If you have been following this blog for a while, you may find yourself thinking that the time has definitely come to do “something” about cybersecurity in your business. As a busy and successful entrepreneur, business owner or senior manager you may have no idea where to begin, or where you will find the time to create and implement a plan. The National Institute for Standards and Technology (NIST) has created a 41 page roadmap for businesses to use in preparing their own cybersecurity plan. It is called Framework for Improving Critical Infrastructure Cybersecurity, and can be downloaded from the link.
Fundamentally, your process looks like this:
- Identify the information and resources that are vulnerable and need to be protected.
- Protect the identified information and resources with the security assets we have or need to acquire
- Detect attacks and other incidents quickly as they happen
- Respond quickly to the breach or attack to minimize loss of assets and potential legal exposure
- Recover systems and services in priority as identified in your plan.
In order to carry this off, you will benefit from the services of a trained and experienced cybersecurity professional. It is my firmly held belief that any program needs to start with training your employees to become more security conscious, to identify and report suspicious activity, especially including suspicious emails or infected websites. A vast majority of modern breaches start with a clever and well crafted phishing or spearfishing email, and if you can get your staff to stop falling for these, you will be miles ahead.
Next comes an on-site security audit, perhaps a vulnerability scan using standard software tools, and if necessary, a full-on penetration test in order to determine if there are any Internet-facing weaknesses in your perimeter defenses or internal systems or software.
This is an iterative process, which means that you will need to revisit your plan periodically, at least annually, to keep it up to date against the current and developing threats. But the ROI can be substantial, as current estimates of the costs due to losses from cyber-crime activity is $1500 per employee. Even if you only reduced that by half, it would likely more than pay for your program many times over. Do the math on your headcount – this is where the budget is going to come from.
“A journey of a thousand miles begins with the first step.” The important thing today is to make that first step by meeting with a cybersecurity professional and beginning your program.
Share
SEP
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com