Ten Steps to
Cybersecurity Maturity




1. BUY-IN

Start here. Buy-in means that the leadership of your organization is committed to understanding and improving your organization’s cybersecurity. If you do not have buy-in from leadership, you are fighting an uphill battle and need to incorporate that into your planning.

Most organization leaders take cybersecurity seriously and want to improve it, but when it comes down to actually allocating resources, they often choose to prioritize other things. Your job is not to make cybersecurity a priority, but to give your leadership enough information and context so they can make informed decisions about how to prioritize and allocate resources to cybersecurity.

Next Step

Share the “Should we Get Cybersecurity Insurance” article with your leadership and then speak with them to learn about their level of concern around cybersecurity.


2. RISK ASSESSMENT

A risk assessment will help you identify and prioritize the cybersecurity risks you want to address at your organization. Without an assessment, you are likely to be reactive instead of proactive.

REACTIVE cybersecurity looks like this: A hard drive fails and some important data gets lost. The next day you spend $10,000 on a state-of-the-art backup system. In the meantime, your biggest risk may actually involve weak passwords on critical accounts.

PROACTIVE means identifying your most critical risks, before they are realized, and mitigating them in a manner that makes sense within overall organization priorities. You work to prevent bad things from happening and plan on how to respond effectively if and when they do happen.

Next Step

Complete the assessment listed in the Tools section. After completing the assessment you will receive a report with findings and recommendations.


3. AWARENESS TRAINING

Cybersecurity Awareness Training is the single most cost-effective action you can take to improve cybersecurity at your organization. The term can mean a lot of different things, but basically it means providing training on cybersecurity for all staff at your organization with the goal of both building skills and raising awareness of risks.

Notice that the first three steps of the ten-step plan work together: buy-in, a risk assessment and awareness training give leadership and staff a shared context for thinking about cybersecurity risk at the organization, which in turn makes it easier to identify and prioritize the risks that matter most.

Awareness training is low-cost, easy-to-implement, highly effective (if done well) and has the added benefit of helping with buy-in for further cybersecurity effort.

Next Step

Schedule a cybersecurity awareness training for your staff, or gather together to watch the recorded webinar listed in the tools section.


4. PASSWORDS & AUTHENTICATION

Many breaches are the result of compromised passwords. Passwords can get compromised through phishing attacks, guessing, cracking or through breaches of larger sites and services. There are three tools that organizations can deploy to improve security around passwords and authentication.

1. Encourage the use of passphrases such as “I went to the store on Tuesday.” in place of short, hard-to-remember strings of mixed letters, digits and symbols. Length is what makes a passphrase strong, so it should be several words long, unique to one account, and not a well-known quotation or song lyric (cracking dictionaries include those).

2. Use password managers such as LastPass or 1Password. These low-cost tools automatically generate random, long and complex passwords and manage them, so nobody has to remember (or reuse) them. They can also audit your existing passwords to warn you of passwords that are weak, reused or have been part of breaches. Because the manager holds every other credential, protect it with a strong passphrase and two-factor authentication.

3. Turn on two-factor authentication for every account you can, starting with your most sensitive accounts, such as email, financial, and database accounts. An authenticator app or a hardware security key is preferable to codes sent by SMS, which can be intercepted by SIM-swapping; a hardware key is also the only option of the three that a phishing page cannot simply relay.

Next Step

Turn on two-factor authentication for your email service (most likely Gmail or Office365).


5. PATCH MANAGEMENT

Patch Management is the process of keeping your servers, workstations and other critical infrastructure current with software updates provided by vendors. Vendors such as Microsoft, Apple, Adobe, and Intel all regularly release software and firmware updates to improve the security of their products by patching vulnerabilities that have been discovered.

If you fail to keep your organization’s systems updated, you are exposing your organization to vulnerabilities that are publicly known and, in many cases, actively being exploited in the wild. This puts you at unnecessary risk.

There are many solutions available that can help you manage patching effectively and at reasonable costs. Solutions like Automox can be deployed for as little as $10 per year, per patched device, but most will cost more along the lines of $75–$150 per year per device. If you work with an IT vendor, they often have plans that include patch management and may be bundled with other services (such as helpdesk) which can make patch management even more affordable.

Next Step

Obtain pricing for at least one patch management solution that could work for your organization.


6. POLICIES

There are two challenges to effective policies for cybersecurity.

The first is simply not having any policies in the first place. Many organizations do not have any cybersecurity policy and some don’t even have a basic Acceptable Use Policy (AUP). So the first challenge to overcome may be getting policies in place.

It’s easy to get caught up in trying to draft the “perfect” policies for your organization. Done is better than perfect. Get it done. You can always change them. Think of policies as living documents that adapt to a changing environment—not stone tablets handed down from a mountaintop.

The second challenge is getting your staff to actually understand and comply with the policies. It’s a good idea to draft policies with this in mind. Avoid creating policies that are difficult to understand, impossible to comply with, or difficult or impossible to enforce. The persona templates included here are a nice tool for creating visual, clear and understandable policies that focus on the most critical behaviors you want your staff to comply with.

Next Step

Using the templates supplied, complete an Acceptable Use Policy for your organization.


7. ONBOARDING/OFFBOARDING

Onboarding is a critical time to deliver initial security awareness training to your new employee. This training should include identification of critical data and guidelines around its access and use, examples of ‘popular’ threats such as phishing and spear phishing, and the procedure to report an incident. Onboarding is also a critical time to ensure your new employee reads and understands policies around your organization’s IT and cybersecurity.

Offboarding presents a different set of challenges: you need to ensure that no critical knowledge is lost with the departing employee and that the employee’s access to all organization systems is revoked upon departure, including shared credentials they knew, which should be changed. Creating, maintaining and USING detailed onboarding and offboarding checklists is a key aspect of ensuring these processes happen consistently.

Next Step

Using the template supplied, complete an onboarding form for your organization.


8. MONITORING

To this point the focus has been on preventing a cybersecurity incident. Monitoring focuses on how to know if an incident does occur so that you can respond quickly and effectively to limit impact.

There are two main areas to focus on in this regard:

1) STAFF REPORTING: If you conduct awareness training and include cybersecurity training in onboarding, then your staff should understand the importance of reporting a suspected incident immediately. Your staff are a critical piece in learning of a possible breach and you want to do all you can to encourage the immediate reporting of suspicious activity or mistakes.

2) ALERT SYSTEMS: Most Software as a Service (SaaS) providers such as Google, Microsoft, Dropbox and Salesforce provide a number of administrator alerts that can be configured to notify your IT personnel of suspicious activity (such as an account login from a new geographic location or new device). For the systems your organization uses, ensure your IT personnel learn about and configure the alerts to optimize for early discovery of suspicious activity.
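To make concrete what the “new location or new device” alerts above look for, here is an added example (not code from RoundTable Technology or any SaaS vendor) that runs three simple detections over a constructed sign-in log: a successful login from a country the account has never used, from a device it has never used, and a success that follows a burst of failed attempts. The event fields, thresholds and sample data are this example's own assumptions, modelled on the columns most admin audit logs expose.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, account, source country,
# device identifier, outcome). Not real log data.
SAMPLE_EVENTS = [
    ("2024-03-04T09:01:00", "alice@example.org", "US", "laptop-a1", "success"),
    ("2024-03-04T09:05:00", "bob@example.org",   "US", "laptop-b7", "success"),
    ("2024-03-05T08:58:00", "alice@example.org", "US", "laptop-a1", "success"),
    ("2024-03-05T10:12:00", "alice@example.org", "US", "phone-a2",  "success"),
    ("2024-03-06T02:14:00", "bob@example.org",   "RO", "unknown-9f", "failure"),
    ("2024-03-06T02:14:30", "bob@example.org",   "RO", "unknown-9f", "failure"),
    ("2024-03-06T02:15:00", "bob@example.org",   "RO", "unknown-9f", "failure"),
    ("2024-03-06T02:15:30", "bob@example.org",   "RO", "unknown-9f", "failure"),
    ("2024-03-06T02:16:00", "bob@example.org",   "RO", "unknown-9f", "success"),
    ("2024-03-06T09:00:00", "alice@example.org", "US", "laptop-a1", "success"),
]

FAIL_WINDOW = timedelta(minutes=10)   # assumed: look back this far for failures
FAIL_THRESHOLD = 4                    # assumed: this many failures before a success is suspicious


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_baseline(events, cutoff: str):
    """Learn each account's known countries and devices from successful
    sign-ins before `cutoff`. A real deployment would learn this over weeks."""
    known_countries, known_devices = defaultdict(set), defaultdict(set)
    cutoff_dt = parse_ts(cutoff)
    for ts, user, country, device, result in events:
        if parse_ts(ts) < cutoff_dt and result == "success":
            known_countries[user].add(country)
            known_devices[user].add(device)
    return known_countries, known_devices


def detect_suspicious_signins(events, cutoff: str):
    """Return (kind, user, detail, timestamp) alerts for events at or after
    `cutoff`, judged against the baseline learned before it."""
    known_countries, known_devices = build_baseline(events, cutoff)
    recent_failures = defaultdict(deque)   # per user: timestamps of recent failures
    cutoff_dt = parse_ts(cutoff)
    alerts = []
    for ts, user, country, device, result in sorted(events):   # ISO timestamps sort correctly as strings
        when = parse_ts(ts)
        if when < cutoff_dt:
            continue
        fails = recent_failures[user]
        while fails and when - fails[0] > FAIL_WINDOW:   # drop failures outside the window
            fails.popleft()
        if result != "success":
            fails.append(when)
            continue
        # Only successful logins matter for the "new" checks: that is when an
        # attacker actually gets in.
        if country not in known_countries[user]:
            alerts.append(("new_country", user, country, ts))
            known_countries[user].add(country)   # alert once, not on every later login
        if device not in known_devices[user]:
            alerts.append(("new_device", user, device, ts))
            known_devices[user].add(device)
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", user,
                           f"{len(fails)} failures within {FAIL_WINDOW}", ts))
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_signins(SAMPLE_EVENTS, "2024-03-05T12:00:00"):
        print(alert)
```

Run on the sample data, this reports nothing for Alice, whose logins match her baseline, and three alerts for Bob's 02:16 login: a new country, a new device, and a success preceded by four failures in two minutes, the classic shape of a successful password-guessing attack. Note the deliberate simplification of adding the new country and device to the baseline as soon as they are seen: a real system should only do that after an administrator or the user confirms the login was legitimate, otherwise the attacker's device silently becomes “known”.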

Next Step

Log in to your Office 365 or G Suite admin portal and review the available alert notifications. Set up at least three (3) notifications for your organization.


9. INCIDENT RESPONSE

Like monitoring, incident response is meant to limit the damage done by a breach or other cybersecurity incident. It’s critical to have an Incident Response Plan (IRP) in place BEFORE an incident requires a response. While it can seem overwhelming at first, a good incident response plan does not have to be comprehensive and need not be dozens of pages in length. It does need to include a few key elements such as:

DEFINING. What level of event warrants invoking the incident response plan (IRP)?

DECLARING. A process for declaring that an incident has occurred and initiating the IRP, including who has the authority to declare it.

CONTAINING. Focus on containing the breach and understanding the level of damage that has been caused.

COMMUNICATING. Once the breach is contained and the damage understood, communicate with all affected stakeholders as to what happened, what’s been done, and what’s going to be done, along with any actions they should take as a precaution.

LEARNING. Once all the dust has settled and things have returned to normal, consider any lessons learned and any changes you want to make in response to the incident.

Next Step

Watch the Incident Response Planning webinar supplied in further learning.



10. CONTINUOUS IMPROVEMENT

Congratulations! You made it to step 10. It gets easier from here. Now that you have completed the steps toward cybersecurity maturity, you want to make sure you institute a process of continuous improvement. The world is changing constantly, and in technology and cybersecurity the pace of change is dramatic. If you’re not continuously reviewing and refining your practices, you will lose ground and then have to play catch-up again. The best practice is to incorporate ongoing review and refinement of your cybersecurity practices (for example, repeating the risk assessment from step 2 on a regular schedule) to ensure you are NOT falling behind and that you can address the inevitable changes that will happen, both internal to your organization and external as part of the overall environment.

Next Step

Congratulations! Reward yourself and your team for taking a huge step toward better cybersecurity. Continue to assess and improve, updating your roadmap and other documentation along the way.