Start with the "tone" at the top. Information security begins with senior attention, including regular reviews by a firm's senior executives and board of directors. Executives should begin with a self-assessment on their cybersecurity program. A free tool is available at TechNet, www.technet.org, which enables you to determine your dependency on information systems and analyze your organizational structure and approach to cybersecurity. The tool yields a score enabling you to evaluate whether your current program and structure are good or need improvement. Additional guidance on infosec corporate governance is available at: www.cyberpartnership.org.
2 Initiate an internal examination of your information systems to identify those most critical to your operations. Not all systems require an equal level of security, attention and resources. What systems must always work for you? Your website? Financial reporting? Customer relationship or supply-chain management software? Systems supporting manufacturing processes? Identify external dependencies as well. If your firm requires data from an entity outside your organization, you should inquire about its security.
3 When making decisions about IT procurement, factor security in from the beginning. Use your procurement power to request hardware and software products that are secure "out of the box." Delayed consideration is costly.
4 Deploy anti-virus and intrusion prevention and detection software that includes automatic updates. Some ISPs offer anti-virus and intrusion prevention software bundled with their services on a subscription basis. In one case, a security vendor blocked more than one billion virus attachments from reaching an ISP's members. Deploy vulnerability management software that will regularly scan your systems for vulnerabilities; a firewall to filter web traffic; and a VPN to secure remote access to your information systems.
5 Deploy authentication and access control technology, particularly for critical parts of your network. A recent survey revealed that 70 percent of people would reveal their computer password in exchange for a candy bar. Maintaining online identities is becoming a burden for many people who, on average, use 20 sites that require them to register and log in. To ease the burden, two-thirds of the respondents said they use the same password. We must move beyond simple password protection to two-factor authentication.
6 Encrypt communications wherever appropriate. Security solutions are available that allow you to seamlessly encrypt email and databases.
7 Remember the insider. While we often focus on detecting and preventing external threats, there are threats on the inside, too. Use technical solutions to track access to, and use of, your information systems. But addressing the insider threat requires more than technology. It requires policies and a strategy to enforce proper use of information systems. These should cover training, awareness and responsibilities of employees, contractors, suppliers and customers accessing the firm's extranet.
8 Prepare and exercise contingency plans in case of an attack. Devising contingency plans now will save time and resources in the (likely) event of an attack. Establish a crisis management team that includes senior-level representatives who can convene and act quickly. Assign roles and responsibilities for each member of the team and exercise your plans regularly.
9 If you have extensive information security needs, consider turning over security operations to a full-service vendor. Some vendors offer full-service solutions that address many of these steps. Such services are available on a contractual or subscription basis.
10 Remember you are not alone in facing cybersecurity challenges. To learn more about how your peers are addressing cybersecurity, join an Information Sharing and Analysis Center (ISAC). ISACs share information about cyber threats, vulnerabilities, and attacks. Several sectors have established ISACs, including banking and finance, transportation, information technology, energy, and water. Similarly, several sectors – such as finance – have established "coordination councils" to address policy issues facing a particular industry. You can also join InfraGard, a grassroots effort sponsored by the FBI to share information at the local level (www.infragard.net). At the website for the National Cyber Security Alliance, www.staysafeonline.info, you can find general information about cybersecurity awareness as well as numerous tips and useful tools.
Paul Kurtz is the executive director of the Cyber Security Industry Alliance.