There’s no silver bullet when it comes to cybersecurity. But there are a few basics that nearly any organization – whether it’s a hospital, school, financial institution, government entity, or manufacturing plant – can put into place to get a start on their cybersecurity plan.
By getting these cybersecurity basics in place now, you’ll be better positioned to protect your data, minimize potential damage, and improve recovery time after an incident.
1. Policies & Procedures
Simply put, these are guidelines you put forth to help strengthen cybersecurity efforts and guide employees down the right path.
Your policy on antivirus software may state that your organization will utilize it to prevent, detect, and remove malware. The procedures you outline will summarize how this will be accomplished: through automatic updates, requiring that all devices be scanned for viruses, and putting methods in place to prevent employees from turning off the software.
Reward employees who follow the policies and procedures and find a way to address employees who don’t. (Do they not understand? Are they not aware?) Failure to enforce policies defeats their purpose and can leave your organization vulnerable.
2. Findings from Data Analysis
Before you can protect your data, you have to know exactly what data you have and where it is. After you’ve identified the scope of your data, then you can conduct a business impact analysis and determine how your organization might be impacted if this data were interrupted or taken down – and how long you could survive before significant financial loss or damage occurred.
Having this information can help you determine where and how to prioritize, as well as make the business case for cybersecurity investments – especially when you can demonstrate to the C-suite the potential financial impacts of not having access to the systems and data that are essential to survival.
3. Incident Response Plans
Incident response plans typically feature action steps to keep an incident (like a virus) from spreading or getting worse. They’re short-term plans put into place to limit damage, reduce recovery time, and keep costs as low as possible during an event. The steps should walk you through what happens in the case of a breach, a cybersecurity incident, etc.
4. Disaster Recovery Plans
Disaster recovery steps should be outlined so you’re ready to resume business rapidly after an incident. Possible things to include in your disaster recovery plan may be:
- An analysis of threats and how your organization will react to them
- The items you’ll need to get up and running again ASAP after a disaster
- A list of critical people who will be responsible for responding after an incident
- Strategies to limit loss during and after an event
- Steps to follow once the situation is under control
Regularly update your disaster recovery plan to account for changes in systems, software, and staff.
5. Multiple Layers of Defense
Using just one defense mechanism is no longer enough. To fight back against today’s cyber threats, your organization needs the right mix of:
- Firewalls to block unauthorized access
- Antivirus software to detect and remove viruses and malware
- Intrusion detection systems to monitor networks for malicious activity
- Intrusion protection systems to respond to detected intrusions
- Network segmentation to separate groups, systems, and/or applications
- Network access control to restrict network resources to only the devices that comply with certain parameters
It’s important to understand the cybersecurity regulations that apply to your industry (there’s likely at least one), and make sure you’re meeting – if not exceeding – them. Examples include:
- DFARS for organizations that work with the government
- HIPAA for healthcare organizations
- PCI for companies that handle credit card data
- SOX for public companies
- SEC for registered investment advisors
Incorporating security awareness training into the workplace can help your employees act as your first line of defense against possible damage. You could consider monthly lunch-and-learn exercises, regular email updates about new threats, planned/simulated attacks, or web-based training. Training topics could include:
- Creating and managing passwords
- Improving data privacy
- Working safely online
- Identifying spam/phishing attempts
- Handling sensitive or critical information inside and outside the corporate network
Accomplish Your Goals With vCISO Services
ProCircular’s in-depth virtual Chief Information Security Officer (vCISO) package offers help building your security program. Our vCISO consultants work with IT departments, executives, and other team members to build an information security strategy that provides protection and compliance. An experienced virtual chief information security officer helps companies stay on top of the threat landscape and compliance standards without hiring an internal team. Want to learn more? Have questions about anything we mentioned above? We’d love to help. Send us a note or visit Virtual CISO Consulting Services | vCISO Services | ProCircular !
