It is the middle of Cybersecurity Awareness Month. Let’s recap the ground we’ve covered in the first two installments before moving on to Phase 3, Managing Cybersecurity Risk.
- Start your journey with a risk assessment. Taking stock of your Strengths, Weaknesses, Opportunities, and Threats from a holistic viewpoint of People, Process, and Technology using a recognized framework should give you that vital roadmap to start improving.
- Incorporate Data Privacy and Cybersecurity controls into your organization. Start at the beginning of each major project and aspect of the business rather than hurriedly bolting them on as an afterthought. It is less expensive, and the controls will generally be less invasive and still more effective. A knowledgeable Security Architect is a must for this phase.
The “Manage” aspect of the Cybersecurity and Data Privacy lifecycle is about operating security and data privacy controls effectively on an ongoing basis. This phase is concerned with factors like:
- Education and Awareness Training,
- Policy Planning,
- Vulnerability Management,
- Penetration Testing,
- Thought Leadership, and
- Service Provider Partnerships.
We will address the why behind each of these elements below.
In a recent LinkedIn post, we mentioned that top among cybercrime trends are Ransomware and Executive/Business Email Compromise (https://www.linkedin.com/posts/jonemurphy_cybercrime-12-top-tactics-and-trends-activity-6722498246016610304-NkHi). These attacks are less likely to affect an organization that has a firm grasp of the management portion of the security lifecycle. Why? Because such an organization is proactive with security and awareness-raising, creating a cyber-vigilant workforce.
Similarly, savvy organizations know that courts and regulatory bodies only credit written policies as proof of formal programs around data privacy and cybersecurity. We find many organizations are trying to do the right things right and have some version of ad hoc process or written documentation. However, it is often neither standardized nor reflective of a programmatic approach, with annual reviews and formal change management applied as necessary. Each of these is a best practice expected by oversight bodies like courts and commissions. Regular and frequent internal and external vulnerability scanning of systems and applications, followed up with at least annual penetration testing, is also part of sound operational controls. Some organizations will need help implementing and measuring the ongoing effectiveness of these operational measures. In these cases, a virtual or fractional Information Security Officer can be a cost-effective alternative to hiring a full-time qualified leader.
The bad actors are more organized and relentless than ever. Their attacks are more sophisticated and frequent. Experts agree that they are only likely to become more so, and that they love to target Small to Mid-Market Businesses (SMBs), regardless of the industry vertical. Defense-in-depth and 24x7x365 vigilance on your systems is the only way to stay fully aware of what is happening in your environment in real time. Many SMBs don’t have the wherewithal for that level of dedicated and qualified technical, eyes-on-glass staffing. A Security Operations Center as a Service (SOCaaS), empowered with Managed Detection and Response (MDR) capabilities, is often a far more cost-effective alternative.
Lastly, you need to measure your program’s progress along a maturity continuum. As the old saying goes, “what gets measured, gets managed, gets accomplished.” The assessment will establish your baseline; then, you need to create a quantifiable set of markers that will communicate your progress on a scale that is meaningful and relevant to your organization’s particular circumstances. Alliant Cybersecurity can help with SOCaaS with MDR, vulnerability management, penetration testing, policy/program creation, metrics, and a virtual Information Security Officer to coordinate and steer all these necessary efforts.
In summary, after assessing and designing, you need to operationalize the controls in an ongoing programmatic manner. The controls need to be tailored for your organization, sustainable, and scalable. Metrics that clearly communicate the good and the bad aspects of your program are a must.
Our fourth and next-to-last installment will address how to deal pragmatically and proactively with compliance mandates for data privacy and security. Compliance, too, helps you make continuous improvements for a more robust and resilient organization. See you then. In the meantime, BE AWARE. BE SECURE.