In this blog, we use real-world analogies to explain what to consider when building your business’s cybersecurity program.
Building an effective cybersecurity program presents challenges to businesses of all sizes. Whether you are a 25-employee manufacturer or a Fortune 50 global business, the concepts of cybersecurity do not change. Of course, the larger you are, the more employees and financial resources your organization requires, but the basic concepts of developing and maintaining an effective program remain the same. Establish your perimeter, train your people, and protect your data.
In this short blog, I’ll break down cyber fundamentals into usable, real-world analogies.
Build a Perimeter
What many consider to be effective cybersecurity is merely perimeter defense, like a gated fence that surrounds your backyard, or a garage door secured shut with a code. Modern firewalls, routers, switches, and monitoring devices are absolute necessities, but they are only the first line of defense – not your entire cybersecurity program.
Treat your security perimeter the same way you would your home – in other words, even if your gate is shut, you still need to lock your doors.
Understand Your Data
Think of your most sensitive data the way you would a piece of jewelry, birth certificate, or emergency stash of cash you keep on hand. These are not items you throw in your nightstand because you lock your doors at night. They are precious belongings that warrant an extra layer of protection, like placing them in a small fireproof safe.
Conversely, you wouldn’t store a grocery list or a library card in your personal safe. These everyday items not only lack the need for special protection, but they would also occupy valuable space you could use to store genuinely important belongings.
Whether you’re an engineering-based company, a healthcare system, or a financial conglomerate, treat your business assets the same way you would your personal valuables. Take the time to understand where your most sensitive data lives (the key word here: sensitive) and apply the appropriate pressure to protect it.
Control Access to That Data
You wouldn’t give your garage door code or front door key to just anyone, would you? Similarly, if you fired a contractor who was working on your home repairs, you wouldn’t let him or her keep your house keys, would you?
Once you understand where your sensitive data is, gain an understanding of who has access to that data and why. Controlling and monitoring access to systems can be a daunting task, especially if done manually. Providing access to sensitive data in accordance with the principle of least privilege will help to keep your data secure and will prevent the introduction of unnecessary risk.
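The access review described here can be automated once you have three inputs: an inventory that says which assets are sensitive, the HR roster, and an export of who holds what access. The script below is an added example, not code from the original post or from any product; the asset names, roster entries, grants and the read/write/admin role ranking are all constructed sample data. It flags the fired contractor who still holds a key, sensitive data with no approved justification on file, and grants that exceed the role that was approved.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not taken from the post): a small asset inventory
# with a sensitivity label, the HR roster, and the access grants exported from
# the systems that hold the data.
ASSETS = {
    "hr-payroll-db": "sensitive",
    "customer-records": "sensitive",
    "cafeteria-menu": "internal",
}

ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "contractor-carl": {"status": "terminated", "ended": date(2024, 3, 1)},
}

# One entry per grant: who, which asset, the role actually held, the role that
# was approved when access was requested (None if nobody ever approved it),
# and the documented business reason.
GRANTS = [
    {"user": "alice", "asset": "hr-payroll-db", "role": "read",
     "approved_role": "read", "justification": "payroll analyst"},
    {"user": "bob", "asset": "customer-records", "role": "admin",
     "approved_role": "read", "justification": "support tickets"},
    {"user": "bob", "asset": "hr-payroll-db", "role": "read",
     "approved_role": None, "justification": ""},
    {"user": "contractor-carl", "asset": "customer-records", "role": "write",
     "approved_role": "write", "justification": "CRM migration"},
    {"user": "alice", "asset": "cafeteria-menu", "role": "write",
     "approved_role": None, "justification": ""},
]

# Ordering used to decide whether a held role exceeds the approved one.
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Finding:
    kind: str      # stale-access | no-justification | excess-privilege
    user: str
    asset: str
    detail: str


def review_access(grants, roster, assets):
    """Return one Finding per grant that violates least privilege."""
    findings = []
    for g in grants:
        person = roster.get(g["user"])
        sensitive = assets.get(g["asset"]) == "sensitive"

        # Departed staff or unknown accounts: the contractor who still has
        # the house key. This applies to every asset, sensitive or not.
        if person is None or person["status"] != "active":
            findings.append(Finding("stale-access", g["user"], g["asset"],
                                    "holder is not an active member of staff"))
            continue

        # Everything below only matters for data classified as sensitive;
        # the grocery list does not need a justification on file.
        if not sensitive:
            continue

        if g["approved_role"] is None or not g["justification"]:
            findings.append(Finding("no-justification", g["user"], g["asset"],
                                    "no approved role or business reason recorded"))
            continue

        if ROLE_RANK[g["role"]] > ROLE_RANK[g["approved_role"]]:
            findings.append(Finding("excess-privilege", g["user"], g["asset"],
                                    f"holds {g['role']} but only {g['approved_role']} was approved"))
    return findings


def summarize(findings):
    """Count findings by kind, useful for tracking the review over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(GRANTS, ROSTER, ASSETS)
    for f in results:
        print(f"{f.kind:17} {f.user:16} {f.asset:17} {f.detail}")
    print(summarize(results))
```

Feed the same three inputs into this on a schedule and the trend in `summarize()` becomes a simple measure of whether access is drifting away from least privilege; the write grant on the cafeteria menu is deliberately ignored, because spending review effort on non-sensitive data is the equivalent of locking the grocery list in the safe.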
Train Your People
As most of us know, the one thing you cannot always control is your people. Even well-trained staff can fall victim to social engineering attacks or introduce unnecessary risk to your organization unintentionally. Training your most essential assets, your people, has become easier over the past several years because of cost-effective virtual learning solutions. Training programs are the most effective way to reduce the cyber risk introduced by your employee base.
As Brian Krebs once said, “Someone recently asked me how I defined security. I really had to think about that. Fundamentally, it seems to be about making it easier for users to do the right thing [and] harder for them to do the wrong thing.”
Provide Assurance that You’re Protecting Data
Once your controls are functioning properly, work independently or with a partner to provide assurance. We commonly see businesses begin their cyber journey by developing the proper program, but when they perform an assurance check, their procedures are not functioning as intended.
Get in a position where you document your controls and procedures, understand which of those controls are most critical, and put those controls into a periodic testing cycle. This will create peace of mind as well as cyber and process assurance for your leadership team.
Also, don’t collect data for its own sake. Store and transmit only the data you actually need, and purge what is no longer relevant; regular purging keeps your environment clean. In other words, double-check your locks before you go to bed.
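Documenting controls, ranking them by criticality and putting them on a periodic testing cycle can itself be expressed as a small harness. The following is an added example, not code from the original post or from any framework; the control ids (PER-1, DAT-1, TRN-1, RET-1), the test intervals per criticality, and the evidence snapshot (firewall rules, sensitive-store inventory, training records, retention settings) are all constructed for illustration. It shows which controls are overdue for testing and runs each control's check against the evidence, covering the perimeter, data ownership and access review, training, and the retention point above.

```python
from datetime import date

# Constructed evidence snapshot (not from the post): the kind of export you
# would pull from the firewall, the data inventory, the training platform and
# the retention configuration before a test cycle.
EVIDENCE = {
    "firewall_rules": [
        {"name": "allow-vpn", "src": "any", "dst": "vpn-gw", "port": 443},
        {"name": "legacy-rdp", "src": "any", "dst": "fileserver", "port": 3389},
    ],
    "sensitive_stores": [
        {"name": "hr-payroll-db", "owner": "alice",
         "last_access_review": date(2024, 5, 2)},
        {"name": "customer-records", "owner": None,
         "last_access_review": date(2023, 11, 20)},
    ],
    "training_complete": {"alice": True, "bob": True, "dave": True},
    "retention_days": {"hr-payroll-db": 2555, "customer-records": 1095},
}

TODAY = date(2024, 6, 1)  # fixed so the example is reproducible

# Management ports that should never be reachable from "any" at the perimeter.
ADMIN_PORTS = {22, 3389, 5900}


# Each check returns (passed, detail) and reads only the evidence snapshot.
def check_no_exposed_admin_ports(ev):
    bad = [r["name"] for r in ev["firewall_rules"]
           if r["src"] == "any" and r["port"] in ADMIN_PORTS]
    return (not bad, f"rules exposing admin ports: {bad}")


def check_sensitive_stores_owned_and_reviewed(ev, max_age_days=90):
    bad = [s["name"] for s in ev["sensitive_stores"]
           if s["owner"] is None
           or (TODAY - s["last_access_review"]).days > max_age_days]
    return (not bad, f"stores without owner or with overdue review: {bad}")


def check_training_complete(ev):
    bad = [u for u, done in ev["training_complete"].items() if not done]
    return (not bad, f"staff with training outstanding: {bad}")


def check_retention_defined(ev):
    bad = [s["name"] for s in ev["sensitive_stores"]
           if ev["retention_days"].get(s["name"]) is None]
    return (not bad, f"sensitive stores with no retention period: {bad}")


# The documented control catalogue: id, description, criticality and the
# check that provides assurance for it. Ids are hypothetical.
CONTROLS = [
    {"id": "PER-1", "desc": "No admin ports open to the internet",
     "criticality": "critical", "check": check_no_exposed_admin_ports},
    {"id": "DAT-1", "desc": "Sensitive stores have an owner and a quarterly access review",
     "criticality": "critical", "check": check_sensitive_stores_owned_and_reviewed},
    {"id": "TRN-1", "desc": "All staff completed security awareness training",
     "criticality": "high", "check": check_training_complete},
    {"id": "RET-1", "desc": "Every sensitive store has a retention period",
     "criticality": "medium", "check": check_retention_defined},
]

# The most critical controls are tested most often.
TEST_INTERVAL_DAYS = {"critical": 30, "high": 90, "medium": 180}


def controls_due(controls, last_tested, today=TODAY):
    """Ids of controls never tested or tested longer ago than their interval."""
    due = []
    for c in controls:
        last = last_tested.get(c["id"])
        if last is None or (today - last).days > TEST_INTERVAL_DAYS[c["criticality"]]:
            due.append(c["id"])
    return due


def run_cycle(controls, evidence):
    """Execute every control check and return {id: (passed, detail)}."""
    return {c["id"]: c["check"](evidence) for c in controls}


def failing(results):
    """Sorted ids of controls whose check did not pass."""
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    last = {"PER-1": date(2024, 4, 1), "TRN-1": date(2024, 5, 15)}
    print("due for testing:", controls_due(CONTROLS, last))
    for cid, (ok, detail) in run_cycle(CONTROLS, EVIDENCE).items():
        print(f"{cid} {'PASS' if ok else 'FAIL'}  {detail}")
```

On this evidence the harness reports the perimeter control and the data-ownership control as failing, which is exactly the situation the paragraph above describes: a program that exists on paper but whose procedures are not functioning as intended. Keeping the results per cycle gives leadership the assurance trail without anyone re-reading the policy binder.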
There are many areas of cybersecurity that support these core fundamentals (asset management, incident response, patch management, and vendor risk, to name a few). Understanding them is critical to understanding how to build an effective cybersecurity program. For more information on the pillars of cybersecurity, we suggest reviewing the Critical Security Controls or the NIST Cybersecurity Framework.