Five Basic Steps to Being Prepared
As 2020 kicks off, cybersecurity remains ever present in the news, whether it's predictions of cyberattacks in the conflict between state actors such as the United States and Iran, or the recent New York Times report regarding a possible hack at the Ukrainian gas company at the heart of the impeachment investigations. Additionally, this week it was reported that the chief information security officer for Mayor Pete Buttigieg's presidential campaign resigned over differences allegedly "regarding the architecture and scope of the [campaign's] information security program." Despite this week's resignation, the Buttigieg campaign was actually the first to hire a full-time cybersecurity team member. Notwithstanding a growing general awareness of cybersecurity and its importance, as the Buttigieg campaign's experience shows, lessons are still being learned in real time about implementing best practices. Here are five basic keys for unlocking cybersecurity preparedness.
Foundational Items: Budgeting and Personnel
Budgeting. Simple as it might seem, many companies still do not budget formally for cybersecurity. According to research from BTI Consulting, 55% of companies do not have a formal budget allocation for cybersecurity. Instead, cybersecurity expenditures come from existing budgets for information technology generally or legal, according to BTI. Hiding cybersecurity underneath other budgets does a disservice to the growing need for cybersecurity resources and robs certain issues of the proper context.
Take the debate over company-owned device policies versus bring-your-own-device (BYOD) policies. The latter is often cheaper, permits broader employee choice, creates less administrative hassle and, supposedly, improves productivity. To some, the choice would seem like a no-brainer. However, calling this decision out as a cybersecurity concern frames the discussion in a distinct context that is essential to understanding the initial policy question. Even if an organization decides to stick with a BYOD policy, couching the discussion in cybersecurity terms is likely to introduce important questions about mitigating the cybersecurity risk (for example, how to implement remote wiping capability via third-party software to offset some of the risk) rather than simply treating it as an IT decision. Identifying cybersecurity as a standalone budgeting item will force decision-makers to confront this issue head-on in a prospective manner and allow for proactive, forward thinking.
Personnel. Most organizations are only as good as their people. Making sure you have the right people in place to execute on cybersecurity initiatives is critical to effective and timely action. Mick Baccio, the aforementioned former chief information security officer at the Buttigieg campaign, was not hired as a chief technology officer or chief information officer. On the contrary, his role specifically related to information security.
In this case, Baccio was also an experienced hire, as he was formerly a cybersecurity official in the Obama administration. However, not every organization can afford an experienced hire, and it might be necessary to use existing personnel to stand up cybersecurity efforts until funds become available for a dedicated hire (see Budgeting above). When standing up a cybersecurity unit from existing resources, it is critical to emphasize risk management as the priority over functional departmental expertise. Put another way, consider the best way to secure a stable risk footing with the people best suited for that task rather than simply drawing technical resources from IT, legal and/or engineering.
Operational Items: Resources and Vigilance
Resources. From an operational perspective, ensuring your organization has access to resources at a moment's notice is crucial to staying current in the field and attuned to best practices. These resources range from attending conferences to a Rolodex of informed and connected advisors and service providers, not the least of which is an insurance broker with specialized knowledge of cyber insurance and how it is both relevant and applicable to your organization.
Moreover, in the physical world, we have often trained ourselves to the point of annoyance. Active shooter drills, fire drill captains, rendezvous points, disaster plans, fire extinguisher trainings and plastic bags with flashlights and bottled water are staples of the workplace. In the cyber world, when disaster strikes, if your organization does not have the resources in place to help team members take swift action in an emergency, you could lose precious moments in staving off a cascade of consequences that might be unimaginable.
Vigilance. Again, using the physical world for comparison, your organization engages in fire and emergency drills, so why not do the same for the digital world? Penetration testing (referred to as pen testing) and threat intelligence are two areas of growing attention because hackers and other cyber criminals are sharpening their tactics and taking a much more direct and targeted approach to hacking your organization. Pen tests are a method of discovering your organization's vulnerabilities and weaknesses, and they give your systems and personnel a chance to raise the walls before an attack. Threat intelligence, on the other hand, is used to gather information about and monitor cyber threats as they test those walls. Pen testing and threat intelligence might sound intimidating, but standard controls like regular password modification, multi-factor authentication and secure login credentials are still not fully implemented in every organization. This low-hanging fruit is table stakes when it comes to cybersecurity vigilance in your organization. A well-resourced and experienced cybersecurity team that remains vigilant and on guard will gather the knowledge, know-how and information to better arm decision-makers to mitigate risk and take quick action as, if and when needed.
The final basic key to preparedness is knowing how to respond to an incident. When dealing with incident response, knowledge and action go hand in hand. Take the simple example of a missing mobile device: was it left at home, or was it lifted from an employee's pocket on the subway? The answer can have dramatically different consequences for your organization. Making sure there is a means and permission structure for information to flow rapidly to the right individuals in your organization, so they can act on it, is critical in those moments while a threat is becoming an incident. Similarly, just as you would call the fire department if your house was on fire, or the police if there was an intruder in your home, in the case of a cyber incident it is time to reach out to the resources noted above, both internal and external, and put them to work for you. Remember: cybersecurity is a team sport – do not try to solve it yourself.