Is your business safe from cybersecurity threats? Do you have a plan to proactively improve and protect against new types of attacks? We want to help you improve your cybersecurity plan. By implementing even one or two of the suggestions below, you’ll be taking a step toward reducing the likelihood of data loss, downtime, reputation damage, and lost revenue.
Laying the groundwork
Before writing any cybersecurity plan, it’s important to have a risk assessment under your belt. Risk assessments highlight exactly where and how your workforce, technology, and physical environment are exposed and therefore where you need to allocate your risk-reducing budget dollars. An upfront risk assessment is also THE key input into your cybersecurity plan. After all, the whole point of a cybersecurity plan is to reduce the vulnerabilities uncovered by a risk assessment.
Chances are you probably already have a cybersecurity plan for your organization. It may be a plan that was written to meet regulatory requirements. Alternatively, it may have been written because you value the continuous operation of your organization and want to protect the private data it stores and processes. Whatever your goals, it is important to make sure your cybersecurity plan includes several key points.
Your cybersecurity plan should state:
The organization’s general attitude toward risk – averse, neutral, or accepting
The importance of cybersecurity from leadership to individual contributors
Commitment to adhere to any applicable regulations such as HIPAA, PCI, 23 NYCRR 500, etc.
Specific incident response procedures outlining what each internal and external stakeholder will do in the event of a data breach or other adverse cybersecurity event
The importance and frequency of performing ongoing cybersecurity tasks such as risk assessments, vulnerability assessments, and penetration tests. Remember, as your environment changes (new technology, merger, acquisition, or re-org), your initial risk baseline will shift significantly
How your organization handles logical access control such as users logging into systems, firewall requirements, and network traffic filtering
Physical security including visitor sign-in requirements, door locks or keypads, fire suppression, and security cameras
Data protection including handling malware and malicious activity
How your organization manages hardware and software configurations and how it manages changes to them
How information security monitoring is to be handled including how stakeholders are notified in the event of a red flag
How the organization will recover from a physical or cyber disaster to ensure the continuous operation of the organization, even if in a degraded state
Data privacy practices and expectations for employees to ensure the privacy of sensitive or confidential data
Sometimes these policy statements are broken out into different policies. Sometimes they’re included in a bigger, overarching Written Information Security Program (WISP). Whether separate or lumped into an all-encompassing WISP, each of these areas requires thoughtful consideration and written statements for how the company will handle every area of concern.
Making your policy effective
Once your plan contains the right elements, it’s important to bake the plan into regular conversations with employees. The main problem with policy is that it’s often written only to be set aside in a three-ring binder and never revisited. If you’re going to do this, you may as well not write the policy in the first place.
For policy to be effective, it needs to be regularly reviewed with staff and updated upon significant changes to the business or its technology. An easy way to ensure your cyber policy is being reviewed is to incorporate it in your annual or bi-annual employee review discussions. And please, do not simply hand the employee a stack of paper and trust them to read it on their own. Discuss it together and answer any questions the employee may have. Again, policy is pointless unless it’s updated regularly and understood and followed by all employees.
The groundwork for establishing a solid cybersecurity plan has been laid. However, good plans aren’t static. They change. They adapt. Football teams go into each game with a plan. They know their own strengths and weaknesses. They’ve reviewed countless hours of video footage of the opposing team. A head coach’s plan is designed to maximize his team’s strengths while leveraging the opposing team’s weaknesses.
Combating three current threat trends
Cybersecurity plans are exactly like football strategy. They’re designed for your team to win. While the offensive line protects the quarterback and the football, a WISP helps you protect private data and fend off cyber-attacks, ensuring your company’s ability to operate with minimal interruption. Just like a football team must adjust its strategy when facing a new team, businesses need to adjust their cybersecurity plan to protect against new threats. The remainder of this article outlines three current cybersecurity threat trends and what savvy business professionals are doing to combat them. If you aren’t implementing the protections discussed, please initiate a conversation with your IT staff and work toward building them into your next budget cycle.
Threat 1: uninspected HTTPS network traffic
As of November 24, 2018, 80% of web pages accessed by the Google Chrome browser on Microsoft Windows PCs are encrypted. For Mac users, this figure is 87%. This means that well over two-thirds of the data coming into and leaving your network is encrypted, including potentially malicious traffic. If you aren’t decrypting, inspecting, then re-encrypting this traffic as it flows to and from your organization, your security posture is dubious at best.
You may be asking: “So what? Who cares that my network traffic is encrypted? I thought encryption provided confidentiality, which is supposed to be a good thing.”
The issue is that malware authors are hiding their malicious code in HTTPS. When you visit an HTTPS-encrypted site in your web browser, you see the little green lock icon and think “I’m safe.” However, you could have a false sense of security as malware writers are buying digital certificates to encrypt traffic going to and from their websites which host malicious code.
According to cybersecurity firm Cyren, “the real extent to which malware is being hidden in HTTPS has been an open question—until now. Our security researchers have found that HTTPS is now being utilized in 37% of all malware. And recent growth in HTTPS use for malware has been dramatic, with malvertizing use of HTTPS jumping 30 percent in the first half of 2017.”
The problem is that malware is hiding under your nose in encrypted web sessions. The solution is to perform decryption of all web-based traffic on your firewall, inspect the traffic once it’s decrypted, then re-encrypt it and send it along. All modern firewalls have this capability and it’s typically called “SSL Inspection” in the settings. Unfortunately, most business professionals don’t have this setting turned on.
So, today’s marching orders are to ask your IT folks if they can enable SSL Inspection on the firewall because you don’t want malware to hide within encrypted traffic streams. After all, being blind to over two-thirds of your web traffic is not good security!
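Before asking for the setting to be switched on, it helps to know how big the blind spot actually is. The script below is an added example (not code from the article or from any firewall vendor) that reads session records from a perimeter device and reports what share of HTTPS sessions were inspected, how many bytes passed uninspected, and which destinations were bypassed without being on an approved bypass list. The log lines and their key=value layout are constructed for this example; real firewalls log in their own formats, so `parse_line()` is the piece you would adapt.

```python
"""Measure how much HTTPS traffic a perimeter device is actually inspecting.

Added example. The log lines and the key=value layout below are constructed;
adapt parse_line() to your own firewall or proxy export.
"""
from collections import Counter

# Constructed sample: one session per line. action=inspected means the
# device decrypted and scanned it; bypassed/allowed means it did not.
SAMPLE_LOG = """\
ts=2018-11-24T09:00:01 src=10.0.1.15 dst=example.com proto=https action=inspected bytes=48211
ts=2018-11-24T09:00:04 src=10.0.1.22 dst=updates.example.net proto=https action=bypassed bytes=1048576
ts=2018-11-24T09:00:09 src=10.0.1.15 dst=intranet.corp.example proto=http action=allowed bytes=2048
ts=2018-11-24T09:01:12 src=10.0.1.31 dst=cdn.example.org proto=https action=bypassed bytes=73422
ts=2018-11-24T09:01:30 src=10.0.1.31 dst=example.com proto=https action=inspected bytes=9100
ts=2018-11-24T09:02:02 src=10.0.1.40 dst=bank.example.com proto=https action=bypassed bytes=30100
ts=2018-11-24T09:02:45 src=10.0.1.22 dst=updates.example.net proto=https action=bypassed bytes=524288
ts=2018-11-24T09:03:10 src=10.0.1.15 dst=example.com proto=https action=inspected bytes=1200
"""

# Destinations deliberately exempted from inspection (hypothetical list):
# e.g. an update service that pins its certificate, or a category such as
# online banking that policy says must not be decrypted.
APPROVED_BYPASS = {"updates.example.net", "bank.example.com"}


def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def inspection_report(log_text: str, approved_bypass=APPROVED_BYPASS) -> dict:
    """Summarise the inspected vs. uninspected share of HTTPS sessions."""
    sessions = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    https = [s for s in sessions if s.get("proto") == "https"]
    inspected = [s for s in https if s.get("action") == "inspected"]
    uninspected = [s for s in https if s.get("action") != "inspected"]

    total_bytes = sum(int(s["bytes"]) for s in sessions)
    blind_bytes = sum(int(s["bytes"]) for s in uninspected)

    # Bypasses that nobody signed off on are the ones to raise with IT.
    unapproved = sorted({s["dst"] for s in uninspected
                         if s["dst"] not in approved_bypass})

    return {
        "sessions": len(sessions),
        "https_sessions": len(https),
        "https_share": len(https) / len(sessions) if sessions else 0.0,
        "https_inspected_share": len(inspected) / len(https) if https else 0.0,
        "blind_bytes_share": blind_bytes / total_bytes if total_bytes else 0.0,
        "top_uninspected_destinations": Counter(
            s["dst"] for s in uninspected).most_common(3),
        "unapproved_bypasses": unapproved,
    }


if __name__ == "__main__":
    report = inspection_report(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two caveats belong next to any inspection rollout: every managed client must trust the certificate authority the firewall uses to re-sign traffic, or users will see certificate errors on every site; and some applications pin their certificates and will break unless they are put on a documented bypass list, which is exactly why the report separates approved bypasses from unapproved ones.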
Threat 2: Online account takeover is at a record high
We all use the Internet. Whether for personal email, social media, corporate email, or data processing, the Internet is a huge part of our everyday lives. The Internet makes things easier and more accessible. It makes the world a smaller place and allows businesses to reach a large audience with minimal effort.
For all the good that the Internet brings, it also comes with significant security issues that should be addressed in your cybersecurity plan. Every year for the last decade, Verizon’s Data Breach Investigations Report has shown that social engineering is the most common method criminals use to take over online accounts. It starts with a phishing email that tricks you into giving up your username and password. From there, criminals can take over your email account and pose as you.
It is universally accepted that passwords alone are not enough to protect your online accounts. Whether through social engineering or simple brute force password cracking, criminals can easily obtain your password and thus gain access to your online accounts. To overcome this, companies need to step up their authentication game. This means enabling multi-factor authentication for all online accounts. Multi-factor authentication (MFA) simply means adding another authentication factor such as a hardware token, fingerprint, or smartphone-based authenticator to your primary authentication factor (your password).
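The smartphone-based authenticator mentioned above is usually a time-based one-time password (TOTP, RFC 6238). As an added example (not from the article), the code below implements the server side of that second factor with only the Python standard library: it derives the six-digit code from a shared secret and the current 30-second time step, accepts one step of clock skew on either side, and refuses to accept the same code twice. The secret and timestamps used in the tests are the published RFC 6238 reference vectors, so the expected codes are known; the `TotpVerifier` class name and its in-memory replay counter are this example's own choices, and in a real deployment the secret and last-used counter would be stored per user.

```python
"""Verify a time-based one-time password (TOTP, RFC 6238) as a second factor.

Added example using only the standard library. RFC_SECRET is the RFC 6238
reference secret; TotpVerifier and its replay counter are illustrative.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, int(for_time) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps share secrets as Base32, often unpadded and spaced."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Checks submitted codes with a small skew window and blocks replay."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window                  # accept +/- this many steps
        self.last_accepted_counter = -1       # persist per user in practice

    def verify(self, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        base = int(now) // self.step
        for skew in range(-self.window, self.window + 1):
            counter = base + skew
            if counter <= self.last_accepted_counter:
                continue                      # a code is valid once only
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET, digits=8)
    code = totp(RFC_SECRET, time.time(), digits=8)
    print("current code:", code, "accepted:", verifier.verify(code))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that timing does not leak how many digits matched, and the replay guard means a code captured over the user's shoulder cannot be reused within the same time window. A phishing page that relays the code in real time still defeats TOTP, which is why the strongest option on the list above is a hardware token.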
According to KrebsOnSecurity, “Google has not had any of its 85,000+ employees successfully phished on their work-related