Holidays are coming up and there will undoubtedly be movie messages about keeping the holiday spirit alive not just for one month but the whole year through. Looking back, we just finished National Cyber Security Awareness Month and it's worth asking: how do we focus on cyber security issues not just during the month of October, but throughout the whole year? Cyber criminals, hackers, and malware certainly don't constrain themselves to just one month!
Here are 12 tips (one for each month) that you can implement in your business to keep up the spirit of Cyber Security Awareness all year long. Keep in mind that cyber security requires a holistic approach, which means you need to consider people, process, and technology concerns when implementing and maintaining a cyber security program.
- Manage your risk: Cyber security isn't a technology concern, though it requires technology solutions and expertise. The information and computer systems we use every day help us to drive business value - just look at companies like Google that grew to multibillion-dollar entities without selling any physical products. Since we can't see data (or information systems hosted in the cloud), it can be easy to forget that these valuable assets have inherent risks. Make sure your organization's risk management strategy includes an evaluation of cyber security risk for all assets, as well as appropriate risk mitigation strategies based on your available resources.
- Inventory your assets: You can't protect what you don't know about. It's as simple as that. Your business needs an up-to-date inventory of hardware, software, and data that is crucial to your operations. It may be possible to get some of this data from systems you already have in place, like a cloud management console that gives you a complete list of all servers you're currently running. To identify critical systems, software, and data you'll likely also need to employ manual processes like surveys or audits, as well as integrating with other processes such as purchasing. Whenever new equipment or services are purchased, part of the process should be updating your inventory.
- Deliver continuous employee education: The simple fact is your employees are the greatest source of weakness, due to the sheer number of people accessing, using, and processing information in your business. There are more opportunities for a user to click a phishing link or browse a malicious site than there are cyber security professionals to help protect your operations. Make sure you incorporate cyber security topics into employee awareness and training throughout the year. In-depth training on business- or role-specific security concerns is important, as is general awareness such as posters or employee portal messages regarding common cyber security practices such as safeguarding passwords and proper physical security measures.
- Measure & report: Metrics are all the rage for data-driven decision making, and cyber security must be a part of your metrics program. It can be difficult to find the right items to measure, but consider critical areas that represent your organization's maturity in cyber security operations. Some examples include response times like incident resolution or timeliness of deploying software patches, as well as number of software vulnerabilities being discovered earlier vs. later in development lifecycles (i.e., are your developers finding and fixing vulnerabilities before code makes it into production, or are you only discovering flaws after an application has gone live?).
- Build for resiliency: Disaster Recovery (DR) and Business Continuity (BC) are gradually evolving into Cyber Resiliency. Rather than focusing on what to do if something goes wrong, the thinking has shifted to how to keep things running when something goes wrong. Review your organization's operations, both technical (technology) and non-technical (people & process) and identify ways that your organization could be brittle. Have you configured cloud applications and services to take advantage of failover/redundancy? Are your employees artificially constrained to doing their work only in an office? By investigating these potential points of failure and architecting resilient business processes and technology systems, you can better prepare your organization to withstand the unknown.
- Review access: According to the Verizon DBIR, nearly 1/3 of data breaches involved phishing attacks; these attacks rely on hapless users giving up their credentials, rather than hackers trying to brute force their way in. By ensuring your users have access only to the resources they need, you can minimize the damage an attacker can do with stolen credentials. Do all employees really need admin access? Most likely not, but overly broad permissions make an attacker's life easier, which shouldn't be a goal of your cyber security program.
- Minimum necessary functionality: Similar to the access review tip, identify the minimum set of functionalities your technology systems require, and then make sure you don't have unnecessary ports, protocols, and services running. Many operating systems come with a broad range of functionality on by default such as FTP, media services, and preinstalled apps. Make sure you disable unnecessary software, shut down unneeded services, and have appropriate protections in place such as firewalls blocking traffic to ports that you aren't using. This reduces what's known as an attack surface - in layman's terms, the number of footholds or ways in an attacker can discover.
- Layers, layers, layers: There's a saying in cyber security: Defense in Depth. Review your cyber security controls and make sure none of them stand alone. As an example, you should require users to enter a password for access to secure systems (a proactive control) and monitor user behavior for anomalies (a detective control). Requiring a password proactively reduces the chances of unwanted access, while monitoring for anomalies such as a user logging into your system from a Russian or North Korean IP address is a further layer of defense. If your users normally log in from your US-based headquarters, detecting suspicious activity coming from other countries can alert you to a possible compromise of user credentials. Layered defense is a great example of a resilient design - if one control fails, you've got others to pick up the slack.
- Follow the data: Your organization, like most in the modern economy, likely generates value from data. This may be in the form of competitive advantage stemming from intellectual property, or it may simply be that your mission requires access to sensitive data such as Personally Identifiable Information (PII) or national security info. Data flow diagrams can help you identify where data flows in your organization; where it's generated, stored, processed, and transmitted. You should be able to identify controls for each of these phases, such as encryption whenever data is stored/transmitted, or a clean-desk policy in place for anywhere data is being processed.
- Plan for incidents: An Incident Response plan is crucial. For starters, it gives you a great point of oversight into your security controls, by allowing you to identify potential weaknesses that could lead to an incident. Keep in mind incidents range from as simple as a temporary loss of power to catastrophic events such as natural disasters or widespread cyberattacks. A documented plan including checklists or playbooks gives you a leg up when disaster strikes.
- Test, exercise, and evaluate: Too much of cyber security is shelfware. Not every business is required to get an external audit, though many compliance frameworks such as PCI-DSS, FISMA, and SOC 2 require an independent, external entity to perform an audit. This perspective is invaluable to help you identify weak points or blind spots. For more operationally focused items such as continuity or incident response plans, exercising and testing these procedures can help you identify outdated, incomplete, and inadequate information.
- Implement a continuous-improvement mindset: The world of cyber security is a constant game of cat and mouse. Every time we install a patch to close a vulnerability, attackers start looking for new vulnerabilities to exploit. A set-it-and-forget-it mindset is actually worse than no cyber security plans at all, because it provides a false sense of security. Identify security requirements and implement appropriate cyber risk mitigations throughout all business processes, such as when launching new products, building/integrating new systems, and making strategic business plans. Conduct regular retrospectives and postmortems to identify improvement opportunities for cyber security efforts and develop action plans to implement any identified improvements.
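The "Minimum necessary functionality" tip can be checked mechanically. The following is an added example, not part of the original article: it compares a host's listening TCP sockets with an approved port baseline and separates loopback-only listeners from network-reachable ones. The sample text (in the format printed by `ss -H -tlnp` on Linux), the process names and the approved port set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the format of `ss -H -tlnp` (Linux); not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=901,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1020,fd=6))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=733,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 50 *:8200 *:* users:(("minidlnad",pid=1400,fd=5))
"""
APPROVED_PORTS = {22, 443}  # assumed baseline for this example host

def parse_listeners(text):
    """Return (bind_address, port, process_name) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 colons intact
        proc = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append((addr.strip("[]"), int(port), proc.group(1) if proc else "?"))
    return listeners

def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    if addr == "*":  # ss prints * for a wildcard (all interfaces) bind
        return False
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback

def audit(text, approved):
    """List unapproved listeners as (port, process, exposure), worst case per port."""
    findings = {}
    for addr, port, proc in parse_listeners(text):
        if port in approved:
            continue
        exposure = "loopback-only" if is_loopback(addr) else "network-reachable"
        if findings.get((port, proc)) != "network-reachable":
            findings[(port, proc)] = exposure
    return sorted((port, proc, exp) for (port, proc), exp in findings.items())

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, APPROVED_PORTS):
        print(finding)
```

Network-reachable findings are the ones to disable or firewall first; loopback-only services still belong in the inventory.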
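The layering described in the "Layers, layers, layers" tip, as an added example that is not part of the original article: the password check is the preventive control, and this detective control reviews the logins that passed it, flagging a successful login from a country outside the user's own history. The events, users and addresses are constructed, and the country code on each event is assumed to come from GeoIP enrichment upstream.

```python
from collections import defaultdict

# Constructed sample data, not real logs. Events are assumed to be enriched
# upstream with a GeoIP country code; "ZZ" is a placeholder for "elsewhere".
HISTORY = [  # (user, source_ip, country, result) from a past baseline window
    ("alice", "192.0.2.10", "US", "success"),
    ("alice", "192.0.2.11", "US", "success"),
    ("bob", "192.0.2.20", "US", "success"),
    ("bob", "192.0.2.20", "US", "success"),
    ("bob", "198.51.100.7", "CA", "success"),  # a single business trip
]
NEW_EVENTS = [  # (timestamp, user, source_ip, country, result)
    ("2024-03-04T08:59:40Z", "alice", "192.0.2.10", "US", "success"),
    ("2024-03-04T03:12:05Z", "alice", "203.0.113.45", "ZZ", "failure"),
    ("2024-03-04T03:12:31Z", "alice", "203.0.113.45", "ZZ", "success"),
    ("2024-03-04T10:15:00Z", "bob", "198.51.100.7", "CA", "success"),
    ("2024-03-04T11:00:00Z", "carol", "192.0.2.30", "US", "success"),
]

def build_baseline(history, min_logins=1):
    """Map each user to the countries seen in >= min_logins successful logins."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, _ip, country, result in history:
        if result == "success":
            counts[user][country] += 1
    return {user: {c for c, n in per_country.items() if n >= min_logins}
            for user, per_country in counts.items()}

def detect(events, baseline):
    """Detective layer: review logins that the password check let through."""
    alerts = []
    for ts, user, ip, country, result in sorted(events):  # ISO timestamps sort in time order
        if result != "success":
            continue  # the preventive control held; nothing got in
        if user not in baseline:
            alerts.append((ts, user, ip, country, "no-baseline"))
        elif country not in baseline[user]:
            alerts.append((ts, user, ip, country, "new-country"))
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert)
```

Raising `min_logins` to 2 also flags bob's login from CA, which shows the trade-off between alert volume and sensitivity when tuning the baseline.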
Although this list is just 12 steps long, each step involves multiple processes that will impact your entire business. There's enough work here to keep a team of cyber security professionals busy during Cyber Security Awareness Month and beyond. Keep in mind that cyber security is not simply an IT concern, but impacts the people, processes, and technology in use across your entire organization. The key to building a robust cyber security capability lies in recognizing its pervasiveness and approaching it conscientiously - not just during the month of October but all year long.