Experts estimate that by 2019, companies worldwide will be on track to lose $2.1 trillion due to data breaches. If you haven't already taken steps to ensure your company is prepared for a cyber attack, that statistic should be a wake up call.
To better prepare your company for a cyber incident, we compiled cyber security best practices recently issued by the U.S. Department of Justice and asked our course expert from Intel Security, David Brezinski, to share how to implement them into your organization.
Already got hacked? Read this blog post for eight smart ways to handle a data breach in your organization.
1. Identify all of your mission critical data and assets and start making security measures to protect those assets.
Your organization needs to be accountable for its information assets and the best way to take accountability is to take appropriate actions to protect your critical systems.
The SANS top-20 critical controls can help your organization take the right steps relative to identifying, tracking, and maintaining your critical data and discovering previously unknown vulnerabilities that might be connected to your organization's network.
2. Adopt risk management practices and guidance directly from the experts.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) provides a great communication mechanism to help you bridge the gaps often found between business teams and IT/security.
One excellent resource for this is the test case Intel used which showcases how to drive and identify risk management priorities and investments for your organization.
3. Create an actionable incident response plan you can test with exercises and always keep that plan up-to-date.
Take a proactive (not reactive) approach to cyber security. It's imperative to perform due diligence to ensure you have a tested and repeatable incident response plan with clearly defined roles and responsibilities.
The NIST CSF can provide a baseline means to assess the current “as is” state of your organization. Then, you can define the desired state objectives which helps you measure progress toward a “to be” state that will include incident response and recovery procedures.
Putting forth the time and effort upfront to establish this BEFORE a major breach can help you potentially mitigate severe financial and brand reputational damage.
4. Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
Technology can include methods to perform data captures, forensics, malware analysis, legal hold, incident case tracking, etc.
Again, the NIST CSF and related controls standards such as NIST 800-53 R4 can be a great resource on the technology that can be best leveraged in an incident scenario.
But remember: there is no magic bullet when it comes to ensuring preparedness; every organization has specific vulnerabilities that will need to be addressed.
5. Have procedures in place that will permit lawful network monitoring.
Most organizations have state, federal, or international (locality) based rules and regulations to review and assess before implementing specific network monitoring capabilities.
There are also significant privacy concerns (especially prevalent in the European Union) that need to be evaluated and discussed. Chief Information and Security Officers and security organizations should work very closely with their privacy teams and legal advisors to understand the parameters of network monitoring.
In most cases, this is something that must be worked through in a broader organizational context as to what is acceptable. Further, employees or third-party users may need to be informed of such activities.
Once these discussions occur and key decisions are made relating to acceptable network monitoring and practices, procedures can then be defined, put in place, and communicated as required.
6. Have legal counsel that is familiar with legal issues associated with cyber incidents.
There are a multitude of professional forums and conferences specifically focused on bridging the legal and cyber incident realm. Here is a recent example of this.
If your organization and information assets (and data) fall under any regulatory scrutiny (e.g. PCI, HIPAA, SOX, etc.) it is critical that legal counsel is fully educated and aligned to information security and incident concerns along with their other duties.
A cohesive risk management program can be an excellent starting point for legal representation to make sure everyone in your organization is on the same page.
7. Align other policies (e.g., human resources and personnel policies) with your incident response plan.
Putting policies in place shows due diligence. The resources involved in supporting incident response activities must clearly understand the “do’s and don’ts” of handling sensitive data. This will protect against any actions that could lead to broader legal and regulatory issues.
Policies should be clearly defined and fully communicated to all individuals with regular reviews, training, and annual attestations and acknowledgement that they are understood and will be adhered to.
8. Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.
Information sharing and collaboration outside of your organization is important so you can gain insight into the ever-changing threat landscape.
You should also be aware of best practices for reputation damage control and seek legal advice on information security concerns. The retention of professional security firms such as Intel Security can be leveraged in the event of a significant breach.
The FBI has their Cyber Security Task Force which organizations can volunteer to participate in and obtain information on cyber attack trends and current threats. There are also similar groups in various industries such as finance/banking, critical infrastructure, technology, and other areas that can be useful for information and knowledge sharing.
In matters of information security, ignornance is not bliss. It's important to be aware of your organization's specific vulnerabilities and have processes in place so that any potential damage from a security breach is minimized.
Be proactive about cyber security so that when a breach does occur, you will be able to ensure that you took all necessary precautions to protect company information and customer data.
Click the link below to start your free Cyber Security training!
As an Enterprise Security Architect with Intel Security, David leverages his vast expertise in information security to help organizations around the globe maximize their investments, online security, and foster a business environment with robust risk mitigation capabilities.
David's insight along with over 25 years of experience in enterprise architecture planning, security, operations, monitoring, and optimization make him an essential authority in the information security sector.