6 questions You Need to Ask Your IT Team About Your Company’s Cybersecurity Defense
Many executives make the mistake of thinking that if their cybersystems are working right, their business must be maintaining adequate information security programs. If airlines used the same logic for their planes, they would only perform repairs when something failed. In most cases, that would be too late to save the plane or the passengers.
Like an airplane, your information security systems need to be checked before, during and after every use in order to identify the minor glitches that can lead to catastrophic failure under stress. They also need to be pulled out of service from time to time so they can be checked and overhauled more thoroughly.
Six Cybersecurity Questions CEOs Should be Asking
Most executives don’t have the technological experience to analyze systems on their own, but there are questions you can ask your team in order to gauge the effectiveness of your current information security strategies. They include:
- Do we have an information security program?
This may sound crazy, but some businesses do manage to get by with just a collection of different security practices that don’t link together to form a solid wall around your data. If you ask this question, the answer should describe a network of interconnected hardware, software, and employee training and awareness protocols that form a cohesive defense, not a list of standalone items like passwords and anti-virus software.
- What is the organization’s information security framework?
Most programs are based on an information security framework, which is basically a checklist of best practices readily available from places like the National Institute of Standards and Technology (NIST). Are your IT department and cybersecurity team using a checklist and reporting results to you?
- Have we done an information security assessment? If so, when, and what were the results?
An assessment is basically a review of your current information security program using the framework checklist. On an ongoing basis, your systems should get a thorough review, and you should get a thorough briefing, to make sure that your company’s cybersecurity defenses are adequate to address the latest threats.
- What is our information security commitment? Does our information security budget commitment match our threat level?
Cybersecurity budget numbers will drive what your business can do within the budget period. If your assessment shows that information security is lacking, what resources are available to improve it?
In an upcoming blog post, I’ll be discussing cybersecurity budgeting in greater detail, but to give you a bird’s eye view of what spending looks like on a worldwide basis, look at the following data from Gartner, Inc.
The takeaway? Spending has increased by about 23% over the past 3 years.
- What is our information security training?
Information security training needs to work at two levels. You need your information security staff to learn constantly about the new threats that businesses face. But a business’ information protection efforts are only as strong as its least wary employee. Everyone who touches a keyboard linked to your servers, even people who use private devices on your Wi-Fi network, can expose your digital assets to breaches, viruses and ransomware.
All those users need to stay on the lookout to prevent an attack, and you need to know how your IT team is bringing employees to the battlefield when it comes to protecting your company and its customers from hackers.
- What is our plan for an information security failure?
These days, no information security plan is complete until it acknowledges the possibility that it can be breached and includes instructions for people to follow if that happens. Customers are much more willing to forgive a breach when a business shares accurate information about it quickly and helps to minimize the damage done.
Review your company’s plan with your IT and cybersecurity team, and if necessary, engage the services of a cybersecurity consultant to help you prepare for a response to a breach to your customer’s data and your reputation.
Put a Cybersecurity Assessment, Remediation and Action Plan in Place
With the information gained from a self-assessment, many executives wonder what their next step should be.
Above all, do SOMETHING.
Many organizations paralyze themselves trying to choose between good options when the most important thing they need to do is move forward. For example, say a business performs a security assessment and determines that their password protocols are weak. To strengthen protocols, it could either require longer passwords with a wide variety of characters that remain stable over time or it could allow less rigorous passwords but require that they be changed frequently. Either option is a positive step. But every day that the business delays implementation with discussions about which is best is a step backward.
When you’re ready to do something, here’s a suggested order for addressing your information security concerns:
- First, protect against the major vulnerabilities.
- Next, implement changes that address multiple weaknesses. Some improvements can address several red flags on your checklist at once.
- Fix the easy stuff. Some changes can be as quick as instructing all employees to change their passwords this week. If vulnerabilities have been identified in connections to the network from offsite, a temporary ban on telecommuting could prevent a situation from getting worse while you work on a more permanent fix.
Contact the Cybersecurity Experts at DataSure24
We can help you assess your cybersecurity program’s current strengths and weaknesses, and develop managed security, disaster recovery, and security awareness training.
For more information about maintaining and improving the day-to-day information security functionality of your business’ systems, contact DataSure24 at 716.600.3724 or connect with us here.
Cybersecurity budget benchmarks and guidance
As you might imagine, we get asked this question a lot.
And our response often surprises people because the answer isn’t some formula that says “x percent of your budget should go to cybersecurity.”
We respond by pointing out that the question isn’t just “How much should you budget for cybersecurity?” but rather “How should you budget for cybersecurity?” and “What should you budget for?” The important factor isn’t so much the amount you spend as the need to spend it wisely.
How Should a Company Budget for Cybersecurity in 2019?
When you’re trying to figure out how much to budget for cybersecurity, here are three factors to keep in mind:
Assessment is key. You can’t solve a problem if you don’t understand what it is. Every business today is legitimately concerned about its cybersecurity, but very few understand the strengths and weaknesses of their current structure, policies and processes, and by extension, how to spend wisely to shore up weaknesses. We see companies that make their situations worse by buying a security “solution” that doesn’t solve any of their existing problems or redress weaknesses, and in some cases creates new problems.
“Magic Bullets” are neither. This is the natural follow-up to the assessment item above. There is no software or hardware or combination of the two that will solve every cybersecurity problem. If it did exist, it would be outdated tomorrow. There is no substitute for finding a combination of hardware, software, training and support that focuses on the day-to-day operational security of your business in an environment where new threats arise every day.
