7 Habits of a Cyber-Secured Business
IT security weighs heavily on the mind of every IT leader today. The FBI has been quoted as saying that the only secure business is one that hasn't been hacked yet, and it is certainly true that IT security is a continual struggle between the white hats (the security community and the suppliers of security software and hardware) and the black hats (the cyber-criminals).
In the middle of it all sits the IT leader, trying to make sense of it, to sort reality from hype, and to apply an already strained IT budget to the security countermeasures needed to protect the site.
Simply put, you need a cybersecurity plan.
Here are seven things to do to maximise your business security.
-
Landscape Evaluation – find and define what you are protecting
You need to know what you are protecting and the relative priority of each asset. In short, security planning must be tied to corporate business planning, so that you are not protecting things that are no longer relevant while leaving the new ones unprotected.
This implies that the Head of IT is part of the corporate strategic planning function, so that the security of new developments can be properly planned and funded from the start.
The output of the evaluation is a high-level statement of the physical areas, systems and data to be protected, and their relative priorities.
-
Security Strategy/Plan – Prepare a timed and costed plan for protection
Networks nowadays no longer have a well-defined perimeter. Your organisation may have mobile workers connecting remotely. You may have connections used by third parties such as suppliers and customers. You may have an Internet site giving the general public access to limited information sources.
What is needed is a resourced, timed and budgeted strategic plan that sets out how the existing network and access to it are to be protected, and how extensions and enhancements are to be managed.
The output of this stage is a document setting out:
- The physical and systems architecture to be protected;
- The tools and techniques to be used;
- Staffing requirements;
- Outline budgetary numbers;
- Outline non-IT requirements.
-
Security Policies – The Hows and Whys of Implementing Security
All users of the network, and all suppliers and users of corporate information, must work according to defined acceptable behaviours. This requires the preparation and acceptance of policies and procedures covering the use of corporate IT services and the associated non-IT activities.
An important part of setting out policies and procedures is to define sanctions and disciplinary actions: what happens when the policies are broken. This needs the involvement of HR and other interested parties to ensure that the sanctions are fair and proportionate to the transgression. Legal may also need to review them to ensure that they conform to legislation.
-
Incident response plan – What to do if there is a breach
If an incident occurs, what happens next and who does what must be clearly understood by all. This will probably need at least two separate documents: one for technical actions and one for non-technical actions, for example the communications programme for staff, customers and regulators.
The incident response plan is usually written for minor incidents. Major incidents that disrupt the business are dealt with in the Business Continuity plan (see Disaster Recovery below), which the incident response plan should invoke rather than duplicate.
-
Training – A Vital Component
The FBI has stated that more incidents result from user action or inaction than from direct external attack.
A prudent cybersecurity environment recognises this and has a planned programme of user education and reinforcement. The programme starts at induction and is regularly reinforced by update workshops, notices and the like.
-
Disaster Recovery – The Way Back
Disaster Recovery, or Business Continuity planning as it is more often called nowadays, is a vital part of cybersecurity planning. If and when a major incident occurs, it is vital to have a clear statement of what is to be done and by whom. This will also include the invocation of standby facilities and perhaps manual fallback procedures.
-
Keeping up to Date
All of that is very well, but IT security is a very fluid environment. New malware and attack vectors arise continually and need to be addressed.
Therefore:
- All the above documents are living documents and need to be continually reviewed and updated as required. A formal programme is needed to ensure that this is done. Documents should be under version control and subject to formal change management procedures.
- The Head of IT and, if there is one, the Head of IT Security need to keep on top of industry trends and security issues. This means using Internet and social media information sources and attending relevant conferences.
- Your senior executives need to be kept up to date as well, if only to make it easier to get an increased budget allocation for network security and to demonstrate that you are on top of the horror stories they read about and hear at the 19th Hole.
Hopefully, these suggestions will provide a framework for the development of your cybersecurity plan.