What does a cybersecurity strategy look like?

For all the news, discussion and energy surrounding cybersecurity, many small and medium-sized businesses (SMBs) seek to cut through hype and implement a sound IT security management strategy. But how can firms best plan, implement and maintain proper cybersecurity practices without getting sidetracked or overthinking the ever-expansive issue? Fortunately, reviewing essential practices leading government agencies and IT security authorities repeatedly advocate reveals several recurring elements. By creating and maintaining a cybersecurity strategy covering recommendations that repeatedly surface, SMBs can have confidence they’re addressing cybersecurity issues responsibly.

In its Spring 2021 Cyber Essentials Starter Kit, the Cybersecurity & Infrastructure Security Agency (CISA)—itself an arm of the US Department of Homeland Security—lists six essential elements for building a culture of cyber readiness. Those components form a sound foundation for any cybersecurity strategy. Such a comprehensive cybersecurity approach is now no longer a luxury but necessary for SMBs to effectively protect against and prepare for cyber attacks. A recent US Small Business Administration survey revealed 88 percent of small business owners feel their companies are vulnerable to cyberattacks. Worse, the cost of cybercrimes rose 7 percent to $6.9 billion in 2021, according to the FBI, which itself maintains business email compromise and cybercrime resources, so prevalent are such attacks and the corresponding need for respective remediation efforts. Multiple nation states—including China, Iran, North Korea and Russia—pose a threat to critical infrastructure, private sector businesses and government offices and US agencies. Computer networks, cloud applications, supporting systems and all the various connecting components are vulnerable targets for an ever-expanding range of increasingly sophisticated and advanced threats and attacks. Unfortunately, securing such infrastructure is notoriously difficult for several reasons, including the facts state-sponsored hackers can operate from any nation, connections between the public Internet and private systems are more prevalent, networks’ complexity exacerbates reducing threat surfaces and securing everything from applications and servers to networks and cloud services.

Ever-sophisticated malicious actors have begun combining social engineering techniques with artificial intelligence (AI) and machine learning (ML) technologies to assist accessing, exploiting, corrupting, disrupting, destroying and ransoming essential systems and services. These criminals are heavily invested in gaining strategic advantages for their nation, an edge for military operations or personal profit.

As the US Small Business Administration notes, “there’s no substitute for dedicated IT support.” The administration emphasizes the importance of learning about common threats, understanding how businesses are vulnerable and taking practical actions to improve cybersecurity defenses.

Just what actions should SMBs take? Just what does an effective cybersecurity strategy look like? CISA’s six elements of an effective cybersecurity strategy lay strong groundwork for SMBs to implement. The organization states success depends upon readiness, which requires a comprehensive “holistic approach,” similar to the mindsets often applied to other operational risks. The government agency warns cyber threats place a business’ operations, information access, reputation, customer trust, profitability and actual survival at risk and recommends building a culture of readiness to combat those information technology, network and systems risks.

Here’s how SMBs can embrace each element needed to create sound defenses. While each organization’s cybersecurity strategy will feature different nuances, almost every cybersecurity strategy should include each element in some capacity.

1. Appoint A Leader

CISA recommends beginning technology security initiatives by appointing a leader to drive an overarching cybersecurity strategy. Subsequently, this leader should drive investment and build and maintain the organization’s corresponding cybersecurity culture. To do so, the leader must understand how the organization and its employees are dependent upon software, systems and data. Ultimately, an individual must be assigned to own these responsibilities. The cybersecurity owner must build the strategy, confirm proper investments are made and establish and maintain a corporate culture that practices proper computing habits. To prove successful, the cybersecurity strategy leader should establish and maintain relationships with technology staff, government agencies, hardware vendors and industry service partners to ensure the organization deploys and maintains technologies properly, while also receiving alerts and updates regarding new threats and vulnerabilities. By approaching and managing technology threats as business risks, which they are, cybersecurity leaders can help organizations better prepare for and prioritize IT defense efforts.

