You remember the Equifax data breach last year, right? Of course you do. How could you forget? Sure, they have a cybersecurity insurance policy, but that policy only covers $125 million of the $242.7 million they have needed to spend in the fallout from the breach just to keep from treading water. Massive data breaches like this aren't typical, but that doesn't mean you shouldn't strengthen your cybersecurity stance. With global ransomware damage costs exceeding $5 billion in 2017 (15 times greater than in 2015), organizations must come to terms with the fact that the cost of cybersecurity procrastination could be too great for them to stomach.
Fast-tracking your company to a more mature cybersecurity posture means getting up to speed on the latest in compliance, technology, and education, while integrating the right software and enlisting professionals to cover all your bases. Without further ado, let's dive in and get down to brass tacks on how best to upgrade your cybersecurity posture for 2018 and beyond.
A recent study highlighted that a staggering 39% of companies currently have no written cybersecurity policies in place. Instead of positioning themselves with a strong cybersecurity posture, they develop strategies on the fly as new threats emerge. This haphazard path to disaster is usually prompted by the lack of a sufficient cybersecurity budget. With over 77% of businesses having suffered a cybersecurity attack in 2017 alone, it would behoove your organization to audit its cybersecurity compliance and identify where its most valuable data resides.
Once you have mapped where that data lives, your company can coordinate its resources to protect it, whether it is in storage or in transit to or from your network. If your organization is new to cybersecurity compliance, you can get up to speed and organize your response by using any of these cybersecurity policy templates to manage the flow of information through your company's chain of command.
The cost of cybersecurity damages is predicted to hit $6 trillion per calendar year over the next 4 years, while the cost of remaining cybersecurity compliant would total $1 trillion over that same 4-year span. That means the damages stemming from noncompliance are anticipated to dwarf the costs of compliance, 24 to 1. This is a wake-up call to organizations that the era of voluntary adoption of cybersecurity best practices is fast coming to an end. Companies must examine their controls and procedures to ensure they comply with securities-law disclosure obligations, while still considering the effect that compliance will have on their reputation with their customers.
Cybersecurity issues and compliance with emerging requirements from PCI, HIPAA, GLBA, FISMA, ISO 27002 and other security compliance mandates will continue to be a story in 2018, and organizations must start preparing their playbook to respond if they have not already.
Companies must produce tangible evidence of compliance, securing their data assets with the prescribed security measures. To do this, they must conduct a risk analysis to identify potential areas of weakness, failure, or compromise in their environment. Building a company-wide compliance umbrella will help sustain your network environment by blocking policy violations and data exfiltration before they become an issue.
Cybersecurity Compliance Checklist
No matter your company's industry, these 8 tasks are important for bolstering your cybersecurity compliance:
| # | Task | Description |
|---|------|-------------|
| 1 | Multi-factor Authentication (MFA) | SMS authentication, OTP, thumb, retina, or hand scan. 86% of consumers say that using MFA makes them feel more secure about the status of their online information. |
| 2 | Network Access Control (NAC) | Role-based control for a user, device, or application post-authentication. Restrict device usage to an extent that minimizes the chances of malware attacks. |
| 5 | Control Administrator Privileges | Restrict rights to extract and distribute data. With more tightly controlled admin privileges, companies of various sizes can strike the right balance of security and empowerment without the risk of compromise. |
| 6 | Company-Wide Email Awareness Training | Personnel need to be reminded to be skeptical of emails they did not expect or that are out of character. Ensure employees are proficient at spotting phishing, ransomware and whaling emails and at bringing them to the attention of IT professionals for immediate investigation and remediation. |
| 7 | Encrypt your Sensitive Data | Encrypt and validate any data that leaves the building, while regularly reviewing backup logs for completion. Use an Encrypting File System (EFS) to encrypt your files, folders, partitions, and drives. |
| 8 | Customize your Breach Response Plan | Simply knowing about a data breach incident isn't enough. You must take action immediately or risk major data implications for your company. |
Technology is a key component of the cybersecurity conversation. If you employ an in-house InfoSec team, they must understand the types of threats that exist across the myriad platforms available. Your company's cybersecurity plan will be unique to the technologies your associates use; thus no two companies will have identical cybersecurity solutions. The firewalls and other security technologies deployed, managed and maintained in your network environment must work alongside each other so that if one technology fails, a complementary solution can pick up where it left off.
Because of the well-known cybersecurity skills shortage, some companies have their IT departments working at exhausting rates to analyze and react to the ever-increasing volume of security logs and alerts. This kind of reactive environment is a recipe for disaster. Many companies are coming to this conclusion and looking to work smarter, not harder, by adding Artificial Intelligence (A.I.) and machine learning to their bag of cybersecurity solutions.
If you're not familiar with machine learning, it is essentially a branch of A.I. in which an algorithm learns and makes predictions from input data at an accelerated pace. Machine learning can serve as a blockade in front of your network infrastructure, deterring cyber criminals from breaching your systems with complex threats. Although A.I. and machine learning have proven effective for businesses that have deployed them for threat deterrence, this technology is ineffective at predicting new threats to your environment.
A major benefit of A.I. and machine learning is that they take on the burden of sorting through the noise, helping pinpoint potential threats more quickly alongside standard InfoSec methodologies. By integrating a machine learning/A.I. solution into your network infrastructure, your IT team can be more effective at taking down threats before they become an issue. For those who shudder at the possibility of A.I. running your front-line cybersecurity deterrence, note that 91 percent of security professionals believe black hat hackers will use AI to launch sophisticated cyberattacks in the near future. With A.I. and machine learning spending set to grow from $12 billion in 2017 to $57.6 billion by 2021, it would benefit your company to stay ahead of the curve and automate some of your processes to optimize threat-hunting efficiency and keep your network safe.
Education is an important topic when it comes to cybersecurity. With new technologies constantly being implemented for companies to use and for hackers to attempt to exploit, a constant appetite for accelerated learning is of paramount importance for your entire organization.
As 95 percent of all security incidents involve human error, according to the 2017 IBM Cyber Security Intelligence Index, continued education of your entire company on cybersecurity matters is vital. 93% of all breaches could be stopped by basic cyber hygiene, so it is crucial that employees be educated on current attack methods such as phishing and pharming, and on threats such as ransomware and social engineering, that hackers employ to gain access to a user's computer.
Although 78% of employees surveyed are adept at identifying a phishing email, they remain subpar at reporting the phishing attempt to an IT professional within their company. Poorly trained employees who are unaware of the risks of not reporting these incidents can be the weakest link in your data security plan. Staff need to be reminded to hover over an email link before clicking it, and to check the email properties to see whether the sender's email address matches the topic in the body of the email.
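The two manual checks above (does the sender's address belong to the brand the email claims, and does a link's visible text match where it really points) can also be automated as a first-pass screen for a reporting mailbox. This is an added Python example, not code from the original article; the sample message and the expected sender domain `examplebank.test` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email): the sender address does not belong to the claimed
# brand, and the visible link text shows a different host from the one the href points to.
SAMPLE_EMAIL = """From: "Example Bank Support" <alerts@mail-example-support.test>
Subject: Action required on your account
Content-Type: text/html

<p>Please visit <a href="http://login.example-support-verify.test/auth">https://www.examplebank.test/login</a> to confirm.</p>
"""
class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive last-two-labels reduction; a production check would use the public suffix list.
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def phishing_indicators(raw_email, expected_sender_domain):
    """Return findings for the two checks staff are taught to do by hand."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    if registrable_domain(sender_domain) != expected_sender_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_sender_domain!r}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if text.startswith(("http://", "https://")):  # only link text that itself looks like a URL
            shown, actual = registrable_domain(urlparse(text).hostname), registrable_domain(urlparse(href).hostname)
            if shown != actual:
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings
```

Run it on a reported message and hand the findings to the investigating IT staff; an empty list is not a clean bill of health, only the absence of these two particular tells.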
Appropriate cybersecurity learning is built on regular, daily reinforcement accompanied by an annual refresher course in cybersecurity practices for employees across the company. This ensures that security awareness policies and practices stay fresh in employees' minds, and that they understand any policy additions or changes. In the end, furthering your employees' education should focus on improving their knowledge of cybersecurity while developing appropriate metrics to define and measure success. Doing so will empower them to work toward the common goal of lowering your risk of a breach.
If your company is looking to take your IT team's cybersecurity training to the next level, the certifications below are your best bet for an inexpensive and quick translation of skills from the textbook to the workplace:
- International Information Systems Security Certification Consortium ((ISC)²)
- Certified Information Systems Security Professional (CISSP)
- SysAdmin, Networking, and Security Institute (SANS)
- Global Information Assurance Certification (GIAC) Security Expert
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
- ISACA Certifications: CISA, CISM, CGEIT, and CRISC
As mentioned previously, the cybersecurity industry has been going through a skills shortage and will continue to for the foreseeable future. To ensure your cybersecurity posture doesn't slump because your IT department is working overtime on complex InfoSec problems it isn't adequately trained to handle, you can outsource your cybersecurity needs to another company to fill the gaps in your network infrastructure. Outsourcing frees up time to focus on your internal IT team's strengths, while specialized tasks such as penetration testing and internal software development can be securely engineered and delivered by a team that adheres to the same high level of security consciousness as your internal staff.
If your company is growing faster than you prepared for, outsourcing at least some of your core functions can help you scale up operations successfully (and safely). Companies that lack the budget or bandwidth to set up their own security operations must take a proactive approach to their Trust and Safety (TnS) operations so their IT team can focus on its core competencies. Overall, more than 60 percent of IT professionals surveyed said they were employed at an organization that outsourced at least some of its cybersecurity work.
Another function your company can outsource to improve its cybersecurity posture is incident response. If your company collects sensitive information from customers, you have essentially painted a bullseye on it for hackers. Assembling an internal 24/7 incident response team to remediate threats to your network is nearly impossible. Bringing in a third-party on-demand incident response team to weed through the noise, remediate potential exploits against your network, and combat Advanced Persistent Threats (APTs) at their point of contact (PoC) is of paramount importance for your organization.
Let's circle back to Equifax. To recap, nearly 150 million (147.9 million, to be exact) of their customers had their data stolen in this breach. Where is Equifax now? Digging itself out of a disaster that unfolded from May 13th to July 30th, 2017, but was not publicly announced until September 7th. Talk about a PR nightmare that could easily have been averted with some proactive cybersecurity compliance, technology, education, and the help of cybersecurity professionals who inspect, monitor, and remediate threats to your network infrastructure.