The Importance of Both Proactive and Reactive Cybersecurity Planning

Posted by Matt Stafford on 03/01/2017

Our firm works with medium to large organizations across the country – all at varying states of digital maturity – and we help them formulate technology strategies. Cybersecurity has become a more common request over the last two years. One look at the headlines, and you’ll understand why. For leaders in every organization, from the neighborhood mom-and-pop shop to the federal government, cybersecurity is now a paramount concern. If there is an overarching lesson small businesses can take away from the big boys, it’s this:

Maintain a good balance of proactive to reactive approaches to cybersecurity.

We often get calls from clients dealing with reactions to situations. A common example happens when their computer screen is inexplicably replaced with a message telling a user that their customer data has been encrypted and the only way to have the data unlocked and returned is to pay a ransom. In this situation, we help clients work through a very specific set of steps, depending on the scenario, to react in a way that brings the best result possible. This is an example of incident or event management. It’s a predetermined, reactive response to a cyber breach or attack. This is not unlike the planning organizations do for disaster recovery; companies plan for how employees should respond to common disasters, like fires or tornados. Planning for reactions to cybersecurity incidents should be similar in at least one respect – they should be planned ahead of time.

It is wise to have prepared responses for these common cybersecurity threats:

  1. Company data is encrypted and ransom is demanded for release
  2. Customer information is stolen from your business
  3. Employee loses a device (laptop, tablet, phone) holding sensitive company data
  4. Employee is suspected of stealing or leaking company data
  5. Your web properties are targeted by a Denial-of-Service attack

If any of these things happen, do you know how you’ll react? This is not an exhaustive list, but the scenarios are common ways we see cybercriminals take advantage of companies. Having known and tested prepared responses will help you make good decisions when they count. Making a wrong move can lead to bigger issues, like losing your customer data forever. We’ve seen it happen before and it will continue to happen to organizations large and small. This is why planning for the worst is critical.

Our hope is that companies apply enough proactive protections so that they never need to use their reactive plans. Unfortunately, however, our experience shows that cybersecurity is often an afterthought… until the company is breached.

When we talk about proactive protections with companies, there are several important steps you can take to begin building a foundation of strong cybersecurity:

  1. Regular internal/external network audits and penetration tests
  2. Employee training
  3. Employee testing
  4. Ensuring no systems are using default login credentials
  5. Up-to-date patching and upgrades across all tools, accounts, and servers

These proactive options are relatively basic, but they can go a long way toward protecting the company, especially training and testing employees. There’s a mental shift that every company must make today, and most companies aren’t there yet. This is:

A network is only as secure as its most vulnerable user.

Even if technologists do everything they can to secure a network, it remains exposed if users are not properly educated about how to avoid falling victim to a cyberattack.

Every person connected to the network is responsible for cybersecurity. It’s no longer just the job of technologists on the team or third-party technology support to protect the organization; the organization needs to have adequate rules and response plans in place, leaders need to take responsibility for making risk-based decisions about what to protect and to what extent, technologists need to constantly harden the network’s perimeter, and employees need to take responsibility for protecting the company’s network and data. If any one of these groups falters, the organization becomes vulnerable.

Below are some steps you can take to lay the foundation for your company’s strategy:

1) Inventory and rate all the data you currently have – This is easier when done in ‘buckets’ of data rather than file by file. Create a list of all the data you currently collect (e.g., customer data, transaction data, employee data, etc.). Ask yourself specific questions about each group of data, like 1) What is the risk to the organization if this data is stolen? And, 2) Where is this data currently housed, and how secure is it? Just having this list will help you think through how to be more secure.

2) Perform internal/external cybersecurity audits to understand vulnerabilities – These audits vary depending on the vendor performing them, but the idea is to understand the strength of your perimeter and, if there are weaknesses, provide some concept of the scale of the issue.

3) Create a remediation plan – From the information collected, you will likely be facing a list of tasks needed for remediation. Some will be more pressing than others. The goal is to understand the pace needed for making the changes and to create an action plan that reflects this.

4) Training, education, and testing – We are not far from the day when employees (all employees) are held directly responsible for their ability, or inability, to avoid falling victim to cyberattacks. Every employee should undergo cybersecurity training to help them spot a cyberattack. These attacks are becoming increasingly sophisticated and targeted. They’re often aimed at specific individuals in an organization and contain information taken from publicly available sources (such as social network profiles). Testing your employees’ ability to recognize a phishing, spear-phishing, or social engineering campaign has been shown to drastically reduce incidents. When employees are called out for failing these tests, they’re far less likely to fail such tests in the future, and hopefully when it really counts.

The last suggestion I’ll leave you with, and we share this with every organization we interact with, is to commit yourself and your team to learning more about cybersecurity. Regular and continuing cybersecurity education should be a cornerstone of your digital strategy moving forward.

For more information about building a strong cybersecurity foundation and local options for cybersecurity defense and education, please visit

Check List

Matt Stafford is a consultant for Future Point of View. Future Point of View is a partner in TriCorps Cybersecurity. The two organizations help companies worldwide plan technology strategies designed for a quickly evolving world. Feel free to email Matt with questions or comments at [email protected]