These are difficult times for those charged with protecting data, and this challenge is especially tough for the C-Suite and Board members or even small business owners who may not have any formal training or experience with cybersecurity and compliance.
Here are the key things you need to know (or find out) about your cybersecurity, based on the National Institute of Standards & Technology (NIST) Framework.
Identify – What data does your organization transmit and/or store? This is critical, as you need to know what types of data you have in order to know which compliance requirements you need to meet. If you process credit cards, PCI will apply, health data may fall under HIPAA, if you maintain Personally Identifiable Information (PII) then it’s likely State regulations will apply and even the new GDPR regulation if you have PII on citizens of the UK. A data classification project should be your very first step. Talk to heads of each department as even your IT team may not realize all of the types of information being processed.
Protect – Now that you know what you have, confirm what is in place to protect it. All sensitive data should be encrypted and should be accessible only by the staff who need to use it to lessen your exposure should a breach occur. Two-factor authentication can be put into place to require something in addition to a login and password to gain access. For example, our portal uses Google Authenticator to generate a random token to a cell phone, so after we enter a login and password, we need to enter that token. Even if our credentials were compromised, the hacker couldn’t get in without the token.
Detect – This is a critical and often overlooked piece in cybersecurity. Since the ultimate responsibility to protect the data falls on the highest rank in the organization, you need to know what is in place to detect unusual behavior on the network. Simply having antivirus software is no longer enough – malware is constantly evolving and the protections that rely on signatures cannot keep up. Behavior-based solutions and 24/7 monitoring should be in place for key systems, and you should define what types of incidents you want brought to your attention instead of assuming IT has it all covered. We provide monthly or quarterly briefings which give context to alerts during the period and can keep you updated about threat activity.
Respond – Confirming that your team will make you aware of incidents also provides you an opportunity to proactively think about how the organization will respond to them. Do you have the expertise on staff to quickly identify threats, know what action to take, understand what you are required to report under compliance, and how to remediate without compromising logs or other evidence that could be needed if litigation occurs? Most organizations do not, so make sure you have an outside incident response resource available before an event occurs.
Recover – In addition to the obvious goal of getting back to business as quickly as possible after an event, you will also want to use every event as an opportunity to get stronger. Analyze what happened, and what has been done to prevent it in the future. If clients were affected, what kind of follow-up communication will you want to provide from your level to reassure them? How you handle recovery can make a huge difference in the overall cost of the event, so don’t skip over this step.
Whether you go through these steps internally or leverage an outside resource to help you, make sure you understand these cybersecurity basics so you can be effective in your responsibility to manage the risks.
Want to know more about how we can help? Read our cybersecurity consulting-case-study!