Building an effective cybersecurity program is like building a three-legged stool. It requires a commitment to people, processes, and technology. All three must be working together to support the weight of your program. If one area is lacking, the other two can’t support the weight. If you want a strong cybersecurity program, it requires an intentional focus on all these areas.

While cybersecurity requires a long-term commitment, it is not extremely complex. There are basic, fundamental principles that any organization can utilize to create a secure environment for its data.

Fundamental Steps for Building or Strengthening a Cybersecurity Program

Whether you’re looking to build a cybersecurity program from the ground up, or simply looking to strengthen your existing processes, here are six fundamental steps we recommend to help you focus on people, processes, and technology.

  1. Identify and classify sensitive data. Whether it’s customer payment information, patient health records, personal financial information, or intellectual property, every company has sensitive data it stores, processes, and transmits to conduct business. As a business, it’s your duty to protect it. To do so, you first must acknowledge the nature and type of sensitive data that you have.
  2. Locate Data Storage Points. Once you identify what sensitive data you have, you must determine where it is stored. In addition to obvious locations like databases, does that information live in spreadsheets or in text documents on file shares? You can’t protect sensitive information if you don’t know where it is. Completely protecting every device (computer, mobile device, etc.) within your organization may be an impossible task. But, what you can do is identify where sensitive data exists in your environment and build controls around the processes that store, process, or transmit it.
  3. Maintain Hardware and Software Inventory. As simple as this seems, this is an area where organizations are impacted the most, including the infamous Equifax breach. When critical vulnerabilities are announced, you need to know the specific devices in your environment that must be updated or patched. Creating and maintaining an inventory of your hardware and software devices is key to establishing a solid cybersecurity program.
  4. Implement Employee Training. Cybersecurity is not solely an IT issue, it’s a business issue that requires a culture of security adoption. At the end of the day, protection of sensitive data comes down to the end users who are handling it. If they don’t know or understand their responsibilities for protecting sensitive data and interacting securely with a company computer system, they may unknowingly put you at risk. Your employees must be trained to recognize and report phishing attacks and baiting, and should be well-versed in password management to protect your systems and data.
  5. Enforce Multi-Factor Authentication. Many companies have employees who access company systems remotely. In most cases, access to sensitive systems and data is protected only by a password. Experience has shown that user-selected passwords are typically easily guessed, or can be obtained via a simple e-mail phishing attack. If multi-factor authentication is not required for all remote access, an attacker that obtains a password will have no trouble accessing remote services, and that typically leads to access to sensitive data. Nearly half the incidents our forensic and incident response team at LBMC has dealt with in the past six months could have been prevented if multi-factor authentication would have been implemented for systems that offer remote access, especially email systems.
  6. Engage Trusted Partners. Limited time and staffing are the most common challenges businesses face when it comes to effective cybersecurity. Having a third-party to perform penetration testing or risk assessments for your organization is key to getting an objective validation that your cybersecurity program is effective and that your sensitive data is as secure as possible.

The Human Factor in Cybersecurity

Cybersecurity’s success hinges on addressing the most challenging threat: employees.

Leaders emphasize the importance of:

Multi-Factor Authentication:

Routinely employ multi-factor authentication to bolster access control.

Employee Training and Accountability:

  • Conduct regular, clear employee training sessions, incorporating an Acceptable Use Policy.
  • Establish employee responsibility expectations and define misuse.

Protection of Removable Media:

  • Highlight the risks associated with unauthorized use of removable media.
  • Emphasize proper configuration settings to prevent data compromise.

Excelling at Cybersecurity: A Simple Template

1. Identify Potential Targets:

  • Recognize sensitive data and critical systems as potential targets.
  • Assess and manage risks while considering the organization’s risk appetite.

2. Planning and Administration:

  • Elevate cybersecurity discussions to the boardroom.
  • Communicate in a non-technical, positive manner, focusing on combating cybercrime.

3. Effective Communication:

  • Align legal, audit, and compliance channels with cybersecurity objectives.
  • Seek feedback and buy-in from allies outside the boardroom.

4. Program Execution:

  • Develop robust security policies.
  • Create a comprehensive asset inventory and classify all data.
  • Embrace multi-factor authentication for all remote access channels.

Tips for Success

Community Engagement:

Connect with a community of cybersecurity peers for insights and alternative perspectives.

Ongoing Risk Assessments:

Continuously assess and remediate significant risks.

Effective Communication (Again):

  • Hone your message with peers and allies.
  • If your recommendations are ignored, consider seeking a more receptive employer.

Effective Cybersecurity is a Daily Commitment

Cybersecurity isn’t a one-time project; it’s a continual process. In a rapidly evolving technological landscape, staying protected requires dedication. LBMC Cybersecurity stands ready to support your organization’s ongoing commitment to cybersecurity, you can connect with our team at any time.