November 06, 2018
How to Get Your Cybersecurity up to Speed
Share This Post
Smaller businesses are no longer able to depend on cybersecurity by obscurity
Technological protection is readily available in the form of firewalls, cryptography (the use of HTTPS being almost universal now), spam filters, anti-malware and so forth. Major OS vendors such as Microsoft have also improved the security of their products with built-in firewalls and cryptography. None of this will work, however, if patching of the thousands of vulnerabilities discovered every year is not kept up-to-date. (Grimes, Roger, Hacking the Hackers Wiley 2017 ISBN 978-1-119-39621-5). These defenses are also subject to failure due to social engineering or the discovery of a “zero-day” vulnerability by hackers. Zero-day because once discovered there are zero days available for vendors to provide a patch (AT&T 2017 Global State of Cybersecurity).
Technology is not enough to respond to attacks. Experts agree we’re facing an onslaught of malware, a new one being devised every few minutes (Cisco 2018 Annual Cybersecurity Report). Experts also agree that a primary vulnerability to hacker attacks is social engineering -- a phishing email with a malware loaded macro, file or link that an unsuspecting employee clicks thereby opening their employer to a data breach or ransomware attack.
IoT (the internet of things) is also a major source of concern as internet-connected convenience devices proliferate and provide entry points for hackers. Passwords may also be a new/old frontier for cybercriminals. Janet Cloud eloquently describes the need to develop a cyber safety culture in her
If you’re early stage, using an SDN (software-defined network) and moving to the cloud could be wise especially given that “hold-harmless” and other indemnification agreements can significantly transfer liability to the vendor. In any case you want to seek a balance between frugality and risk by carefully planning the implementation of your CS systems; understanding the impact of mobile, obsolete and exposed devices, and special requirements such as PCI (Payment Card Institute) security requirements that may invoke penalties, HIPAA(Health Insurance Portability and Accountability Act) if you’re in healthcare, or the GDPR (General Data Privacy Regulations) if you’re doing business in the European Union. If your company does not yet have an IT department there are plenty of vendors who can take care of your needs. As always, carefully vet, interview and seek proposals from at least two or three of these companies
In order for cyber defense efforts to be effective, a single designated C-suiter should be in charge of cybersecurity instead of a committee, the IT department or the developers in a software company. Defender response is best a blend of documented procedures that includes cyber hygiene training.
The Advisor IQ video https://www.execrank.com/advisory-id-class/cyber-security-for-start-ups by Randall Duran describes a phased approach to cybersecurity. He suggests starting with the no-cost NIST (National Institute of Standards and Technology) Cybersecurity Framework https://www.nist.gov/cyberframework or the ISO/IEC https://www.iso.org/standard/73906.html. Documentation is exceptionally important as are Policies and Operational Procedures including Recovery Planning. Fortunately, many templates are available on the internet.
Also, consider obtaining Cyber Liability Insurance from your broker. These policies are now available packaged with your regular property policy CGL (corporate General Liability), D&O (directors and officers) EPL (employment practices liability) and fiduciary insurance. They are complex and rapidly evolving, but offer unique coverages. They may also come with expert and comprehensive breach response help unlike any other form of insurance.
Share This Post