Building an Effective Cybersecurity Program
Building an effective cybersecurity program presents challenges to businesses of all sizes. It doesn’t matter if you are a 25-employee manufacturer or a Fortune 50 global business, the concepts of cybersecurity do not change. Of course, there are more employee and financial resources to scale a program the larger you are, but the basic concepts of developing and maintaining an effective program remain the same. In this short blog, I’ll try to break down cyber fundamentals into useable, real world analogies.
Build a perimeter: Perimeter defense is what many consider to be effective cybersecurity. To a certain degree, this is true. Modern firewalls, routers, switches and monitoring devices are an absolute necessity, but the path to a meaningful cybersecurity program does not end there; it is simply the beginning. Cybersecurity is not a device. Treat your perimeter the same way you would secure your personal property as it’s the first line of defense.
Understand your data: With over 20 years of IT and cyber experience, I cannot stress this point enough. So many of the companies we speak to never take the time to truly understand where their most sensitive data lives. The key word here: sensitive. Take the steps to understand what your recipe for Coke is and apply proper controls to protect it. Whether you’re an engineering based company, a health system, or a financial conglomerate, you need to understand what your crown jewels are, and apply pressure to protect them. You can’t protect everything all the time; put a bubble around what matters. We often advise our clients to think of this the way they would a piece of jewelry, birth certificate or cash you might keep on hand. These are not items you throw in a drawer because you have locks on your exterior doors. These are precious items which need an extra layer of protection. Treat your most valuable business assets the same way.
Control access to that data: Once you understand where your data is, gain an understanding of who has access to that data and why. Controlling and monitoring access to systems can be a daunting task, especially if done manually. Providing access in accordance with the principle of least privilege will help to keep your data secure and will prevent the introduction of unnecessary risk. You would not give your garage door code or front door key to just anyone, would you? Similarly, if you fired a contractor who was helping at your home, you wouldn’t let him or her keep your keys, would you?
Train your people: As most of us know, the one thing you cannot always control is your people. Even a well-trained staff can fall victim to social engineering attacks or can introduce unnecessary risk to an organization unintentionally. Training your most essential assets, your people, has become easier over the past few years with the introduction of cost-effective solutions through e-learning. Training programs are the most effective way to reduce your cyber risk introduced by your employee base. As Brian Krebs once said “Someone recently asked me how I defined security. I really had to think about that. Fundamentally, it seems to be about making it easier for users to do the right thing, and/or harder for them to do the wrong thing.”
Provide assurance that the data is protected: Once controls are functioning properly, work independently or with a partner to provide assurance. We commonly see businesses who begin their cyber journey by developing the proper program, but when an assurance check is performed, procedures are not functioning as intended. If you can get in a position where your controls and procedures are documented, gain an understanding of which of those controls are most critical and put them into a periodic testing cycle. This will create peace of mind as well as cyber/process assurance for your leadership team. Also, for quick wins, don’t just collect data to collect data. Only store/transmit data that’s of relevance or importance and try to cleanse what’s not. Purging like this will help to keep things clean. Double check your locks before you go to bed.
There are many areas of cybersecurity which support these core fundamentals (asset management, incident response, patch management, vendor risk, etc.). For more information on the pillars of cybersecurity, we would suggest reviewing the Critical Security Controls or the NIST Cybersecurity Framework. If you would like to read our white paper, Cybersecurity is not a Device, you can download it here.
Be confident and feel free to email any questions you might have – David Lefever, CEO; firstname.lastname@example.org