Do your clients know who is responsible for cybersecurity in their company? Are they not sure where to begin to ensure their program is up to the test of a cyberattack? Or, perhaps a manager who isn’t directly responsible just wants to understand the risks. Cybersecurity can be complex and confusing, but there are some basic steps that can help your clients develop a more robust cybersecurity program.
Recommended actions for your clients may include:
1. Take a complete and accurate inventory of IT assets
Security of any type is concerned with protecting assets. In the case of cybersecurity, those are information assets. But how can your clients begin to protect those assets if they don’t know exactly what and where those assets are?
Having a complete inventory of their information assets is a great starting point for any cybersecurity program. Get a complete and accurate network diagram, and maintain a ledger of every device connected to that network, recording for each one its owner, its operating system and the applications it runs, with version numbers. Keep both current: an inventory that is not updated when devices are added, moved or retired soon becomes as misleading as having none.
2. Have a vulnerability management and patching program tied to an inventory of assets
Knowing where each network device resides is only half the battle. It is even more important to always know the vulnerability status of each device, so companies should run automated vulnerability scans of their entire network, scoped from the asset inventory so that no device is missed, at least monthly and preferably more frequently. Reviewing the scan reports, prioritising the findings and applying the recommended patches as quickly as possible is also key.
Unpatched vulnerabilities are what attackers look for in a network: exploiting one can give the attacker control of that device and a foothold on the network, from which they move on to other, more valuable assets.
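The two items above only work together if the scan results are reconciled against the inventory: devices the scanner never reached, hosts the scanner found that nobody recorded, and findings that have outlived their patch deadline are the three things a reviewer should look for first. The script below is an added example written for this article, not code from the original or from Zurich Insurance. The inventory ledger, the list of hosts the scan reached, the findings, the field names and the patch deadlines per severity are all constructed assumptions for illustration.

```python
"""Tie vulnerability-scan results back to the asset inventory.

Added example, not part of the original article. The inventory, the list of
hosts the scanner reached and the findings are constructed sample data; the
field names and the patch deadlines per severity are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patching deadlines, in days from first detection, by severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    os: str
    os_version: str
    owner: str


@dataclass(frozen=True)
class Finding:
    ip: str
    title: str
    severity: str
    first_seen: date


# Constructed inventory ledger (item 1 of the article).
INVENTORY = [
    Asset("10.0.1.10", "fileserver01", "Windows Server", "2019", "ops"),
    Asset("10.0.1.11", "web01", "Ubuntu", "22.04", "web-team"),
    Asset("10.0.1.12", "hr-laptop-07", "Windows", "11", "hr"),
    Asset("10.0.2.5", "printer-2f", "embedded firmware", "1.3", "facilities"),
]

# Constructed scanner output: every host the scan reached, plus its findings.
SCANNED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.3.44"}
FINDINGS = [
    Finding("10.0.1.10", "missing operating system security update", "critical", date(2024, 6, 1)),
    Finding("10.0.1.11", "outdated web server package", "high", date(2024, 6, 20)),
    Finding("10.0.1.12", "local administrator password never expires", "medium", date(2024, 2, 1)),
    Finding("10.0.3.44", "default credentials on management interface", "critical", date(2024, 6, 25)),
]
TODAY = date(2024, 6, 30)


def reconcile(inventory, scanned_hosts, findings, today):
    """Return coverage gaps and overdue findings, each tied to an inventory owner."""
    owner_by_ip = {a.ip: a.owner for a in inventory}
    inventory_ips = set(owner_by_ip)

    # Gap 1: inventoried devices the scan never reached (the printer here).
    unscanned = sorted(inventory_ips - scanned_hosts)
    # Gap 2: hosts the scanner found that nobody recorded in the ledger.
    unknown = sorted(scanned_hosts - inventory_ips)

    # Findings whose patch deadline has passed, most overdue first.
    overdue = []
    for f in findings:
        deadline = f.first_seen + timedelta(days=PATCH_SLA_DAYS[f.severity])
        if today > deadline:
            overdue.append({
                "ip": f.ip,
                "owner": owner_by_ip.get(f.ip, "unknown"),
                "title": f.title,
                "severity": f.severity,
                "days_overdue": (today - deadline).days,
            })
    overdue.sort(key=lambda r: (-r["days_overdue"], r["ip"]))
    return {"unscanned": unscanned, "unknown": unknown, "overdue": overdue}


if __name__ == "__main__":
    report = reconcile(INVENTORY, SCANNED_HOSTS, FINDINGS, TODAY)
    print("Inventoried but not scanned:", report["unscanned"])
    print("Scanned but not in inventory:", report["unknown"])
    for r in report["overdue"]:
        print(f"{r['ip']} ({r['owner']}): {r['severity']} '{r['title']}' "
              f"is {r['days_overdue']} days past its patch deadline")
```

On the sample data the printer at 10.0.2.5 shows up as inventoried but never scanned, 10.0.3.44 as a scanned host with no inventory entry (and therefore no owner to assign its finding to), and two findings as overdue. In practice the inventory and scanner exports would be read from files or an API rather than embedded, but the reconciliation logic is the same.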
3. Conduct an awareness and training program for all users
The users of a network – the employees, vendors, contractors and customers – can be its greatest vulnerability. As such, they are targeted by attackers through phishing and social engineering scams designed to get them to do something – reveal private information, transfer unauthorised funds or expose a password – that ultimately compromises the network.
Educate users – publish an “Acceptable Use Policy.” Train users on safe email and browsing practices and on how to recognise social engineering scams, and teach them how to create a complex password that is still easy to remember. Investing in user awareness costs little compared with other components of a cybersecurity program, but the return on investment can be substantial.
4. Continuously monitor information assets
Continuous security monitoring is recommended for your client’s network. Most, if not all, devices on the network can generate continuous log data recording activity on the device. By aggregating those logs in one place, correlating events across devices and querying the data, indicators of compromise can be turned into alerts to the network administrator or security officer, so that a threat is investigated and contained quickly.
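The value of aggregation is that a pattern invisible on any single device becomes visible across all of them. The script below is an added example written for this article, not code from the original or from Zurich Insurance. It parses syslog-style authentication lines collected from two hosts (constructed sample data, using documentation address ranges), orders them by time, counts failed logins per source address across every host, and raises an alert when a source that has exceeded the failure threshold inside the time window then logs in successfully. The line format, the threshold of five failures and the ten-minute window are assumptions.

```python
"""Correlate authentication events from several devices into one alert.

Added example, not part of the original article. The log lines are
constructed sample data in a syslog-like layout; the failure threshold and
the time window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed rule: a successful login from a source that produced at least this
# many failures, on any device, within the window is an indicator of compromise.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample: lines from two hosts, as they arrived at the collector
# (not in time order). 203.0.113.9 spreads a few guesses over each host, so
# neither host on its own sees more than three failures.
SAMPLE_LOG = """\
2024-06-30T07:30:00 web01 sshd: Failed password for admin from 203.0.113.9
2024-06-30T08:00:01 web01 sshd: Failed password for admin from 203.0.113.9
2024-06-30T08:00:05 web01 sshd: Failed password for root from 203.0.113.9
2024-06-30T08:00:09 web01 sshd: Failed password for admin from 203.0.113.9
2024-06-30T08:00:02 fileserver01 sshd: Failed password for admin from 203.0.113.9
2024-06-30T08:00:11 fileserver01 sshd: Failed password for backup from 203.0.113.9
2024-06-30T08:00:20 fileserver01 sshd: Accepted password for backup from 203.0.113.9
2024-06-30T08:05:00 web01 sshd: Failed password for alice from 198.51.100.7
2024-06-30T08:05:08 web01 sshd: Accepted password for alice from 198.51.100.7
2024-06-30T08:06:00 web01 cron: session opened for user root
"""


def parse_events(log_text):
    """Aggregate: parse the lines we understand and order them by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # lines from other daemons are not part of this rule
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Correlate: count failures per source across all hosts, alert on success."""
    recent_failures = defaultdict(deque)  # src -> (ts, user) within the window
    alerts = []
    for ev in parse_events(log_text):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have fallen out of the window
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
        elif len(q) >= threshold:
            alerts.append({
                "at": ev["ts"].isoformat(),
                "src": ev["src"],
                "host": ev["host"],
                "user": ev["user"],
                "failures": len(q),
                "users_tried": sorted({u for _, u in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['at']}: {a['src']} logged in as {a['user']} on {a['host']} "
              f"after {a['failures']} failures (accounts tried: {', '.join(a['users_tried'])})")
```

The 07:30 failure is deliberately outside the window and is discarded, and alice's single mistyped password does not trigger anything; only the source that guessed five times across both hosts and then got in as `backup` produces an alert. A real deployment would feed a collector or SIEM rather than a string, but the parse, order, correlate, alert sequence is what the paragraph above describes.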
5. Plan for incident response
Assume something will go wrong, no matter how good their cybersecurity program is.
An overall plan should define who takes the lead, who is on retainer for outside assistance (legal, forensic, law enforcement), and how internal and external communication is handled in responding to a cyber incident. Have a “playbook” for different scenarios: data breach, IoT intrusion, ransomware, etc. Once the plan and playbooks are in place, practice them, test them and fine-tune them.
Starting with the basics and building upon them goes a long way in helping to protect companies in case of a cyber event.
Original article posted by Zurich Insurance.
This guide is for information purposes and is based on sources we believe are reliable. The general risk management and insurance information is not intended to be taken as advice with respect to any individual circumstance and cannot be relied upon as such.