by Foluwa T. Rewane, Founder, CEO, & vCISO, Iron Defence Security Corporation
I wrote this article in response to what is currently happening around the world with regards to cybercriminals' scams that are taking advantage of all of our sympathies and empathizes associated with the COVID-19 pandemic. With the ever-increasing cybercrime rate, there’s pressure on companies to take responsibility for their cybersecurity measures. This means the development of the best cybersecurity practices and creation of an effective plan to keep cyberthreats at bay.
The first step is safeguarding your company’s databases and ensuring tight security around valuable corporate information, by developing a strong cybersecurity plan. While this sounds simple, it requires sufficient time, understanding, and effort to create a plan and make sure that it is being consistently followed.
The level of sophistication of current cybersecurity threats means that there should be procedures in place on how to deal with an incident timely and effectively.
In this article, I am providing you with a roundup of the key elements of a cybersecurity plan that can ensure and strengthen your organization’s defense against rising cyber-attacks. So, let’s get started.
1. Leadership Commitment
To be able to implement a successful cybersecurity plan, it is vital to have the entire company leadership on board. This is because cybersecurity affects all aspects of the organization and business and without having the leadership involved in the process, will complicate and even hinder development, implementation, and maintenance of security protocols. You will need the approval of the senior management to enforce security policies and guidelines on an organization-wide level. Once they commit to the plan, you can allocate the necessary resources and budget to do the job.
2. Risk Assessment
To be prepared for combating cyber-attacks, you first need to risk assessment to identify all the threats and prioritize them. You can perform a risk assessment by ranking your company’s data and assets in priority order based on the value that would be last in case a theft or breach occurs.
For example, an email ID list getting leaked may or may not be so damaging, but a customer’s credit card records getting stolen is worrisome. Anything that scores above a certain threshold (determined by your overall resources) needs to be prioritized.
3. Classification of Data
A company wide classification of data is one of the initial steps to devising and implementing a cybersecurity plan. This includes categorizing what’s private and what’s public.
For example, the information you can make public would be everything that your competitors can view without posing any danger to your company such as advertising information or contact details. On the other hand, private information such as product development procedures and new launch timelines should only be accessed by employees or partners on a need-to-know basis.
Further categorizing of data would include who can access what kind of data and to what extent, how data has to be stored or shared, how it is backed up, and so on.
4. Defence Measures
When you have identified and prioritized your biggest security threats you need to start putting out the defenses in place. While some particular threats may need more sophisticated defense mechanisms, most can be addressed with relative ease. Some of the basics that you can begin with include:
Data Access Control
This ensures that employees can access information that is relevant to their job roles so that unnecessary information sharing and potential data leakages can be limited. This also brings down the risk of insider data breaches, whether malicious or unintentional. Furthermore, if a cyber thief somehow breaks into an employee’s account, they won’t have access to the company’s entire database.
Password Policies
Train your employees on how to create strong passwords and keep them private. This can significantly reduce the number of company accounts getting hacked.
Multi-Factor Authentication
It can further mitigate the risk of accounts being compromised. This requires the employees to provide a combination of something they know, i.e. a password or code. It also includes a one-time code sent to them on their mobile phones or email IDs.
5. End-User Education
A very crucial part of any good cybersecurity plan is to train the employees about cybersecurity. The most common errors that result in sensitive data getting stolen are human errors. Every employee should be well aware of phishing attacks through emails and links and should the knowledge and tools to deal with cyber threats they may face during their routine working. Employees should know how to keep their data private and that they shouldn’t share any passwords with co-workers.
6. Cyber Resilience and Business Continuity Planning
Once the right security measures are in place, your organization would feel confident in their ability to defend against any attack that may come their way. However, you should also consider the possibility of failure or things getting completely out of control. In such cases, you need to have a disaster recovery mechanism available.
The concept of cyber resilience and business continuity planning enables your organization to both defend against attacks and also implement measures to limit the damage in case a successful attack occurs.
7. Cybersecurity Professionals
The single biggest threat to organizations all over the world is the shortage of a qualified cybersecurity workforce. Without the right professionals in place, you will not be able to establish, implement and maintain any kind of cybersecurity measures. This is why more and more businesses are being challenged to step up their IT security workforce and hire professionals who have the necessary set of skills needed to manage cybersecurity for your business.
Whether you train current employees or do new hiring, your company must have a team of experts on hand to implement a cybersecurity plan.
In Conclusion In this era of technology, cybersecurity is needed to prevent and protect the internal systems, networks, and technologies from unauthorized access. The elements discussed above form the basis of an effective and systematic cybersecurity approach. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Foluwa T. Rewane is a cybersecurity consultant and CEO of Iron Defence Security Corporation, a Toronto, Canada based security firm specializing in cybersecurity solutions for small and mid-sized businesses. When Foluwa is not battling cyberattacks, you can find him spending quality time with his wife and three kids. You can reach Foluwa via Twitter, twitter.com/FoluwaTRewane at his handle @FoluwaTRewane.