2. Security Awareness

CISA also recommends organizations develop computer users’ security awareness. This element is a critical component of any organization’s technology security defenses. By educating staff members and instilling proper cybersecurity knowledge and skills among users—whose individual decisions continually impact or protect the network, systems and data—companies can proactively develop IT security awareness, instill a sense of vigilance within its user base, minimize the chances of expanding potential threat vectors and help prevent infections and breaches.

Organizations can educate users multiple ways. Popular methods include adopting in-person instruction, offering self-paced classes or requiring staff complete online training courses. Numerous reputable providers offer effective web-based training programs, including Arctic Wolf, KnowBe4 and Proofpoint.

Encouraging and enabling staff and users to make good choices in their everyday computing habits is a key factor in developing an effective cybersecurity culture. By teaching employees to spot phishing attempts, recognize unsafe attachments and identify suspicious messages and requests, organizations can better defend against common threats. Regularly conducting training sessions and even displaying posters and sending reminder messages are effective methods organizations can adopt to help ensure cybersecurity concerns don’t fade and that cybersecurity concerns and best practices remain current in everyone’s mind.

3. Protect Systems & Data

Another important step in developing an effective cybersecurity strategy is understanding and protecting the data, software programs, cloud services and networks that actually power the organization’s daily operations. The cybersecurity strategy leader, and a business’ IT staff—including outsource service partners—should know where all essential information is stored, which specific programs and networks house and process that data and ensure a sound cybersecurity strategy safeguards all those technology assets. While it’s tempting to believe IT staff and business officials know with certainty where critical data is stored, how and which systems process that information and which specific networks house and safeguard that data, in real practice that’s often not the case. Personnel come and go. Platforms receive upgrades. New sites are added and removed from network configurations. Ensuring critical information and systems are documented and diagrammed and that such information is regularly updated and confirmed are among the most critical steps of any cybersecurity strategy. Another important and related component of every cybersecurity strategy is ensuring operating systems, software applications and network gear are regularly patched and updated. Manufacturers regularly release service packs, performance patches and security updates for software programs and equipment. Organizations must prioritize installing these updates quickly upon release, as many exploits and attacks take advantage of the known corresponding vulnerabilities the updates address, especially when such fixes are publicized. By patching systems and software, companies can at least know those assets benefit from the latest security safeguards and the respective threats are eliminated and are not permitted to persist.

Cybersecurity strategies should also prioritize reviewing and confirming operating systems, applications, servers, network equipment, wireless networks and other software and hardware components possess secure configurations. Ensuring bring-your-own-device policies include conditions for securing such equipment and that unapproved software and hardware are prohibited from being used on the network or are automatically blocked also help reduce an organization’s threat surfaces available for exploitation by hackers.

In addition to implementing advanced threat detection-powered tools—which benefit from adding (AI) and (ML) technologies to an organization’s defensive practices—further helps. Companies should also ensure these advanced threat detection tools provide email and web browsing protections, as those two elements are often responsible for introducing damaging infections.

4. Restrict Access

The fourth element CISA recommends incorporating within a cyber readiness strategy is a long-standing IT best practice: limiting permissions to only those requiring access. The principal of least privilege is a long-running best practice that involves providing access to only those users requiring application, network or data access to those needing such permission to fulfill their professional responsibilities.

The principle includes granularly controlling rights and permissions, too. In other words, one user needing to monitor sales might receive read access, but not the ability to alter, edit or otherwise change the sales data, whereas a production executive might receive both read and write access to set individual sales goals, account for promotional incentives and otherwise adjust information.

As part of any initiative to tighten security, firms must also study their networks to ensure any unnecessary, outdated or no longer needed accounts are purged. The same principal applies for wired and wireless networks, workstations and servers. Connections and systems that are no longer needed should be shut down to reduce the number of threat surfaces that could be used to enter or attack the network. Users, too, should be encouraged to use complex passwords that must be changed often. Further, multifactor authentication should be required on all applications and networks supporting such enhanced protections.

