by Rob Simopoulos, Co-Founder, Defendify
IT professionals are entrusted to recommend methods that strengthen overall data protection. For many, though, it is difficult to lead the charge toward better cybersecurity when the organization has no established security culture. Building one usually requires leadership to work with their teams to lay the foundation for proper cybersecurity processes, procedures, and plans. Before that can happen, all key stakeholders must first understand the current state of their cybersecurity program.
Spurs to Greater Cybersecurity
What kinds of situations or events alert organizations that it is time to assess the strength and weaknesses of their cybersecurity program?
- For some, it is merely the constant barrage of cyber incidents showcased in the media every day. These stories are no longer just about large enterprise businesses having become victims of a cyberattack. Organizations of all sizes and types have been the recent targets of cybercriminals.
- Leadership and the Board of Directors, who consistently monitor business risk, may take cyber incident news, or a costly cyberattack reported by a peer, as a prompt to ask how their organization is responding to increased threats.
- Someone within the organization might receive an unexpected cybersecurity assessment request from a customer or partner. Failure to check the boxes would mean stalling business with that organization.
- Government, insurance, and industry regulations may have been updated to include new data security requirements. Non-compliance with these mandates often means fewer opportunities to bid on projects, less business with industry-related groups, or potential fines.
The Cybersecurity Assessment
To check your level of “cyber maturity,” a cybersecurity assessment is the first step. Like a doctor’s checkup that inspects and recommends efforts to improve your overall health, a cybersecurity assessment directs you through a checklist of security controls that will help map out the current state of cybersecurity protection across your organization.
These assessments are not simply a technical scan you run on the network, but rather a holistic review of all aspects of your cybersecurity, including often overlooked policies, plans and procedures.
Once complete, the cybersecurity assessment can act as a benchmark to track improvements to your cybersecurity posture over time.
Your Cybersecurity Checklist
You can perform a cybersecurity assessment yourself or hire an outside company to conduct one for you. You begin with what is sometimes a surprisingly difficult decision: Which security framework or standard should be used?
There are many cybersecurity frameworks, including the NIST series, PCI, CIS, CMMC, HITRUST, the ISO 27000 series, SOC 1/2, and more. Reviewing them will require you to wade through some detailed descriptions and directives. The type of work you do may be a factor in this selection. As an example, many U.S. Department of Defense contractors are required to match up to the controls within NIST 800-171, and soon to the multi-tiered approach in the new CMMC standard.
It is important to note that control frameworks like NIST are not just for larger enterprises that can afford a complex stack of cybersecurity technology and a team of security professionals monitoring it around the clock. As cyber threats grow in sophistication, more and more small and mid-sized organizations are mapping their cybersecurity to these frameworks.
Whatever you use, the result should be a report that clearly outlines the strengths and weaknesses within your cybersecurity program. This report should include an overall score or grade, which can be extremely useful to track and communicate the current state of cybersecurity protection across your organization.
The broad view is particularly important if your score is not what you would have liked it to be. Perhaps your assessment came back as a C- grade. Your goal can now be to move your organization to a B and then on to an A. With the report and grade in hand, you will be able to identify where to begin, where to budget first, and how to assemble an improvement plan accordingly.
Some Key Checklist Elements
While every situation is unique, there are basic elements that all organizations should consider to ensure more robust cybersecurity health:
Regularly scan for vulnerabilities within your IT infrastructure, including internal networks, external networks, and web applications. By deploying vulnerability scanners, you can be notified of any network- or device-related security vulnerability. Quite often these tools rank vulnerabilities by severity (e.g., High, Medium, Low). Once weaknesses are discovered, review and patch them as they arise, starting with the most critical. You may consider deploying automated patching tools to make remediation simpler to manage.
Establish a regular cadence of cybersecurity awareness training across the entire organization. This means consistently training all employees on the types of threats to be on the lookout for, and how to properly address and report a threat. Threats change rapidly, so many organizations are increasing the frequency of their training cadence closer to monthly, rather than one-time annual training.
Develop and utilize policies, such as a Technology and Data Use policy, for employees and contractors who interact with sensitive company data and resources. Cyber hygiene has not been taught to a large portion of the work force, and many untrained users pose a threat to your organization as they begin to interact with your systems. Reviewing the “rules” around use of company technology and how to protect company data with all users, along with a sign-off procedure, can align expectations.
Take your technology beyond firewalls and anti-virus. These technologies are still extremely valuable, but as you map your organization against cybersecurity frameworks, you will identify areas where additional tools are needed to protect today's evolving workplace.
Form a way to quickly and easily “check the boxes” on cybersecurity mandates and audits. These are appearing more often than ever with tight timeframes to complete the cybersecurity audit or third-party assessment. Maintaining a cybersecurity posture that maps to key security frameworks will help avoid a time-consuming hassle in the future.
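As an added illustration of the scanning and scoring ideas above (this is example code written for this page, not a Defendify tool), the script below orders constructed scanner findings for remediation by severity and age, scores a control checklist grouped into the article's areas, turns the percentage into a letter grade, and compares two assessments as a benchmark. The control names, sample findings, and the +/- grade thresholds are assumptions.

```python
"""Prioritise findings by severity and benchmark a checklist score over time."""
import copy

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed scanner findings (not real scan output): severity as the
# scanner ranks it, plus days open so older items surface first within a tier.
FINDINGS = [
    {"asset": "web-01", "issue": "outdated web framework", "severity": "Medium", "days_open": 40},
    {"asset": "fw-01", "issue": "admin panel reachable externally", "severity": "High", "days_open": 3},
    {"asset": "db-01", "issue": "unsupported database version", "severity": "Critical", "days_open": 9},
    {"asset": "app-02", "issue": "verbose error pages", "severity": "Low", "days_open": 120},
    {"asset": "web-02", "issue": "missing security patch", "severity": "High", "days_open": 21},
]

def prioritize(findings):
    """Remediation order: most severe first, then longest open within a tier."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], -f["days_open"]))

# Hypothetical checklist results grouped by the article's areas; True = in place.
CHECKLIST_Q1 = {
    "Scanning": {"internal scan": True, "external scan": True, "web app scan": False, "patching": True},
    "Training": {"annual training": True, "monthly refresher": False},
    "Policy": {"technology use policy": True, "employee sign-off": False},
    "Technology": {"firewall": True, "anti-virus": True},
}
# Second assessment after adding web application scanning.
CHECKLIST_Q2 = copy.deepcopy(CHECKLIST_Q1)
CHECKLIST_Q2["Scanning"]["web app scan"] = True

def score(checklist):
    """Return (overall percent of controls in place, percent per area)."""
    by_area = {a: round(100 * sum(c.values()) / len(c)) for a, c in checklist.items()}
    total = sum(len(c) for c in checklist.values())
    done = sum(sum(c.values()) for c in checklist.values())
    return round(100 * done / total), by_area

def letter_grade(percent):
    """Map a percentage to a letter with +/- bands (conventional cut-offs, assumed)."""
    for letter, low in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if percent >= low:
            if percent >= low + 7:
                return letter + "+"
            return letter + "-" if percent < low + 3 else letter
    return "F"

def progress(previous, current):
    """Benchmark: change in each area's percentage between two assessments."""
    _, before = score(previous)
    _, after = score(current)
    return {area: after[area] - before[area] for area in after}
```

Running score() on the two checklists gives 70 (C-) and then 80 (B-), with progress() showing the 25-point gain confined to the Scanning area.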
The key to strong cybersecurity is being consistent with understanding current threats, risks, and weaknesses, then making prioritized improvements. This consistency takes desire, discipline and continuous progress, but it does not have to be overly complicated. Include ongoing cybersecurity assessments as a standard business practice and get ahead with your cybersecurity program.
About the Author
Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform for organizations without dedicated security teams.
Defendify is a single platform designed to streamline how organizations build comprehensive cybersecurity policies, plans, education, scanning, breach detection, and more. This means that organizations without security teams can now achieve data protection similar to that of larger enterprise companies, without the complexity or expense of implementing multiple security technologies and hiring around-the-clock security professionals.
You can reach Rob at firstname.lastname@example.org