While October is earmarked as National Cyber Security Awareness Month by the U.S. Department of Homeland Security and the National Cyber Security Alliance, cyber security plays a critical role in protecting internet-connected businesses year-round. Every organization entrusted with confidential customer and business data is obligated, both morally and legally, to secure that data with care and vigilance. Beyond that, no company wants its brand splashed across news headlines as the victim of the latest security breach. Having a process in place, and, if needed, support from a qualified managed security partner that understands the role security plays in the customer experience, is essential.
Implementing cyber security
Implementing a multilayered IT security process that follows best practices demonstrates a serious effort to meet compliance requirements and shows that an organization respects its customers and partners. At a minimum, this kind of IT security process should include the following steps:
- Recognize and value information assets: Knowing which assets you have and what they are worth helps you determine exactly what you must secure and protect, and it also allows for more accurate budgeting and expense forecasting.
- Assess and evaluate risk: Organizations perform a risk assessment to identify the most serious risks to their assets, to prioritize those risks and to determine the best methods of control. In a nutshell: avoid risks whenever possible, manage high-priority risks, accept low-priority risks, and look to transfer risk via insurance or other means.
- Establish mitigation and avoidance strategies: Implementing new or upgrading current controls to protect assets is essential to risk mitigation. This may involve firewalls, intrusion prevention systems (IPSs), and role-based and application controls, to name a few. To avoid risk, look for ways to discontinue unnecessary practices, such as collecting customer information your organization no longer tracks.
- Consider cyber insurance: One way to reduce risk is to transfer it, and insurance is a common method of doing so. Cyber insurance covers costs associated with security breaches, such as business losses, privacy breach notification expenses, extortion and so on. Be aware that this is a relatively new type of insurance, so policies vary from provider to provider.
- Understand compliance requirements: Many organizations must meet regulatory compliance requirements such as PCI DSS and EMV (for payment cards) or HIPAA (for healthcare data). Failure to understand and follow these requirements can lead to penalties and fines.
- Establish security policy: An organization’s security policy should be comprehensive, addressing access controls, authentication, acceptable use, auditing, and more. Be sure to conduct an annual review and revise as necessary.
- Measure and monitor security: Use next-generation firewalls, IPSs, network monitoring and web fraud detection to reduce vulnerabilities and thwart cyberattacks. Many solutions provide dashboards and detailed reporting functions to help track and measure activity.
- Respond to detected incidents: Every organization needs an incident response plan to deal with security breaches or exploits. Everyone involved in incident response must know their roles ahead of time and where the plan resides, so that they can act with dispatch and precision.
- Conduct periodic security audits: Audits assess the state of security within an organization, including its compliance status (if applicable), and point to technical controls and guidance that must be enforced or updated.
Nine steps down, one to go
While no organization can be fully immune to threats in today’s environment, following these steps means you will be ready to act if the need arises. So set a date today to discuss these steps with your IT leadership and security team, and then work toward goals that tighten your current security posture.
Some organizations may find it advantageous to address this with an experienced managed security services provider (MSSP) that can help them fully understand the risks their organization faces and then implement controls accordingly. If you go that route, look for one with a comprehensive range of services that can evolve with your needs.
How does this process match up with your organization’s approach? It’s always good to hear new ideas. Feel free to reach out and share yours.
Experts predict up to 80% of organizations will suffer at least one harmful attack. EarthLink’s Threat Monitoring and Defense offers 24/7 security monitoring and protection to identify and manage threats before they become disruptive and costly breaches.
View our Threat Monitoring and Defense video here if you’d like to learn more.