Many organizations today lack appropriate cybersecurity controls. Ransomware attacks, email phishing, and other cyberattacks are quickly spinning out of control. At the same time, cybersecurity maturity among American small businesses is lagging at best. While large enterprises have the budgets and cybersecurity staff to defend against increasing risk, SMB’s and universities do not.
Pick a Cybersecurity Framework
Many organizations take a compliance-based approach to cybersecurity maturity. They review the laws and regulations they are legally required to meet, then build a program around those requirements. Unfortunately, this piecemeal approach can leave large gaps in a cybersecurity program. Meeting PCI DSS, or even the HIPAA Security Rule, can leave core controls that result in risk-reduction unmet while spending a great deal of time and resources on compliance-oriented documentation.
We recommend that organizations choose a cybersecurity framework to follow such as NIST CSF. The NIST Cybersecurity Framework is regarded as the gold standard for building a comprehensive and effective cybersecurity program. By following NIST CSF, you can ensure that your program isn’t missing any core competencies, and in many cases, you can crosswalk NIST to other core requirements your organization faces.
Focus on Measurable Risk Reduction
Documentation provides detailed and valuable instructions for employees to follow to reduce risk and to respond to a cybersecurity incident if one does occur. However, writing documentation for its own sake is a pointless waste of time at best, and can be actively harmful at worst.
We recommend companies focus on actionable steps to reduce risk. Documentation (that is adhered to) is part of that. But larger parts include cybersecurity training, active monitoring, incident response drills, and other concrete steps that result in risk reduction. Here are a few worth considering:
Security Awareness Training
Interactive and routine security awareness training for employees is one of the easiest and most effective ways to reduce risk across the organization. People are both your largest cyber liability and asset. Providing effective training can dramatically decrease the risk that they click on a phishing email or otherwise introduce cyber risk to the organization.
Mandate Two-Factor Authentication
Two-factor authentication is one of the most cost-effective and underutilized tools in cybersecurity. Requiring 2FA on all critical business accounts can reduce the risk of an incident and lower the chances that a breach spreads laterally throughout the organization. All sensitive records, financial data, banking, and other services should be protected with mandatory two-factor authentication.
Where possible, use an application like Google Authenticator rather than SMS authentication. SIM-swapping and other attacks can bypass SMS 2FA entirely. While authenticator applications might not defeat a determined attacker, they can reduce the risk of your organization falling risk to basic attacks.
Ensure Systems Stay Patched
Lack of adequate patching leads to an astounding number of cybersecurity incidents every year. Even large companies will at times run systems that are years old and no longer supported by the manufacturer. Make sure your organization is using modern software, and ensure that updates are applied as soon as they are released for production.
Implement Controls to Meet Your Framework
Once you have selected a framework and ensured that you have the basics down, it’s time to develop a plan and implement security controls. In certain cases, you might find it necessary to purchase software such as a SIEM solution or anti-malware. In other cases, you can implement open-source cybersecurity tools to reduce the cost burden. Unfortunately, many open-source tools may require more hands-on time to ensure they are functioning property and collecting data.
Many frameworks have a heavy emphasis on planning, response, and paperwork. Cybersecurity and incident response planning is treated by many organizations as useless paper to show an auditor should one show up. Don’t be that company. You have the opportunity to turn your incident response plan and other critical documentation into actionable content that you can use in a crisis. Time spent creating documentation is wasted only if you ignore it.
Test Your New Cybersecurity Program
Building a cybersecurity program isn’t enough. You also need to test it and make sure that there are no major holes. Testing can take many forms. You may consider running incident response drills, conducting simulated phishing exercises, or auditing computers to ensure that proper patching has been applied to them.
Ensure that when you do find a gap, it is well-documented and a remediation plan is implemented. Routinely testing your cybersecurity program and incident response capabilities is critical to maintaining risk reduction. In addition, you should routinely audit your organization against relevant compliance requirements such as HIPAA, FERPA, PCI, and other industry-based standards. If you based your program on a cybersecurity framework such as NIST CSF, crosswalk NIST controls with your requirements to ensure they are being adequately met.
Consider Adaptive Cybersecurity
Adaptive cybersecurity scales up and down based on the needs of your organization and your unique risk profile. An adaptive program enables you to rapidly increase cybersecurity budget and response time in the face of a crisis or significant threat while paying less over long periods of time.
Taking action on cybersecurity has never been more critical than in the 2020s. Threats are growing exponentially and many companies are severely exposed. Without dramatic, motivated, and targeted action, companies will continue to fall victim to preventable threats such as ransomware and email phishing. Start building your company’s cybersecurity maturity prior to a breach.
