Is your business safe from cybersecurity threats? Do you have a plan to proactively improve and protect against new types of attacks? We want to help you improve your cybersecurity plan. By implementing even one or two of the suggestions below, you’ll be taking a step toward reducing the likelihood of data loss, downtime, reputation damage, and lost revenue.

Laying the groundwork

Before writing any cybersecurity plan, it’s important to have a risk assessment under your belt. Risk assessments highlight exactly where and how your workforce, technology, and physical environment are exposed and therefore where you need to allocate your risk-reducing budget dollars. An upfront risk assessment is also THE key input into your cybersecurity plan. After all, the whole point of a cybersecurity plan is to reduce the vulnerabilities uncovered by a risk assessment.

Chances are you already have a cybersecurity plan for your organization. It may be a plan that was written to meet regulatory requirements. Alternatively, it may have been written because you value the continuous operation of your organization and want to protect the private data it stores and processes. Whatever your goals, it is important to make sure your cybersecurity plan includes several key points.

Your cybersecurity plan should state:
  • The organization’s general attitude toward risk – averse, neutral, or accepting
  • The importance of cybersecurity from leadership to individual contributors
  • Commitment to adhere to any applicable regulations such as HIPAA, PCI, 23 NYCRR 500, etc.
  • Specific incident response procedures outlining what each internal and external stakeholder will do in the event of a data breach or other adverse cybersecurity event
  • The importance and frequency of performing ongoing cybersecurity tasks such as risk assessments, vulnerability assessments, and penetration tests. Remember, as your environment changes (new technology, merger, acquisition, or re-org), your initial risk baseline will shift significantly
  • How your organization handles logical access control such as users logging into systems, firewall requirements, and network traffic filtering
  • Physical security including visitor sign-in requirements, door locks or keypads, fire suppression, and security cameras
  • Data protection including handling malware and malicious activity
  • How your organization manages hardware and software configurations and how it manages changes to them
  • How information security monitoring is to be handled including how stakeholders are notified in the event of a red flag
  • How the organization will recover from a physical or cyber disaster to ensure the continuous operation of the organization, even if in a degraded state
  • Data privacy practices and expectations for employees to ensure the privacy of sensitive or confidential data

Sometimes these policy statements are broken out into different policies. Sometimes they’re included in a bigger, overarching Written Information Security Program (WISP). Whether separate or lumped into an all-encompassing WISP, each of these areas requires thoughtful consideration and written statements for how the company will handle every area of concern.

Making your policy effective

Once your plan contains the right elements, it’s important to bake the plan into regular conversations with employees. The main problem with policy is that it’s often written only to be set aside in a three-ring binder and never revisited. If you’re going to do this, you may as well not write the policy in the first place.

For policy to be effective, it needs to be regularly reviewed with staff and updated upon significant changes to the business or its technology. An easy way to ensure your cyber policy is being reviewed is to incorporate it in your annual or bi-annual employee review discussions. And please, do not simply hand the employee a stack of paper and trust them to read it on their own. Discuss it together and answer any questions the employee may have. Again, policy is pointless unless it’s updated regularly and understood and followed by all employees.

The groundwork for establishing a solid cybersecurity plan has been laid. However, good plans aren’t static. They change. They adapt. Football teams go into each game with a plan. They know their own strengths and weaknesses. They’ve reviewed countless hours of video footage of the opposing team. A head coach’s plan is designed to maximize his team’s strengths while leveraging the opposing team’s weaknesses.

Combating three current threat trends

Cybersecurity plans are exactly like football strategy. They’re designed for your team to win. While the offensive line protects the quarterback and the football, a WISP helps you protect private data and fend off cyber-attacks, ensuring your company’s ability to operate with minimal interruption. Just as a football team must adjust its strategy when facing a new team, businesses need to adjust their cybersecurity plan to protect against new threats. The remainder of this article outlines three current cybersecurity threat trends and what savvy business professionals are doing to combat them. If you aren’t implementing the protections discussed, please initiate a conversation with your IT staff and work toward building them into your next budget cycle.

Threat 1: uninspected HTTPS network traffic

As of November 24, 2018, 80% of web pages accessed by the Google Chrome browser on Microsoft Windows PCs are encrypted. For Mac users, this figure is 87%. [1] This means that well over two-thirds of the data coming into and leaving your network is encrypted, including potentially malicious traffic. If you aren’t decrypting, inspecting, then re-encrypting this traffic as it flows to and from your organization, your security posture is dubious at best.

You may be asking: “So what? Who cares that my network traffic is encrypted? I thought encryption provided confidentiality, which is supposed to be a good thing.”

The issue is that malware authors are hiding their malicious code in HTTPS. When you visit an HTTPS-encrypted site in your web browser, you see the little green lock icon and think “I’m safe.” However, you could have a false sense of security as malware writers are buying digital certificates to encrypt traffic going to and from their websites which host malicious code.

According to cybersecurity firm Cyren, “the real extent to which malware is being hidden in HTTPS has been an open question—until now. Our security researchers have found that HTTPS is now being utilized in 37% of all malware. And recent growth in HTTPS use for malware has been dramatic, with malvertizing use of HTTPS jumping 30 percent in the first half of 2017.” [2]