Australia | The Value of Soft Cybersecurity Practices

Insentra - 12.07.2017

The Value of Soft Cybersecurity Practices

There have been some very dramatic headlines over the past few months about malware infections breaking out around the globe. Factories have shut down, websites have been infected and consumers have lost confidence. WannaCry, Petya, NotPetya… the list goes on. Are they ransomware or were they created to destroy? Are the perpetrators cybercriminals or state-sponsored?

The question asked by people interested in or responsible for cybersecurity is “how do we protect ourselves?” Do we rush out to buy the newest technology or do we take a step back and look at the basics? I recommend the latter. That is, taking a moment, removing emotion from the equation and looking at the lay of the land.

Consider the following questions:

  • Do we understand the value of our data and the risk to that data?
  • Do we have documented cybersecurity policies?
  • Do we have documented, practical cybersecurity procedures?
  • Do our users know the cybersecurity policies and procedures?
  • Do we audit our cybersecurity policies and procedures?
  • Do we perform risk assessments and penetration tests regularly?
  • Do we review and update our policies and procedures regularly?
  • Do we have a Computer Emergency Response Team (CERT)?
  • Does the CERT know what to do in the event of a cybersecurity incident?
  • Do we have a documented disaster recovery plan?
  • Do we have a documented continuity plan?

If you said “no” or “I don’t know” to any of these questions, your business is at risk.

Hard cybersecurity controls, such as antivirus, firewalls and intrusion prevention systems, are a small but important part of the puzzle. Soft cybersecurity practices, such as planning, testing and training, are a large part of the puzzle. Most companies have technology deployed to help protect against cybersecurity threats. What are you doing for your soft cybersecurity practices?

Recommendations

Cybersecurity Awareness Training

All users should have basic cybersecurity awareness training. This will help users identify attacks and ideally prevent them from happening in the first place. Do they know what social engineering is? Do they click on links in email or attempt to open suspicious files from people they do not know or trust?

Cybersecurity awareness training is available through many vendors on the Web. Get your users trained. They are the first line of defense!

Develop and Document Policies, Plans and Procedures

The business should have documented policies, plans and procedures. If you do not know where to start, you can hire someone who specialises in this area. Alternatively, if you have the time and the interest, you can work through a number of different cybersecurity standards and frameworks such as ISO 27001 and the NIST Cybersecurity Framework.

Once the policies, plans and procedures are in place, practice them so that your team knows how to prevent a cybersecurity threat and what to do if there is a cybersecurity incident.

Risk Assessments and Penetration Tests

Take the time to perform risk assessments on your company’s systems. This will help you identify risks and help you mitigate them. You can mitigate risks by training your users, implementing policies and procedures or implementing technical security controls.

Penetration testing puts all of the above to the test. Penetration tests can be performed against a system or the business itself. Once the penetration test has been completed, the tester will be able to present their findings and let you know where your weaknesses are.

Conclusion

What will the next cybersecurity threat be? How much damage will it cause? Hopefully, if you have prepared your business and your users well by implementing your soft cybersecurity practices, you will be well protected. It takes effort, planning and will to make it happen. Take the first steps today for a safer future tomorrow!
