Are you responsible for the cyber security plan for your company and not sure where to begin to ensure your program is up to the test of a cyber attack? Or, perhaps you are not directly responsible for cyber security, but as a manager you want to understand the risks? Cyber security can be complex and confusing, but there are some basic steps that can help you develop a more robust cyber security plan.
Follow these recommended actions in our cyber security strategy guide:
Take a complete and accurate inventory of your IT assets.
Security of any type is concerned with protecting assets. In the case of cyber security, those are information assets. But how can you begin to protect those assets if you don’t know exactly what and where those assets are?
Having a complete inventory of your information assets is a great starting point for any cyber security plan. Get a complete and accurate network diagram. Maintain a ledger of all devices connected to that network including applications, operating systems and version numbers for each device.
Have a vulnerability management and patching program tied to your inventory of assets.
Knowing where each network device resides is only half the battle. It is even more important to always know the vulnerability status of each device, so run automated vulnerability scans of the entire network at least monthly, preferably more frequently. Review the vulnerability reports and apply the recommended patches as quickly as possible. Vulnerabilities are what hackers are seeking in your network because, when left unpatched, they can be exploited in such a way that the hacker can take control of that device, establish a network presence, and eventually find their way to other valuable assets on the network.
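One way to tie the asset ledger to scan results, shown as an added example that is not part of the original article. The addresses, device names and scan data are constructed, and the 31-day threshold is an assumption standing in for "at least monthly".

```python
from datetime import date, timedelta

# Constructed sample ledger: one row per device, as the inventory step describes.
INVENTORY = {
    "10.0.0.5":  {"name": "fileserver01", "os": "Windows Server 2019", "version": "1809"},
    "10.0.0.12": {"name": "hr-laptop-07", "os": "Windows 11", "version": "23H2"},
    "10.0.0.20": {"name": "core-switch", "os": "vendor firmware", "version": "4.2"},
}

# Constructed sample scan results: (address, scan date, open findings with a patch available).
SCAN_RESULTS = [
    ("10.0.0.5", date(2024, 5, 28), 3),
    ("10.0.0.12", date(2024, 4, 2), 0),
    ("10.0.0.77", date(2024, 5, 28), 1),  # answers on the network but is not in the ledger
]

MAX_SCAN_AGE = timedelta(days=31)  # assumption for "at least monthly"


def reconcile(inventory, scan_results, today):
    """Compare the asset ledger with scan results and return the gaps between them."""
    latest = {}
    for addr, scanned_on, findings in scan_results:
        # Keep only the most recent scan per address.
        if addr not in latest or scanned_on > latest[addr][0]:
            latest[addr] = (scanned_on, findings)

    report = {"unknown_devices": [], "never_scanned": [], "stale_scan": [], "needs_patching": []}
    # Devices the scanner saw that the ledger does not list: the inventory is incomplete.
    report["unknown_devices"] = sorted(a for a in latest if a not in inventory)
    for addr in sorted(inventory):
        if addr not in latest:
            report["never_scanned"].append(addr)  # vulnerability status unknown
            continue
        scanned_on, findings = latest[addr]
        if today - scanned_on > MAX_SCAN_AGE:
            report["stale_scan"].append(addr)  # last scan is older than the threshold
        if findings > 0:
            report["needs_patching"].append(addr)
    return report


if __name__ == "__main__":
    for gap, addrs in reconcile(INVENTORY, SCAN_RESULTS, date(2024, 6, 1)).items():
        print(f"{gap}: {', '.join(addrs) or 'none'}")
```

Each list is a separate work item: unknown devices go back to the inventory step, never-scanned and stale devices to the scan schedule, and the rest to patching.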
Conduct an awareness and training program for all users.
The users of a network – the employees, vendors, contractors and customers – can be your greatest vulnerability in terms of cyber security. And again, as vulnerabilities, they may be targeted by hackers via phishing or social engineering scams in order to get them to do something – reveal private information, transfer unauthorized funds or expose a password – that eventually compromises network security.
Educate your users. Publish an “Acceptable Use Policy.” Train users on safe email and browsing practices and how to recognize social engineering scams. Teach them how to create a complex, easily remembered password. Investing in user awareness will not cost much compared with other components of your cyber security plan, but the return on investment can be substantial.
Continuously monitor information assets.
Continuous security monitoring is recommended for your network. Most, if not all, devices on your network are capable of generating continuous log data that reports activity on the device at any point in time. By aggregating, correlating and querying this data, you can surface indicators of compromise that prompt an alert to the network administrator or security official, resulting in quick threat eradication.
Managing one’s own Security Operations Center (SOC) or contracting to a Managed Security Services Provider (MSSP) can be costly and technically complex, incorporating state-of-the-art data science, data enhancement and current threat intelligence. As an alternative, Zurich now offers all cyber policyholders, through a third party, an option for continuous security monitoring* for up to fifty devices as part of their policy.
Plan for incident response.
Assume something will go wrong, no matter how good your cyber security plan is. Your overall plan should define who takes the lead, who is on retainer for outside assistance (legal, forensic, law enforcement), and internal and external communication in responding to a cyber incident. Have a “playbook” for different scenarios: data breach, IoT intrusion, ransomware, etc. Once you have the plan and the playbooks, practice them, test them and fine-tune them.
Starting with the basics and building upon them goes a long way in helping to protect your company in case of a cyber security event.
* ZenOpz is not a subsidiary or affiliate of Zurich and use of their products and services is independent from any Zurich products or services. Zurich expressly disclaims any and all damages and other costs that may arise related to the use of or reliance upon the products, services, representations or warranties made by or on behalf of ZenOpz.