Building an effective cybersecurity program is like building a three-legged stool. It requires a commitment to people, processes, and technology. All three must be working together to support the weight of your program. If one area is lacking, the other two can’t support the weight. If you want a strong cybersecurity program, it requires an intentional focus on all these areas.

While cybersecurity requires a long-term commitment, its fundamentals are not complex. There are basic principles that any organization can apply to create a secure environment for its data.

How to Build a Cybersecurity Program from the Ground Up

Whether you’re looking to build a cybersecurity program from the ground up, or simply looking to strengthen your existing processes, here are six fundamental steps we recommend to help you focus on people, processes, and technology.

  1. Identify all types of data and sensitive data you store. Whether it’s customer payment information, patient health records, personal financial information, or intellectual property, every company has sensitive data it stores, processes, and transmits to conduct business. As a business, it’s your duty to protect it. To do so, you first must acknowledge the nature and type of sensitive data that you have.
  2. Define where that information is stored. Once you identify what sensitive data you have, you must determine where it is stored. In addition to obvious locations like databases, does that information live in spreadsheets or in text documents on file shares? You can’t protect sensitive information if you don’t know where it is. Completely protecting every device (computer, mobile device, etc.) within your organization may be an impossible task. But, what you can do is identify where sensitive data exists in your environment and build controls around the processes that store, process, or transmit it.
  3. Take inventory of all hardware and software in your network. As simple as this seems, it is an area where organizations are hurt the most; the 2017 Equifax breach began with a known vulnerability in a web application component that had not been patched. When critical vulnerabilities are announced, you need to know which specific systems in your environment run the affected software and must be updated or patched. Creating and maintaining an inventory of your hardware and software is key to establishing a solid cybersecurity program.
  4. Develop a plan to train employees and users on cybersecurity best practices. Cybersecurity is not solely an IT issue, it’s a business issue that requires a culture of security adoption. At the end of the day, protection of sensitive data comes down to the end users who are handling it. If they don’t know or understand their responsibilities for protecting sensitive data and interacting securely with a company computer system, they may unknowingly put you at risk. Your employees must be trained to recognize and report phishing attacks and baiting, and should be well-versed in password management to protect your systems and data.
  5. Implement multi-factor authentication for all remote access. Many companies have employees who access company systems remotely, and in most cases that access is protected only by a password. Experience has shown that user-selected passwords are often easily guessed, reused from other sites that have been breached, or obtained through a simple e-mail phishing attack. If multi-factor authentication is not required for every remote access path, an attacker who obtains a password will have no trouble logging in to remote services, and that typically leads to access to sensitive data. Nearly half the incidents our forensic and incident response team at LBMC Information Security has dealt with in the past six months could have been prevented if multi-factor authentication had been implemented for systems that offer remote access, especially email systems.
  6. Find a trusted partner who can help you. Limited time and staffing are the most common challenges businesses face when it comes to effective cybersecurity. Having a third-party to perform penetration testing or risk assessments for your organization is key to getting an objective validation that your cybersecurity program is effective and that your sensitive data is as secure as possible.
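Step 3 is where an inventory pays off: when an advisory names a product and an affected version range, the question is which hosts run it. The following is an added example, not code from the LBMC article. It matches a small inventory (constructed for this illustration, with made-up product names and versions) against an advisory and separates hosts that need patching from hosts whose version was never recorded, which is the case the inventory usually gets wrong.

```python
"""Match a software inventory against a vulnerability advisory.

Added example. The inventory, product names, versions and advisory below
are constructed for illustration and do not describe any real product.
"""
from dataclasses import dataclass

# Constructed inventory export: one line per installed product instance.
# legacy-01 has no recorded version, a gap that must be resolved by hand.
INVENTORY_CSV = """\
host,product,version
web-01,ExampleFramework,2.3.31
web-02,ExampleFramework,2.5.13
app-01,ExampleFramework,2.5.10
db-01,ExampleDB,11.2
legacy-01,ExampleFramework,
"""


@dataclass(frozen=True)
class Advisory:
    """Affected range is [introduced, fixed_in): fixed_in is the first safe version."""
    product: str
    fixed_in: str
    introduced: str = "0"


def parse_version(text: str) -> tuple:
    """'2.5.13' -> (2, 5, 13); tuples of ints compare correctly ('2.10' > '2.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(csv_text: str) -> list:
    """Parse the header-led CSV into a list of {host, product, version} dicts."""
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def affected_hosts(inventory: list, advisory: Advisory) -> tuple:
    """Return (affected, unknown).

    affected: hosts running the product inside the advisory's version range.
    unknown:  hosts running the product with no recorded version; they cannot
              be cleared and must be checked manually.
    """
    low, high = parse_version(advisory.introduced), parse_version(advisory.fixed_in)
    affected, unknown = [], []
    for item in inventory:
        if item["product"] != advisory.product:
            continue
        if not item["version"]:
            unknown.append(item["host"])
            continue
        if low <= parse_version(item["version"]) < high:
            affected.append(item["host"])
    return affected, unknown


if __name__ == "__main__":
    # Constructed advisory: ExampleFramework 2.3.5 up to (not including) 2.5.13.
    adv = Advisory(product="ExampleFramework", introduced="2.3.5", fixed_in="2.5.13")
    patch, review = affected_hosts(parse_inventory(INVENTORY_CSV), adv)
    print("patch now:", patch)
    print("version unknown, verify by hand:", review)
```

The version comparison uses integer tuples rather than string comparison so that 2.10 sorts after 2.9; vendors with non-numeric version strings need a product-specific parser, which this example deliberately does not attempt.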

Why Employees Are Your Number One Cybersecurity Risk

From an IT standpoint, leaders have many threats to contend with, such as viruses, worms, phishing and ransomware. But there is a much bigger threat that can be more difficult to manage: employees.

Mark Burnette has been quoted saying, “If employees don’t understand what their responsibilities are when interacting with a company computer system, it’s going to be difficult for them to truly protect it. They might unknowingly do something that would put the company’s data at risk.”

Robert Powell, VP of Network Engineering at LBMC Technology Solutions, said, “Threats can come through many avenues, such as web browsing, email, a ‘technician’ asking for your password or a thumb drive you find on the ground. They often seem innocent, potentially helpful and may even be directly targeted to your company or even you personally. A savvy user will always be on the lookout for something suspicious or unexpected. If it seems questionable, check with your IT team before you open it, provide your password or plug it in to your computer.”

Multifactor Authentication

According to Burnette, the single biggest step employers can take is to require multi-factor authentication. Multi-factor authentication is a method of access control in which the user is granted access only after presenting at least two independent factors: typically something they know, such as a password, and something they have. The second factor is generally a cell phone app or a key fob that produces short-lived one-time codes, so a stolen password alone is not enough to log in.

Employee Training & Accountability

Strengthen cybersecurity with employee training and accountability. It is your organization’s job to train your team and to set clear expectations for employee conduct. The training should be explicit: adopt an Acceptable Use Policy, spell out each employee’s responsibilities, and define what your organization considers misuse. Training should take place at least once per year.

Protecting Removable Media

Removable media is any storage device that can be attached to or removed from a computer while the system is running, including USB flash drives, external hard drives, CDs, DVDs and Blu-ray discs. While seemingly harmless, unauthorized removable media is an easy way for information to be compromised. Removable media is easily lost or stolen, and some external hard drives ship with vendor backup or cloud-sync software that, if its default settings are never checked, copies the drive’s contents to an online service outside your control. Media that is authorized should be encrypted so that a lost drive does not become a data breach.

Every day IT security threats increase and companies struggle to keep up. LBMC can scale up your security resources without adding staff – saving you time and money, while increasing the security of your data. Contact us for more information.

Podcast

4 Ways To Excel at Cybersecurity

When evaluating the perceived level of success for organizations ranging from the U.S. Government to large public companies to small businesses in regards to protecting information and preventing breaches, the results can vary and would likely be frightening. Most informed cybersecurity experts would provide a general “thumbs down” to nearly all groups of businesses and entities to date.

But there is hope! Any organization wishing to improve in this regard, and to implement necessary defenses to effectively protect its environment against most cybersecurity risks, can follow a simple template.

First, companies must identify the potential targets of cyberattack (the entity’s sensitive data and critical systems). Then, once an inventory has been developed, they should assess the risk to each target and take steps to manage that risk to an acceptable level, consistent with the organization’s risk appetite.

While this process sounds simple, the fact is that today’s organizations are struggling to effectively complete these steps. There are several areas that cybersecurity professionals should consider when managing their information security program efforts that can help to improve the chances of success.

Planning & Administration

Proper planning and administration of a cybersecurity program involve getting the discussion into the boardroom and in front of the decision makers, enabling them to make well-informed decisions. When this opportunity presents itself, it’s critical to avoid technical jargon and keep the information at a simple yet appropriate level for the audience. Try to have a positive discussion focused on combating cybercrime rather than a “sky is falling” negative tone. Executives don’t want to hear the commonly uttered phrase “It’s not a matter of IF we’ll get breached, but WHEN.” After all, if that’s truly the case, why bother implementing security controls at all? When developing cybersecurity objectives, it’s also important to consider what’s driving your company’s business, and how data security plays a role. Regularly assess your program’s effectiveness, making proper security risk management the focus rather than compliance with regulations. Also, be careful about trying to quantitatively compute security return on investment. Stock price impact and per-record breach cost calculations can be easily questioned, undermining your argument for security investment.

Effective Communication

The phrase never gets old—effective communication is key. One wrong move in any communication strategy can cause confusion and misunderstanding, especially with cybersecurity, which by its nature is often seen as technical jargon. Make sure to get legal, audit, and compliance channels on board with cybersecurity program objectives. Don’t be the only one in the company carrying the responsibility for IT security. To avoid this situation, communicate one-on-one with allies outside the boardroom to get their feedback and buy-in on your plans.

Program Execution

When it comes to executing your cybersecurity program, there are several must-dos to ensure cybersecurity success.

  1. Make sure your security policies are robust.
  2. Create an asset inventory, and classify all data. You can’t protect what you don’t know you have.
  3. Use multi-factor authentication for all remote access channels. Be sure webmail is included in your multi-factor implementation!
  4. One major “key” to security is good passwords. While you should educate employees on how to choose good passwords, multi-factor authentication is the single best way to defend against bad passwords.
  5. Avoid getting enamored with looking for the silver bullet of security. A technology solution won’t solve the problem completely. Make sure the basic “blocking and tackling” components of your program are in great shape before you spend money on the newest shiny software solution.

Tips for Success

And finally, to be most successful with your cybersecurity efforts, these tips can help you along the way. First, plug into a community of cybersecurity peers who can serve as a sounding board and can offer alternative perspectives in regards to your existing practices. Conduct ongoing risk assessments and seek to remediate all significant risks. If your company is ignoring your cybersecurity risk management recommendations, it likely either means that you are not communicating risks effectively or the company is not committed to proper cyber risk management. In either case, seek to remedy that situation. Work with a peer to hone your message, and practice it with your allies in the organization. If that still doesn’t work, find another employer who values your expertise.

Effective Cybersecurity is a Daily Commitment

Cybersecurity is not a once-a-year project; it’s a daily process. As the technology landscape continues to evolve, making sure your organization is protected against the latest threats is important.

As always, if you want to learn more about how our team at LBMC Information Security can support your cybersecurity program, you can connect with our team at any time.
