As many of today's enterprises are struggling to get their arms around cybersecurity, our world has seen an explosion in the number of solutions, providers and recommended steps to take to secure a company’s environment and protect it against cyber incidents. With so many options and no standardized solution, it is difficult to know where to begin. One place to start, however, is to establish the core elements of a solid cyber security risk mitigation plan – including proven elements that private and public sector players alike have used for some time. Let’s review a four-stage roadmap that will help companies build a strong cybersecurity foundation.

Take Inventory

The first step is to take a thorough inventory. What data assets do you have, and how are they accessible or vulnerable (both to external attacks and to insider threats)? What information does your company hold that would attract hackers or outsiders? Personally identifiable information? Financial data? Customer or client information? Transaction-related data? Which of your assets would your company consider “crown jewels,” versus less concerning or important data assets? Which assets might outsiders find attractive, regardless of whether they are important to you? How much of the data is segmented or kept separate (physically and virtually), so that a single attack or penetration could not cause a complete loss of critical information? This information will be critical in helping your organization determine what is most important (and warrants the highest level of protection), and in determining where and how to focus your efforts as you move on to evaluating existing protections (and identifying any augmentations your organization may need).
Evaluate Existing Protections

Next, establish what tools, processes and resources your organization already has in place to protect cyber and data assets, e.g., “CISO in a box” or other third-party provided solutions. Catalogue your staff’s skills and determine whether more training is needed to address the current threat landscape. Also check the retention steps you are taking to keep your staff happy and engaged – the labor market for tech, and cyber in particular, is red-hot, and people are leaving their current employers in droves, often with 2, 3, 4 or more job offers at a time. Determine what you have on paper regarding individual, team and corporate requirements for compliance with cyber standards, and refresh those documents if they are older than 12-18 months or if your business needs or requirements have changed.

Take the time to evaluate the internal and third-party provided services and tools in use, including how the tools align with the cyber landscape and how third-party providers have differentiated themselves by demonstrating consistent value and thought leadership to your organization. From a process perspective, confirm that your data is backed up comprehensively and regularly (doing so can help reduce the potential impact of a cyber-attack). Additionally, determine what relationships are already in place with law enforcement, because understanding who to call, and how they will respond, before a breach happens is important.

Create (and Test) Your Cyber Forecast

Third, create a forecasted view of the future, utilizing
sources of cyber threat intelligence combined with the expertise to parse that intelligence and identify the “so what” for your company’s operations. There are multiple threat intelligence sources from a variety of providers – some paid, some free, some from private sector sources, and some more public or broadly available. Obtaining threat intelligence is one step, but being able to analyze it and understand what is actually important and meaningful for your organization (and should in turn inform that organization’s efforts) can be challenging, so having a formalized methodology for both is critical.

Companies should also develop and manage test runs for cyber breaches to provide practice opportunities to determine what happens – and how the parties involved should act – if and when a cyber breach occurs. Such test runs can include performing red team exercises at least annually, involving all key company players, from the CEO down. Such red team or “tabletop” exercises are often where the real story is told. You wouldn’t want to learn that you have no way to contact key resources in your organization because all contact lists are “on the network” at a time when your network is effectively shut down due to a hack or cyber-attack. The tabletop exercise breathes life into the concepts and concerns and makes them real for the C-suite (and can help underscore shortcomings you may have been raising for some time).

Consider Risk Transfer Options

Lastly, consider developing financial risk transfer options, such as securing a cyber insurance policy, which can provide cost relief and support in the wake of a real-world attack or breach. A number of industry sources indicate that the average cost of a cyber breach exceeds $1M, and it is highly unlikely that most companies will have a budget line item of any material amount to cover such costs. Cyber insurance programs can provide a cost-effective safety net in the event a breach does happen. While in years prior many cyber insurance policies contained a significant number of carve-outs, exclusions and general loopholes that favored the underwriter (but not the insured), such programs have come a long way toward providing more meaningful risk transfer options. That said, it is still important to be wary of what is covered and what isn’t, to ensure that cyber coverage actually provides a realistic and reasonable risk transfer option. If you have a good handle on your data assets, your processes and tools, etc., the premium for a cyber insurance policy should be reasonable. Make sure to utilize knowledgeable resources when evaluating coverage offerings, to confirm that the insurance will cover both the most obvious and the more esoteric costs and damages associated with a cyber-attack.

Following these steps doesn’t guarantee that a cyber-attack won’t happen – general wisdom is that it is not “if” a company will be attacked but rather “when.” Given that an attack of some kind is more than likely to occur at some point, focusing on both prevention and recovery can help make sure that a company minimizes the opportunities for an attack and is prepared to recover from one as quickly (and painlessly) as possible.