Information technology is the lifeblood of the modern enterprise. IT has become central to business operation. It’s difficult to imagine how companies functioned just 30 years ago. The proliferation of technology has, however, introduced new risks that didn’t exist before — at least not in the same form or severity. Top of these is the risk of data loss, data theft and catastrophic system failure. Every year, dozens of major cyberattacks make international headlines. The cost of containing and recovering from a cyberattack is much higher than the cost of prevention. Developing a robust cybersecurity strategy is one of your most effective tools for preventing an attack. But how do you do it?
IT managers often struggle as much as non-technical C-suite executives in knowing just where to start. The following tips should get you moving in the right direction.
1. Inventory and classify all hardware and software
You cannot protect your assets if you don’t know what assets you have in the first place. So, the foundation of your cybersecurity strategy must be the identification and inventorying of all hardware and software. This should cover both authorized and unauthorized systems. Unauthorized in this sense doesn’t necessarily mean malicious. Rather, it’s software and hardware that may have been introduced into the organization’s network without going through the requisite clearance. During inventorying, you should also embark on system classification where each system is assigned a priority rating. Mission-critical systems would have the highest priority rating while more routine applications such as Microsoft Office would be classified as low priority.
2. Quantify the risk
Cybersecurity is a broad subject and the potential risks are vast. Nevertheless, your business isn’t equally vulnerable to all IT security risks. An important step in developing an effective strategy is therefore to identify and quantify the risks that pose the greatest danger to your organization’s systems and electronic data.
As you define the materiality of the risk, ensure that you also determine what you consider an acceptable degree of risk. What level of risk are you willing to live with and what risks do you want to eliminate by insurance or discontinuing certain business processes or products?
3. Baseline configuration
Once you have done the groundwork covered in the preceding points, this should form the basis for a baseline security-conscious configuration that’s applied to all devices in the organization. That means that you should apply system and data controls consistently to all computers within the company.
Inconsistent application of controls creates loopholes that a malicious third party can exploit. You should have an automated process of applying security updates that reduces the risk of anything falling through the cracks.
4. Management of administrative privileges
User accounts are not created equal. Virtually every system has one or more administrative accounts meant to facilitate configuration, maintenance, and troubleshooting. While administrative accounts are created as a force for good, the extraordinary privileges these accounts have mean they can cause catastrophic damage if they fall in the wrong hands.
A server, network, or database administrator account can effect far-reaching changes to company systems and data. Therefore, your cybersecurity strategy must provide for the management of privileged accounts. The security strategy should have controls that prevent both misuse by IT staff as well as abuse by a third party who happens to grab a hold of an administrator password.
5. Deter insider threats
We often view cybersecurity as a means of protecting the company’s network and data from external threats. In reality, a considerable proportion of successful attacks are the result of an insider’s action. In fact, even where attacks originate externally, they often leverage information gathered internally.
Insider threats may be intentional or accidental, and the IT security strategy must have a means of identifying and addressing each type. Your cybersecurity strategy must therefore have a mechanism for monitoring insider activity across the organization.
Most important is the management of the human element of cyber-risk since your employees are always your weakest link. The strategy must nurture a positive security-conscious work culture that discourages counter-productive behavior.
6. Recognize that some attacks will be successful and plan for that
Yahoo, TJX, Marriot, Target, Equifax, LinkedIn, EBay, AOL, and JP Morgan Chase — these are some of the most recognizable brands in the world. Yet, they’ve all been the victims of successful cyberattacks. Even the U.S. federal government hasn’t been spared. What all this implies is that despite your best efforts at securing your systems and data, a successful attack could still occur.
As opposed to waiting to think about how you will deal with it when it happens, it’s better to develop an incident-response strategy in advance. Incident response should be about quickly assembling the resources and skills required to identify and contain an attack, determine the magnitude of the impact, and ensure minimal disruption to customers and system users.
7. Integrate data, technical and physical security
Organizations must not view cybersecurity in isolation but rather as part of a wider enterprise security policy. An effective software, network, and hardware security strategy must be consistent and complementary to the physical security strategy of the business.
In fact, there can be no true IT security without some form of physical barrier such as controlled access to datacenters or a clearance process for any company-owned gadgets that leave the business premises.
8. Continuous risk and vulnerability assessment
An IT security risk assessment isn’t something you do once and forget about for good. The technology environment is constantly changing as new systems are introduced while older ones are either updated or phased out. With this state of constant flux, the risks evolve accordingly.
It’s therefore important to schedule a comprehensive cybersecurity risk assessment at least once a year that reviews the organization’s technology ecosystem. This ensures the controls in place are still adequate in protecting enterprise hardware and software.
Cybersecurity strategy: This is where your defense starts
The challenges of keeping their technology secure compels businesses to recognize the role of robust IT security in creating a healthy environment for doing business and realizing their overall strategic goals. All that begins with the development of an incisive and practical cybersecurity strategy.
Featured image: Shutterstock