“There is no one category that will create and maintain a healthy cybersecurity program.”
As we have seen in recent years, data breaches continue to grow both in the range of industries affected and in the scale of the attacks. This has required companies to add layers of protection to their cyber risk programs. To do this, it’s important to have good overall coverage across your people, processes, and technology.
“People” focuses on what companies do to increase security awareness via short-length, high-frequency training on various types of threats—and the things to watch out for in order to protect the company. Security training requirements are becoming more specialized based on employees’ functions. I see the growing need to train for secure coding practices. Training at the business level for business email compromise focusing on wire transfers is also important.
Use security tips to communicate lurking threats. Include what can affect employees while on the company’s networks and what can affect them on their Bring Your Own Device (BYOD) or home computer. A data breach that affects an employee’s personal assets can also affect the employee’s work productivity.
Processes include the company’s incident response, security oversight, IT controls, and policies/procedures. The incident response plan defines the critical response team that will work on the issues found when an incident occurs. This includes both internal and external communications/responsibilities.
It is important to have cyber scenarios in the company’s business continuity/disaster recovery plan that leverage the incident response plan and provide practice via tabletop exercises to ensure a full understanding of the process. Some type of security oversight is required to ensure the security program is aligned to mitigate the appropriate level of risk in the company. Having business and technology representation on this committee helps ensure there is a balance between security and ease-of-use.
Additionally, a healthy IT control structure helps ensure IT systems and services have protections built into the process. Have IT review the process periodically to discover issues and update the control structure to continuously improve the process.
Policies define what employees need to do, and procedures define how these will be accomplished. This includes passwords, acceptable use, system patching, vulnerability management, and change management, but also the growing need to assess third-party software and service providers (third-party vendors). Third-party vendors are a growing area of risk, as companies can’t assume that everyone protects company data with the same level of fervor.
Ensure your third-party vendors have some type of process to assess their own third-party vendors’ level of risk. There are some nice security scorecarding solutions maturing that use externally accessible information to dynamically assess a company’s security risk. Use these to supplement the baseline set by a security checklist.
Companies can assess all of their third-party vendors by using a checklist that requires vendors to:
- Do background checks for all employees and contractors prior to hiring
- Have a cybersecurity policy that describes how they will identify and manage cybersecurity risks
- Notify their clients of a data breach
- Have cyber liability coverage
- Use a process to assess the security risk of all their vendors
- Have a data destruction process for paper and electronic assets—including subsequent hardware
- Have an offline backup process for electronic data
- Use a process to obtain, test, and automatically deploy security patches in a timely manner
- Grant access to physical and logical devices only based on a valid business need
- Practice strong authentication mechanisms to manage user identities and access to assets
- Limit the use and management of administrative privileges
- Utilize security tools like firewalls, antivirus, spam filtering, intrusion detection, workstation encryption, and mobile encryption
Technology includes the company’s perimeter security, internal security, and monitoring/correlation services. Perimeter security includes firewalls, remote access services, virtual private networks (VPN), spam filtering, and internet demilitarized zones (DMZ). These usually account for multiple layers of perimeter security that not only try to prevent the “bad guys” from getting in—but also try to prevent the data from getting out (outbound traffic, commonly called egress).
Internal security includes file blocking/Uniform Resource Locator (URL) defense, sandboxing, anti-virus, advanced threat detection, intrusion detection/prevention (IDS, IPS) systems, offline backups, and the least-privilege approach to user account permissions. These solutions work together to provide multiple layers of security that prevent an intrusion from occurring, or from spreading if one does occur.
It’s critical to have 24/7 monitoring services that analyze the company’s critical assets in real time—escalating any evidence of infiltration so the company’s security and IT teams can mitigate the issue.
As you can see, there is no one category that will create and maintain a healthy cybersecurity program. It takes everyone in the company working together to mitigate risks—balancing the level of risk the company is willing to accept with the effect on ease-of-use and employee productivity. The threats are continually moving targets, so an adaptable approach to security, built on a strong foundation, is critical to managing cyber risk.
Michael joined ProAssurance as Group Technology Officer in 2013. In January 2014 he became CTO of ProAssurance, a predominantly healthcare liability insurance group committed to treating all fairly. Prior to ProAssurance, Michael spent much of his career in financial services. He was CTO for SunGard Asset Management, a technology provider for global financial institutions. Michael’s diverse experience includes Fiserv, EPL, Macromedia, Ernst & Young, Fidelity Investments, and Electronic Data Systems.