Each October, we observe National Cybersecurity Awareness Month, and it's worth asking: how do we focus on cybersecurity issues not just during October but throughout the entire year? Cybercriminals, hackers, and malware certainly don't constrain themselves to just one month!
Here are 12 tips (one for each month) that you can implement in your business to keep up the spirit of Cybersecurity Awareness all year long. Remembermind that cybersecurity requires a holistic approach, which means you need to consider people, processes, and technology concerns when implementing and maintaining a cybersecurity program.
Manage your riskCybersecurity isn't a technology concern but requires technology solutions and expertise. The information and computer systems we use daily help us to drive business value - look at companies like Google that into multibillion-dollar entities without selling any physical products. However, since we can't see data (or information systems hosted in the cloud), it can be easy to forget that these valuable assets have inherent risks.
Ensure your organization's risk management strategy includes an evaluation of cybersecurity risk for all assets and appropriate risk mitigation strategies based on your available resources.
Inventory your assetsYou can't protect what you don't know about. It's as simple as that. Your business needs an up-to-date hardware, software, and dais inventory crucial to your operations. It may be possible to get some of this data from systems you already have, like a cloud management console that gives you a complete list of all servers you're currently running. To identify critical systems, software, and data, you'll likely also need to employ manual processes like surveys or audits and integrate them with other processes such as purchasing.
Whenever new equipment or services are purchased, part of the process should be updating your inventory.
Deliver continuous employee educationPut, your employees are the most significant source of weakness due to the sheer number of people accessing, using, and processing information in your business. There are more opportunities for a user to click a phishing link or browse a malicious site than there are cybersecurity professionals to help protect your operations. Ensure you incorporate cybersecurity topics into employee awareness and training throughout the year.
In-depth training on business- or role-specific security concerns is essential, as is general awareness, such as posters or employee portal messages regarding standard cybersecurity practices such as safeguarding passwords and proper physical security measures.
Measure & reportMetrics are all the rage for data-driven decision-making, and cybersecurity must be a part of your metrics program. Finding the right items to measure can be difficult, but consider critical areas that represent your organization's maturity in cybersecurity operations. Some examples include response times like incident resolution or timeliness of deploying software patches, as well as several software vulnerabilities being discovered earlier vs. later in development lifecycles (i.e., are your developers finding and fixing vulnerabilities before code makes it into production, or are you only discovering flaws after an application has gone live?).
Build for resiliencyDisaster Recovery (DR) and Business Continuity (BC) are gradually evolving into Cyber Resiliency. Rather than focusing on what to do if something goes wrong, the thinking has shifted to how to keep things running when something goes wrong. Review your organization's technical (technology) and non-technical (people & process) operations and identify ways your organization could be brittle. For example, have you configured cloud applications and services to take advantage of failover/redundancy? Are your employees artificially constrained to doing their work only in an office?
Investigating these potential points of failure and architecting resilient business processes and technology systems can better prepare your organization to withstand the unknown.
Review accessAccording to the Verizon DBIR, nearly 1/3 of data breaches involved phishing attacks; these attacks rely on hapless users giving up their credentials rather than hackers trying to brute force their way in. By ensuring your users have access only to the resources they need, you can minimize the damage an attacker can do with stolen credentials.
For example, do all employees need admin access? Most likely not, but overly broad permissions make an attacker's life easier, which shouldn't be a goal of your cybersecurity program.
Minimum necessary functionalityLike the access review tip, identify the minimum set of functionalities your technology systems require, and then ensure you don't have unnecessary ports, protocols, and services running. Many operating systems come with a broad range of functionality by default, such as FTP, media services, and preinstalled apps. Ensure you disable unnecessary software, shut down unneeded services, and have appropriate protections, such as firewalls blocking traffic to ports you aren't using.
This reduces what's known as an attack surface - in layperson's terms, the number of footholds or ways an attacker can discover.
Layers, layers, layersThere's a saying in cybersecurity: Defense in Depth. Review your cybersecurity controls and make sure none of them stand alone. For example, you should require users to enter a password to access secure systems (a proactive control) and monitor user behavior for anomalies (a detective control). Requiring proactively reduces the chances of unwanted access, while monitoring for anomalies, such as a user logging into your system from a Russian or North Korean IP address, is a further layer of defense. If your users typically log in from your US-based headquarters, detecting suspicious activity from other countries can alert you to a possible compromise of user credentials.
Layered defense is an excellent example of a resilient design - if one control fails, you've got others to pick up the slack.
Follow the dataLike most in the modern economy, your organization likely generates value from data. This may be a competitive advantage from intellectual property or simply because your mission requires access to sensitive data such as Personally Identifiable Information (PII) or national security info. Data flow diagrams can help you identify where data flows in your organization; where it's generated, stored, processed, and transmitted.
In addition, you should be able to identify controls for each phase, such as encryption whenever data is stored/transmitted or a clean-desk policy in place for anywhere data is being processed.
Plan for incidentsAn Incident Response plan is crucial. For starters, it gives you a great point of oversight into your security controls by allowing you to identify potential weaknesses that could lead to an incident. Keep in mind that incidents range from temporary loss of power to catastrophic events such as natural disasters or widespread cyberattacks.
A documented plan, including checklists or playbooks, gives you a leg up when disaster strikes.
Test, exercise, and evaluateToo much of cybersecurity is shelfware. Not every business is required to get an external audit, though many compliance frameworks such as PCI-DSS, FISMA, and SOC 2 require an independent, external entity to perform an audit. This perspective is invaluable to help you identify weak points or blind spots.
In addition, exercising and testing these procedures can help you identify outdated, incomplete, and inadequate information for more operational-focused items such as continuity or incident response plans.
Implement a continuous-improvement mindset.The world of cybersecurity is a constant game of cat and mouse. Every time we install a patch to close a vulnerability, attackers start looking for new vulnerabilities to exploit. A set-it-and-forget-it mindset is worse than no cybersecurity plans because it provides a false sense of security. Instead, identify security requirements and implement appropriate cyber risk mitigations throughout all business processes, such as launching new products, building/integrating new systems, and making strategic business plans.
Conduct regular retrospectives and postmortems to identify improvement opportunities for cybersecurity efforts and develop action plans to implement any identified improvements.
Although this list is just 12 steps long, each step involves multiple processes that will impact your entire business. There's enough work here to keep a team of cybersecurity professionals during Cybersecurity Awareness Month and beyond. Remember that cybersecurity is not simply an IT concern but impacts the people, processes, and technology in use across your entire organization. The goal of building a robust cybersecurity capability lies in recognizing its pervasiveness and approaching it conscientiously - not just during October but all year.
This piece was originally posted on October 27, 2022, and has been refreshed with updated styling.