The cyberthreat landscape is always evolving, but effective controls and regular education can significantly reduce risks.
The Russia-Ukraine crisis has brought the issue of cybersecurity into yet-sharper focus, with experts predicting that Russia could launch cyberattacks on U.S. infrastructure and companies. But the need for diligence in cyberspace is ever-present. According to IBM’s Cost of a Data Breach Report 2021, the average cost to global businesses of a data breach is $4.24 million, the highest average total cost in the report’s 17-year history.[1] Further, these numbers do not account for less quantifiable costs, such as reputational damage with clients and vendors, productivity loss or lower employee morale.
While the volume and complexity of threats continue to grow, experts agree that businesses can significantly reduce their exposure — and costs, if a breach occurs — by following some well-vetted best practices for operating in the current threat environment. Below is a list of such practices, which begin with setting a strong governance framework and are underpinned by continual awareness and education.
Define Your Threats, Assets and Impact.
All cybersecurity programs must begin with a strong governance foundation; policies, standards, procedures and commitment from senior management are crucial building blocks for protecting data. A good way to begin this process is through performing a comprehensive analysis of the information ecosystem that needs protecting. This includes:
- Outlining who might attack your business and identifying the potential types of impact
- Defining your technology inventory, including servers, desktops, laptops, mobile devices and removable media
- Defining both your local-area networks (LANs) and wide-area networks (WANs)
- Outlining your third-party supply chain
- Classifying your people inventory – individuals, roles, access and monitoring
Create Policies and Procedures.
To establish governance and create structure for your program, you need documented policies and procedures. The results of litigation, due diligence and outside audits will all rely on these documents. They will also support business resiliency.
When building or refreshing your program and its supporting documents, consider doing the following:
- Establishing a governing body to review and set priorities
- Limiting access to non-work-related sites, such as personal email, social networking, shopping and data sharing portals
- Establishing a process to build security and privacy tenets into projects from inception
- Implementing and prioritizing secure coding protocols
- Analyzing the risk of third-party vendors
- Testing and measuring your control effectiveness
- Hiring and retaining effective information security talent
- Keeping accurate records, logs and audit results and applying the information gathered to consistently improve your program
Create Cybersecurity Operational Plans.
In addition to policies and procedures, operational plans — living documents that evolve with your organization’s growth and changing cyber trends — will also help strengthen your defenses. These plans are not one-size-fits-all but rather should combine company- and industry-specific add-ons with certain core components. An operational plan should allow you to prioritize both your short- and long-term cybersecurity plans and budgets and should consider the use of new systems, increases in business volume, and the addition of employees and new suppliers.
Incident response plans are crucial for being able to respond quickly to a cyberattack. These plans need to be reviewed, updated and tested annually using various scenarios. It is recommended to save offline copies of the plans in the event company devices are not functioning. Incident response plans should include:
- Employees to notify and involve
- Locations where data and data backups are stored
- Process for contacting law enforcement, legal, clients, vendors, etc.
Perform Vulnerability Assessments.
Vulnerability assessments identify weaknesses in your systems and should be conducted at least annually. They should cover your business and its supply chain and include both physical and cyber components. Using an outside firm to perform the review is highly preferred. These assessments will also test your incident response plans mentioned above.
Use Secure Methods for Sharing Confidential Information.
The protection of confidential information is critical to the continued success and protection of your business. Begin by identifying your most valuable and sensitive information, then establish controls to protect the information based on the risk associated with unauthorized access or loss. Below are some of the most effective practices in this area:
- Using encryption tools wherever possible, including for email distribution and file transfers
- Understanding the legal requirements as they relate to protecting Personally Identifiable Information (PII), including regulations such as HIPAA and PCI, if applicable
- Determining what types of protection are necessary for stored data
- Considering the use of secure file sharing tools
Use Multi-Factor Authentication Whenever Possible.
The more factors needed to log in or perform other transactions related to your business, the lower the risk of a breach. These can often be put into place with minimal impact on speed and convenience. For financial transactions, use both multi-factor options and call-back procedures.
Conduct a Regular Awareness and Education Program.
In order for your cybersecurity program to be effective, your employees need to understand it and stay informed about evolving threats. In addition to regular education with updated curriculum on the topics listed below, ensure that evolving threats are tracked and that your education program has the flexibility to keep your employees informed of new threats in addition to those that already exist:
- Phishing emails, vishing calls, smishing texts
- Social media scams and data privacy best practices
- Social engineering
- Business email compromise (BEC)
- Executive compromise emails/whaling
- Device security including passwords, storage and acceptable use
- International travel
- Public Wi-Fi
Back Up Critical Data, and Test Recovery.
Reliable recovery options will help mitigate the impact of a security compromise; in particular, do not store your backup data in the same location or on the same server as your production data. Be disciplined in the creation, protection and testing of backups for critical data and technology systems.
Monitor Systems and Unusual Activity.
Irregular network traffic, access patterns, physical activity, and the size and types of files leaving your business should all be closely examined. If possible, consider hiring an outside firm with specialized tools and resources to help you with this work. Also, be aware of legal restrictions against certain types of monitoring, particularly as they relate to your workforce.
Take Advantage of Outside Resources.
Strengthen your cybersecurity defenses through intelligence-sharing opportunities with peers, vendors, law enforcement and industry affiliations. Also, make sure to stay informed with information offered by the Federal Trade Commission, the Federal Bureau of Investigation (FBI) and the National Cyber Security Alliance. Whenever possible, subscribe to “cyber alerts” of current threats and indicators of compromise, such as those available through the National Cyber Awareness System.
While there is no foolproof solution to protecting your business against cyber threats, following the above best practices will position you among the best of your peers. For more information on how to protect both your business and family, visit the Northern Trust Security Center.