Adequate cyber security is a cultural, organizational and technological issue. Security doesn’t just reduce threats from the outside; it reduces downtime and stabilizes revenue.
“We need to think of security economically and statistically, not just as an IT matter,” says Lemon Williams, Cyber Security Consultant and Strategist.
Williams currently acts as Managing Partner at The Ionado Group specializing in cyber and emerging technologies, with two decades of experience in information security and control systems technology.
Operational risk is the risk of loss resulting from inadequate or failed execution of core business functions. There is no such thing as a risk-free operation, so increasing resistance to threats does not mean being incident-free; it means reducing the probability of loss in a measurable, repeatable way. Today, most important business data resides electronically on servers, desktops, laptops or somewhere in the cloud, but not long ago it sat in a filing cabinet, and some still does. Good information security is concerned with keeping data in any form secure yet accessible for business needs, and it encompasses the full range of policies, practices, tools and concepts needed to do that.
Most organizations already have the tactical protection technologies, such as intrusion detection, anti-virus, password management and devices like firewalls, that secure electronic assets and control access to their systems.
Here are seven important but lesser known practices to increase your company’s cyber health.
Raise Security Consciousness
Security awareness is vital at all levels of an organization. Emphasize and communicate leadership's commitment to sound cyber security practices. Raise awareness of the threats that actually apply to your business and why vigilance matters. Circulate email and memos on the dangers of techniques like social engineering and phishing. Discuss in meetings how businesses like yours have been compromised. Foster a culture that promotes and rewards security-minded approaches to doing work across the entire company.
Adopt a Security Framework That Complements Your Regulatory Obligations
Your company may already be under one or more regulations that necessitate heightened information security practices such as:
- the EU General Data Protection Regulation (GDPR), which addresses data protection and privacy for any company, wherever it is located, that collects or processes personal data of individuals in the EU
- the Health Insurance Portability and Accountability Act (HIPAA), which applies to U.S. health care covered entities and their business associates to ensure the confidentiality and security of protected health information
Depending on the regulation, selecting a suitable established framework can jumpstart a sustainable security program and take the guesswork out of maintaining it. The International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) publish catalogs of security controls, such as ISO/IEC 27001/27002, the NIST Cybersecurity Framework and NIST SP 800-53, that can be tailored to the needs of industries such as agribusiness, finance and energy.
Implement Robust Asset Management
Good asset management provides a standardized, consistent means to identify the high-value electronic data, assets, systems and devices that are critical to operations. This both ensures adequate security for those assets and limits the population of assets that receive the most rigorous security measures, which keeps cost under control.
Asset management also provides the basis for controlled, deliberate change management of cyber systems whose compromise could lead to exploitation or instability. A hallmark of a mature security program is focused, deliberate control of access to assets and of their maintenance. With an accurate inventory, cyber security policy can state the "where" and "how" of protecting critical assets in very concrete terms.
Implement Supply Chain Risk Management
Supply chains have become increasingly dependent on electronic systems. As others provide supporting functions necessary for your business, you extend your information system endpoints outside your own defense perimeter. Supply chains are linked, so a successful compromise at one supplier can be carried across the entire supply chain infrastructure, giving malicious actors versatile, effective options. "Hack one, control them all."
Many enterprise risk management programs lack a readily identifiable, end-to-end risk management governance layer that addresses all supply chain interdependencies and key cyber dependencies at every tier of the supply chain ecosystem. Supply chain cyber attacks and the sophistication of the attackers are outpacing government regulations and the ability of organizations to identify, protect and respond across what can be very complex supply chain ecosystems.
Employ Two-factor Authentication
Two-factor authentication (2FA) adds a second, independent factor to an account log-in. When you enter only a username and one password, that is single-factor authentication. 2FA requires the user to present two of the three types of credentials before gaining access to an account; two credentials of the same type (for example, a password and a PIN) are still a single factor.
The three types are: something you know, such as a personal identification number (PIN), password or pattern; something you have, such as an ATM card, phone or fob; and something you are, such as a biometric like a fingerprint or voice print.
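The "something you have" factor is most often a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app from a shared secret. The following is an added example, not code from the original article; it implements TOTP generation and server-side verification, including the two details that are easy to get wrong: a small clock-drift window and replay protection so a captured code cannot be reused. The secret is the RFC 4226/6238 reference test secret, so the codes can be checked against the published vectors; the function and variable names are the example's own.

```python
"""TOTP (RFC 6238) generation and verification, added as an illustration."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
# In production the secret is generated per user with a CSPRNG and shown to
# the user once (usually as a base32 string inside a QR code).
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte
    counter, dynamic truncation to 31 bits, then the low `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_used_counter: int = -1, window: int = 1,
                digits: int = 6, step: int = STEP_SECONDS):
    """Verify a submitted code on the server side.

    Accepts codes from `window` steps either side of the server clock to
    tolerate drift, compares in constant time, and refuses any counter at or
    below `last_used_counter` so an intercepted code cannot be replayed.
    Returns (accepted, counter_to_store_for_this_user).
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False, last_used_counter
    current = at_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # already consumed or older than the last accepted code
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("current code:", code)
    ok, used = verify_totp(TEST_SECRET, code, now)
    print("accepted:", ok)
    ok_again, _ = verify_totp(TEST_SECRET, code, now, last_used_counter=used)
    print("replay accepted:", ok_again)
```

The server must persist the returned counter per user; without it, any code remains valid for the whole drift window and a phished code can be replayed within that window. The shared secret is a password-equivalent and needs the same storage care as a password hash would, but it cannot be hashed because the server must compute the same HMAC.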
Don’t Forget Data Disposal
Purging data that is no longer required for business purposes is as important as maintaining it. A robust plan for the disposal and reuse of equipment used to create or store sensitive data, and for how to irretrievably erase that data, must be in place.
Draft policies to make sure that data on repurposed or replaced hardware is thoroughly erased or destroyed, going so far as to have drives professionally sanitized or physically destroyed. Note that a simple overwrite is not reliable on solid-state drives and flash media, where wear leveling can leave copies of old blocks; for those, use the drive's built-in sanitize or cryptographic-erase command, or destroy the device. NIST SP 800-88 gives media-specific sanitization guidance.
Set Proactive Cyber Security Program Timelines
Your program should include the following activities at these minimum intervals:
- Monthly, perform security awareness reinforcement and have a mechanism for reviewing unusual activity
- Quarterly, review account and password hygiene and track metrics such as cyber-related downtime (note that current NIST guidance in SP 800-63B advises against forced periodic password changes unless there is evidence of compromise; screening passwords against breach lists and requiring 2FA are more effective)
- Annually, have a third-party audit of cyber and physical security and conduct companywide training