You can’t set it and forget it. The days when cybersecurity amounted to a firewall or an encryption program that could be installed and forgotten about are over. Protecting the sensitive data of your business and your customers is a constant battle. To give you some idea of how much this aspect of cybersecurity has grown in recent years, one of the standards that we use to measure the effectiveness of cybersecurity is a checklist of 600 items. Just a few years ago, only 50 of those items had to be continuously modified to earn certification under the standard. Today, 450 items, a full 75 percent of the items necessary to pass the test, must be continuously monitored in order to be considered effective.
Cybersecurity Budget Benchmarks
Over half of the IT professionals surveyed stated that employee security training tools are the most effective solution to prevent security incidents, followed by breach detection and anti-ransomware solutions. Each employee needs to understand how vulnerable your business is to an accidental click in a phishing e-mail, and each of your IT people needs to understand his or her role in constantly maintaining and updating whatever security solutions you choose.
Figure 1: From Spiceworks "2019 Annual Report on IT Budgets and Tech Trends: Future Workplace Tech"
Employee awareness and training is usually at the top of our list when looking at cybersecurity budgets. The easiest way for a hacker to penetrate your business is through employees being duped into giving cyber thieves access to company files.
It’s also interesting to note where companies will be increasing their overall IT budgets in 2019.
The Spiceworks study reveals that, relative to overall IT spending, about two-thirds plan to increase their IT spending to upgrade outdated IT infrastructure. It’s interesting to note, however, that 56% intend to increase the IT budget for “increased security concerns”.
Figure 2: From Spiceworks “2019 Annual Report on IT Budgets and Tech Trends: Budgets"
These two factors are far from mutually exclusive; in fact, they’re almost symbiotic. If your business is among those considering hardware upgrades, it’s important to remember that the new infrastructure will have to integrate effectively with your overall information security strategy and framework.
Contact the Cybersecurity Experts at DataSure24
In short, spending effectively for cybersecurity is about how you use your money, not just how much money you use. Your budget needs to:
- Include an assessment of your needs,
- Understand the interaction between software, hardware and the people who use them, and
- Fund the monitoring and maintenance of whatever solution you choose.
Keep these three items in mind and you’re more likely to get the full benefit of the money you spend on cybersecurity.
We can help you assess your cybersecurity program’s current strengths and weaknesses, and provide budgeting guidance that will enable you to spend smarter and create a better security program.
For more information about budgeting and planning for cybersecurity upgrades, please contact DataSure24 at 716.600.3724 or connect with us here.
7 plays that should be in your cybersecurity playbook to better protect your company from hackers and cyberthieves
They’re waiting for the shoe to drop in the form of ransomware, stolen customer personal account information, asset appropriation, or even brazen grabs for intellectual property made available through missteps made by gullible employees.
It’s extremely likely, for example, that right at this very moment without your knowledge, information from or about your company in the form of stolen passwords, credit card numbers, and personal information is being traded on the Dark Web.
Installing and managing a robust cybersecurity defense strategy after the fact is not a solution. There’s no lack of cybersecurity facts, figures and statistics available that should drive small and medium-sized business owners to sleepless nights and fears of writing big checks to cyber consultants and software companies.
Do you really need to raise your hand and surrender, or can you go on the offensive with a cyber attack strategy and pitch a shutout?
Going on the Offensive Against Cyberattacks
Truth be told, there will never be a way to secure a 100% guarantee that your company won’t be exposed to cyber risk or attack, but rather than ignore the situation or wait for the inevitable, it is time to consider going on the offensive.
Going on the offensive means installing layers of cybersecurity products, services and technologies that deliver 24x7x365 monitoring and robust barriers that stop or even defeat attacks in real-time. It means keeping abreast of threats and the technologies available to deal with those threats. It means a well-educated and responsible workforce. It also means developing, installing and monitoring plans, processes and technologies acting in concert with one another, rather than as unrelated standalone capabilities.
Today, integrated cybersecurity defense is the new cybersecurity offense.
A Playbook for a Cybersecurity Defense Strategy
Your Cybersecurity Playbook must be able to deal with the whole time continuum: the present (24x7 security monitoring), the future (vulnerability scanning) and the past (Dark Web scanning and reporting). Here are seven plays that can serve as a foundation for your organization’s offense strategies against cybercriminals:
- Cybersecurity Strategy Play 1: Have a security assessment conducted and a penetration test completed on a regular basis to expose internal and external risks
- Cybersecurity Strategy Play 2: Create and execute a remediation plan to address issues found in the assessments and penetration tests
- Cybersecurity Strategy Play 3: Ensure that your business has a robust backup solution in place, in addition to a disaster recovery plan, to mitigate data loss and ransomware impacts
- Cybersecurity Strategy Play 4: Identify a tool set for 24x7x365 managed continuous security monitoring to identify attacks happening in real-time
- Cybersecurity Strategy Play 5: Purchase an annual security awareness training program subscription for all of your employees to participate in
- Cybersecurity Strategy Play 6: Do regular scans of the Dark Web to identify your exposure. You can do this free of charge, with the compliments of DataSure24, here.
- Cybersecurity Strategy Play 7: Create, install and do regular, periodic updates of a disaster recovery and response plan for your company.
Let Us Help You Develop, Install and Manage a Cybersecurity Playbook for Your Company
The cybersecurity experts at DataSure24 stand prepared to render assistance, consultations, services and products to help you protect your computers and network.
We provide Managed Security services, including vulnerability scanning and intrusion detection, as well as Disaster Avoidance/Recovery solutions for protecting data, maintaining availability and minimizing cyber-attacks. We also provide a variety of Security Training Awareness programs and services for making your employees a critical part of your company’s cybersecurity defense systems.
If you are concerned about your company’s ability to fend off a cyberattack, complete and submit the form or call me at 716.600.3724 ext. 225 and schedule a no-cost, no-obligation review of your situation today.