Planning for your Cyber-Safe 2019 – Part 1: Where do I begin?
As the turkey is wearing off and the end-of-year shopping season is upon us, I think about all the businesses that will suffer breaches on Cyber Monday. In 2017, 75% of workers admitted they will shop online from work today according to Robert Half Technology. With the average single-product security solution (think Anti-virus) being only 22% effective in stopping network intrusion, a higher than average number of companies will be breached on cyber Monday given the soaring numbers of fictitious and infected sites in cyberspace.
Think you’re ok because your computers still work and everything seems OK? The average time from infection until detection is 145 days. Hackers lie in wait on your network and creep laterally, stealing data slowly to avoid detection. You probably won’t know that you’ve been breached until sometime in April.
If you haven’t planned for how to stop your network from being infected when your employee clicks on a cyber Monday offer and infects your network, it’s probably too late. However, planning now for 2019 can help you rest well next cyber Monday and know that you’re doing all you can to protect your business.
Where do I begin planning for cybersecurity?
Often companies purchase a security product or service, turn it over to IT and declare the job of security done. Companies who do this almost certainly do not have a comprehensive cyber-safety plan inclusive of People, Process, Technology and Data.
Security products have their place in an aligned strategy. How do you create alignment? The first step in aligning security to the business is to define the 3 “R’s” for your business:
1) What gets your company Rich?
Rich can literally mean revenue or profit for commercial entities or rich can mean meeting social, government or business goals or milestones that fund the company. Securing your revenue systems, financial systems, payroll, HR and other key functions is job #1.
2) What can Ruin your company?
If your company is in the public eye, any reputation impact for privacy and security violations can kill your business. Any public trust violation or impact for which there is no reasonable recovery are ruinous events for many companies. Protecting against those events that could bring the business down is a key driver for security.
3) What is Required?
If you are in Healthcare, HIPAA compliance is required. If you’re publicly traded, SOX compliance; if FDA regulated, NIST / ISO alignment is required; if you operate in Europe or have European client data, GDPR compliance is required. These are the table stakes of security and compliance work. Meeting requirements simply and effectively is a cornerstone of any security plan.
Once you know the 3 R’s about your business, you have the foundation for a plan. Every action you take should be aligned. If what you’re doing isn’t adding clear benefit, stop doing it and align back to this model. In Part 2 of this series, we’ll talk about assessing your current security posture against the 3 R’s and determining a strategic cybersecurity plan for your business.