Building a Cybersecurity Strategy


As we enter the fast track to 2020, the cybersecurity threat landscape is top of mind for every C-suite executive, especially CIOs and CISOs. The new year promises new challenges and many hurdles for businesses of all kinds. There will be the usual attacks (phishing, ransomware, malware, etc.), but there will also be more devastating and debilitating ones that, when triggered, can hit critical infrastructure.

Thus, the C-suite will be pressed to develop and implement new plans to protect their organizations. This requires a solid understanding of cybersecurity strategy. Here are some important considerations to keep your organization safe.

What needs to be considered?

When determining their specific strategy, the CIO or CISO needs to consider certain aspects of the IT and network infrastructure, including the following:

Employee Training:

This is a key component of any cyber-related strategy. Some details that need careful attention are:

  • What is the frequency of the employee training program? Many organizations have adopted a “once and done” mentality: once employees have received a round of training, they are done with it. This is far from the reality. Employees need to be trained on a continual basis, at least once a quarter, so they stay up to speed on the latest threat vectors and know what to be on the lookout for.
  • Are they reminded of the penalties for not abiding by the security policy? Employees are often viewed as the weakest link in the security chain, but this does not have to be the case. They need to be reminded, in a professional and fair manner, of the consequences of not maintaining proper levels of “cyber hygiene”.
  • Are employees rewarded for being proactive? For your team to stay encouraged to do the right things over the long term, they have to be motivated. One of the best ways to do this is to recognize and reward employees who have helped thwart a cyberattack.

Patch and Update Programs:

Along with employee training, a patch and update program is a crucial aspect of cybersecurity. Many businesses still fail at this, despite the many news headlines they come across about data breaches and the theft of customer PII (personally identifiable information) records. Here are some things that need to be specifically addressed:

  • First of all, is there even a software patch and upgrade process in place? If not, one needs to be implemented immediately.
  • Is there a dedicated resource to handle this task? With IT staff frequently stretched thin, an individual or perhaps a small team should be assigned to this task, since it can be a daily chore. This person or team needs to determine which patches and upgrades are relevant and the process for deploying them. It is also best that they foster a relationship with the different vendors the organization uses, so that they can get quick answers to any questions or issues.
  • Are software patches and upgrades tested before they are released into the production environment? Although it may seem counterintuitive, some patches can themselves contain security vulnerabilities, and thus pose an even greater harm. As a result, they must be tested in a “sandbox” to make sure they work properly with both the hardware and software in the IT and network infrastructure.

Data Backup:

After a business has been hit with a cyberattack, it is critical that it maintains business continuity and resumes mission-critical processes as soon as possible. Any prolonged period of downtime means lost customers and depleted revenue. Here are some key areas to pay very careful attention to:

  • Is there a data backup plan in place? If not, one needs to be created and implemented immediately. It is equally important that the IT security staff rehearse the plan on a regular basis, so that in the case of a disaster they can get mission-critical processes up and running without guesswork or delay.
  • How often are backups done? Like employee training, backups need to be regularly scheduled. The best advice here is that all databases should be backed up every few hours. At the very minimum, it should be done by the end of each business day.
  • How many backups are there? Many businesses still use traditional tape backup systems and store them on-premises (at the same place where the databases are housed). This is not a good idea: what if the entire premises are taken out by a natural disaster? How can the business resume operations as soon as possible? You need a plan for at least two backups: one physically located at another site and one stored in the cloud. Today, the latter offers various options for very affordable and cost-effective storage. If you choose to keep all backups in the cloud, it is important to have redundancy.

Remote Access:

In today's workplace, many businesses exist virtually, allowing their employees to work remotely from the convenience of their homes. Although this can be advantageous for productivity and morale, it can also pose a grave security risk. Here are some important aspects of protecting a remote workforce:

  • Are the lines of network communication secure? As the remote employee logs into the corporate network, the flow of communications in both directions must be protected against cyberattacks. Strong encryption must be used, such as that provided by a Virtual Private Network (VPN). With this kind of technology, two layers of network communication are established, with the outer layer masking the one the remote employee is using to log in and access shared resources.
  • Is more than one layer of authentication being used? Most of us have heard of 2FA, or two-factor authentication, where two kinds of mechanism are used to confirm the identity of the remote employee. Even this is not always proving to be enough, so many organizations are using more, which is now called multifactor authentication, or MFA. In these cases three or more factors are used, which could be a combination of a password, a hardware token such as an RSA token, and a biometric modality (such as fingerprint or iris recognition). If your business calls for robust security, you should use the MFA approach.
  • Are the endpoints secure? There is still a fallacy that once the lines of network communication are secured, all is taken care of. However, the “endpoints” also need attention. These are simply the points where the communication flow originates and terminates. Many businesses fail to protect these endpoints, and because of that, they are a prime avenue for cyberattacks.

Passwords:

This is the oldest form of authentication still in use today, and despite all of its weaknesses, it remains the top choice across the board. As much as employees hate using passwords, they do not have to be such a nemesis anymore. Consider this:

  • Are you making use of a password manager? This is a software application that stores passwords and offers the following key advantages:
      • Employees no longer have to remember long and complex passwords. The password manager can create these according to the parameters set forth in your security policy. This avoids the problem of employees writing passwords on a Post-it note and sticking it to their monitor (affectionately known as the “Post-it Syndrome”), or creating passwords that are very easy to guess (such as “12345” or “password”).
      • You do not have to keep reminding employees to reset their passwords. The application does this automatically and seamlessly, without hiccups or delays to daily worker productivity.
      • It provides alerts in the case of password misuse. If a password has been hijacked or stolen, the application will immediately notify the employee and their immediate manager of the incident and instantly create a new password.

But despite the advantages of a password manager, it does come with one disadvantage: the cost of password resets, which typically runs a business, on average, about $350 per year per employee. An alternative is biometric single sign-on (SSO) solutions, which involve a swipe of the finger or a quick scan of the iris to log employees into their workstation or wireless device in seconds. This eliminates the need for passwords.

How can you build the best cybersecurity strategy?

CIOs, CISOs and other IT decision-makers need to keep many factors in mind when deploying their cybersecurity strategy for 2020. There are the well-known, best-practice security measures that should already be established but need to be maintained, and then there is the ongoing task of combating ever-evolving, more complex cyberattacks.


Need more help with your cybersecurity plan? Tech Guidance offers security advice, vulnerability scanning and penetration testing – all free of charge. Just submit a consultation request.
