The Essentials of Cyber Security Planning


Cyber Security Planning Levels

This article discusses some of the levels of systems planning that almost any business needs for protection from security breaches. Planning should focus on these topics:

  • Identify – Who is accessing the network resources
  • Protect – How much access is given to each network resource
  • Detect – Systems that identify unexpected or unidentified access to the network
  • Respond – Once a breach is detected, how the company teams will respond
  • Recover – If there is loss after the breach, how will the company resolve the loss

These are basic planning steps that require management input. While IT teams do the technical work, planning each step will reduce financial costs, lost time, lost productivity and downtime after a potential breach.

As you read through the following, remember that planning should be driven by management rather than the technical teams. Note: It is always less expensive to plan and execute as much as possible before the disaster rather than after.

Here is a list to consider for cybersecurity planning:

  • Data Classification – types of sensitive information
      • Personnel
      • Owner / Partners / Shareholders
      • Business
      • Financial
      • Customer
      • Vendor
      • Other businesses inside the same firewall
  • Hardware Inventories
  • Software Inventory
  • Cloud Inventory
  • Naming Conventions/policy – Security users
  • Lockout policy
  • Encryption Inventory
      • Database
      • Server Drives
      • Laptops
      • Mobile Devices
      • Email in Transit
      • Other
  • Site access policies
  • Firewall descriptions (Small business vs Large business)
  • Patching policies (IT, Virtual, Cloud)
  • Anti-virus/malware/ransomware protection etc.
  • Disaster Recovery Plan
  • Support team Directory
  • Digital Forensics
  • Legal
  • Insurance
  • Incident Report Policy & process
  • Physical security – Define security policies

Threat Types

We often think only about external hackers in our planning.

Yet statistically...

External breach sources (Hackers) – 25% of all data breaches

Internal breach sources (Staff, vendors, etc.) – 75% of all data breaches

Most breaches are a result of someone who works inside the company. Resolving internal breaches is often best accomplished by policies created by the Human Resources (HR) department. Allowing HR to drive the solution, instead of the IT department, is 90% more successful than the IT department alone.

Passwords

Security planning must include password planning.

It turns out that,

80% of Data Breaches are due to stolen or weak Passwords

It is not just users who have this problem. You would be amazed at how poorly the Admin user account is protected by the IT department. There are too many recommendations to share in this short article. If this is an area of concern, contact me for help to determine password policies, including the Admin Passwords.

Note: Your teams should determine password policies based on the organization’s propensity for risk exposure.

IT Resource Ownership

Who owns your domain and website? This might seem a strange question. You would think a business owns everything, but have you checked? With the newest cloud resources, you might be surprised. We’ve seen angry IT vendors who, when fired by their clients, continue to own all digital cloud resources, including:

  • All Email systems
  • Online phone systems
  • Websites
  • Domain Names
  • Firewall systems
  • Hosted servers and resources
  • And more.

When your IT team sets up those resources, they often put their own names as the owner or administrator. In that case, the cloud vendor will consider the person who set up the system to be the owner. Changing ownership is simple when the vendor is happy but very painful when the vendor is unhappy. I have seen owners frustrated that, even years after paying the bill, they still did not own their mission-critical systems. It may not be discovered until the business is in the process of being sold, during due diligence. This is often when the owner learns they don’t own the domain name or the code to the website.

Summary

I would encourage anyone to learn as much as possible and spend some time working on the business by reducing risk and increasing the value and sustainability of the organization. Feel free to contact me if you have questions.
