What should I do to protect myself from cyber-attacks? This is a question I have been asked many times by family and friends. Usually, they want an answer that is short and gives them one tangible thing they can do or purchase to ease their concerns.
I probably answer this question differently every time, but I usually make sure to hit some main points.
1. There is no silver bullet, it takes time and effort.
2. You cannot completely eliminate the risk of hosting sensitive data online or on internet-accessible devices.
3. The answer you need (not the one you want!) is going to take longer than a casual interaction.
At this point, if they are still interested, I am happy to talk their ear off!
What about for businesses?
For businesses and other organizations, similar points apply. There is no easy button to security, it is a critical part of your organization that needs ongoing investments of time, money, and attention; it is different for every organization; you cannot eliminate risk, but you can manage it.
As a small, growing business where should I start?
I could give you an answer like “implement Multi-Factor Authentication (MFA)” or “purchase some endpoint protection software.” Those are good things to do, but I want to address HOW you should get started more than WHAT you should do because the specifics are going to be different for everyone.
Here are some things to think about as you start your journey to securing your organization.
1. Adopt a Security Framework
There is no shortage of cyber security frameworks, that’s for sure. Frameworks help give a structured way to evaluate your security, select protective measures (called security controls), and implement those controls.
Some frameworks cut right to the chase and give you a checklist of important things to do. These are often called “control frameworks.” The Center for Internet Security’s (CIS) Critical Security Controls is one common example.
Others are more geared toward managing the process of selecting controls that are right for you and managing other aspects of a cyber security program. These are often called “program frameworks.” NIST Cyber Security Framework and ISO 27001 are two common examples.
Pick a framework that is right for you, but don’t fall victim to analysis paralysis. When in doubt, just choose the CIS Critical Security Controls. They serve as a great starting point to address fundamental security controls; you can adopt a more thorough framework or add your own controls later.
2. Make a Plan
Determine goals for your security program. Then plan the steps you will need to take to get there.
One of the first steps should always be a risk assessment. If the security framework you chose does not include guidance for conducting a risk assessment, you can use NIST Special Publication 800-30r1 Guide for Conducting Risk Assessments. The intent here is to ensure you have awareness and understanding of your important assets, threats, vulnerabilities, and the overall risk that your organization needs to manage.
The steps to reach your goal should result from your risk assessment findings.
3. Ask for Help
It may take a lot of time to research, plan, prepare for, and initiate your plan. If you don’t have the time or on-hand expertise required, you can hire a third-party to help.
Agler Security Consulting offers a service called the Cyber Security Roadmap. A roadmap consists of multiple assessments of your organization’s security posture from different perspectives, goals for improving your security, and recommended actions to take with accompanying guidance. It is not a one-size-fits-all plan, rather it is tailored to align security efforts with your business goals.
Alternatively, Agler Security Consulting can provide virtual Chief Information Security Officer (vCISO) services, where an experienced security professional can help you on an “as needed” basis.