IT policies and procedures offer yet another line of defense. By incorporating written policies users must review, acknowledge and practice helps ensure staff understand and are again reminded—as with continuing cybersecurity education—of proper computing behaviors, whether those behaviors involve the proper use of organization-provided email and Internet access or the steps HR and IT personnel are to complete when a user or employee leaves the organization.

5. Prioritize Backups

Another component CISA emphasizes addressing when building a culture of cyber readiness involves a common disaster planning component: backups. Only by ensuring essential data is properly backed up, safeguarded and can be recovered as quickly as and how the organization requires can a company ensure its business continuity and disaster recovery (BCDR) approach properly integrates with its technology security strategy. Occasionally even well-constructed systems fall victim to attack and compromise. The ability to properly recover operations, including from an alternative location, when required, is vital. A proper BCDR plan that’s prepared for such contingencies using advanced threat detection and, often, a secure cloud services component, can properly assist such recovery.

Before cybersecurity czars can confirm proper backups are in place, as mentioned previously, they must know where essential information is stored and understand how that data is updated and processed. Cybersecurity leaders should ensure, too, outdated and legacy platforms that are no longer needed are decommissioned, thereby simplifying backup and recovery routines. Backups should be encrypted, too, to further protect data. And organizations should consider storing some essential backups offline to protect against malicious encryption disrupting operations, as recently befell Macmillan, one of the US’ largest publishers. In addition to managing backups and planning recovery options, other steps must be taken to reduce threats to daily operations. Systems and networks should be monitored in real time. DNS protections should be in place to help prevent common attacks from succeeding and capable and centrally managed antimalware agents should be maintained on all systems and devices.

6. Prepare A Crisis Response Plan

Last, CISA recommends organizations plan a popular crisis response plan. Such disaster recovery plans should list specific actions and responsibilities. Effective plans also include key stakeholders’ contact information and are regularly tested to ensure they can recover production operations as required. Such preparedness is an integral part of creating a culture of cyber readiness. Recovery plans should also prioritize who manages crisis communications—including announcing attacks and the corresponding response actions—and how, as such efforts can have remarkable impact containing and minimizing infection and disruption. Which systems and users are returned to operation first is another element disaster recovery plans must address to prove most efficient.

Get Started With A Cybersecurity Strategy

Implementing a cybersecurity strategy can prove a daunting, even intimidating, task. Fortunately there are many respected sources assisting such efforts, including:

For a thorough list of free cybersecurity tools, resources and news outlets, visit CISA’s Free Cybersecurity Services and Tools List. The National Institute of Standards and Technology, meanwhile, publishes its own Cybersecurity Framework designed to help organizations better understand and manage cybersecurity threats. Don’t let the scope of a cybersecurity strategy or number of available resources and tools delay efforts. The sooner you get started, the better. And, some quick first steps can yield remarkable improvements.

Maximize cybersecurity efforts by tackling three critical issues first:

Back up essential data
Introduce multifactor authentication
Patch and update operating systems, software programs and network equipment

The most important action is to actually get started. Not all elements need be in place, at least at first. Some preparedness is better than none. By naming a leader, determining how user education will occur, confirming how essential functions are performed and how those systems are protected and backed up, minimizing access and permissions, eliminating unnecessary outdated systems and constructing a BCDR plan, organizations can create a cybersecurity strategy and create a culture of cyber readiness. But the key is to get started.

The necessity for such technology security planning and awareness should be evident. Recent headlines confirm the need:

By beginning to implement a plan, organizations can take the essential first steps necessary for adopting and implementing a cybersecurity strategy. Or, maybe it’s time to overhaul and update a cybersecurity strategy that’s been in place but is potentially neglected or outdated.

Need help creating a cybersecurity strategy?

Still have questions or need assistance implementing or maintaining your own cybersecurity strategy? Contact Louisville Geek at 502-897-7577 or email a technical specialist at [email protected].