While business processes and technology are important to cybersecurity risk management, Cybint Solutions reports that “95% of cybersecurity breaches are caused by human error.”[1] Once data is lost in a breach or ransomware attack, it may be difficult to recover if an organization is not prepared. This is why a strong cybersecurity culture is important: so organizations can protect their viability, assets and data.
Most importantly, only senior leadership within an organization can drive the cybersecurity culture. They provide the strategic planning and funding to ensure a proactive compliance and risk management program. Leaders also ensure that all business personnel (employees and contractors) are responsible for protecting assets and data, or reporting potential events and incidents.
In a joint report by the Center for Medicare and Medicaid Innovation and ISACA, “In organizations that have yet to establish an effective cyberculture, 58% cite a corresponding lack of a clear management plan or key performance indicators.”[2] Most surveyed in the report believe that their organization’s weak cybersecurity culture made them more vulnerable to cyber breaches, data loss, regulatory penalties, missed business opportunities and poor customer retention.
Prior to creating a cybersecurity strategic plan, organizations typically perform internal or third-party risk assessments, vulnerability testing, penetration tests and code reviews. All of these activities occur regularly, such as monthly scans and annual testing. A senior leader can define and establish the cybersecurity goals and objectives within an information security strategic plan based on these regular tests and assessments.
The primary objectives of the plan are to protect:
- Data confidentiality
- System and data integrity
- Availability
- Nonrepudiation
These are the pillars of strong cybersecurity. Make sure that only authorized personnel have access to data when needed, and that system and data integrity are structured and compliant with security requirements and controls. Use encryption and digital signatures to prove authorized access and receipt of information.
An effective plan includes all of the following:
- Executive Summary – Describe the comprehensive and risk-based approach to protect and support cybersecurity requirements.
- Introduction – Describe the plan’s roadmap to improving cybersecurity over the next three to five years.
- Overview – State the organization’s cybersecurity vision and mission.
- Strategic Goals – Goals are typically established after a third-party risk assessment, but an internal risk assessment can also serve this purpose. An example of a goal may be to decrease system vulnerabilities (such as misconfigurations and missing patches).
- Objectives – List and describe how you will know that you have achieved your cybersecurity goals. For example, patch 100% of systems every 30 days with automation, and perform scans and remediate vulnerability compliance issues monthly.
Your organization can have a strong cybersecurity culture when all leaders, managers and supervisors ensure that employees and contractors regularly receive security and privacy training, and comply with the policy, procedures and reporting practices. All personnel must know their daily cybersecurity roles and responsibilities to prevent and reduce the impact of real-world risks and threats.
The organization’s privileged users, such as administrators and application developers, also need additional training beyond the general security awareness training. These personnel must know how to identify and prevent risks and threats, and ask for assistance when needed. All privileged users need to know:
- What security requirements must they comply with for their roles and responsibilities (e.g., CIS, NIST, ISO, OWASP)?
- Where are the cybersecurity plans, policies, procedures and other relevant guidance located?
- Where can they find best practices for implementing security controls?
- Who are the subject matter experts within the organization?
- What is the process for making cybersecurity change management requests?
- What is the process for reporting a cybersecurity event or incident?
- How do they prepare and plan for information security from the beginning of a project’s design, so that security is implemented and maintained throughout the lifecycle?
No organization can be properly prepared without an incident response plan that is exercised annually. Paper, tabletop or simulated exercises are quite successful in finding issues when performed by the key response team players (leaders and contributors). Most importantly, corrective actions must be taken to fix any issues the exercise reveals in the plan, such as needed system and personnel changes.
It is possible to protect your organization from ransomware and other threats by having clean protected backups and procedures. A robust business continuity plan includes full and incremental data backups and testing. One key step is to have backups off network or off site. Additionally, regularly test backup restores. Some companies maintain 30 to 90 days of backups; many companies test the restores monthly or quarterly. Clean, available backups are key to recovering from ransomware and other forms of attacks.
The best way to counter phishing attacks is user training and testing. According to Proofpoint’s 2020 State of the Phish report, “88% of organizations faced spear phishing (attacks by name) in 2019.”[1] To motivate staff to take cybersecurity training seriously, use personnel cyber awards. This is an easy, low-cost information security win for an organization. Keep metrics on cybersecurity reporting — personnel may report system misconfigurations, gaps in coverage of new or legacy systems, process weaknesses, or other issues, vulnerabilities, events or incidents. Quarterly or annual rewards could be a word of acknowledgement from senior leadership, a printed certificate, a picture posted on the organization’s intranet, or some other token of appreciation (coffee mug, gift card, etc.).
Your organization’s people are your greatest asset. Teach them that everyone wins with a strong cybersecurity culture.
[1] Cybint, 15 Alarming Cyber Security Facts and Stats, https://www.cybintsolutions.com/cyber-security-facts-stats/
[2] ISACA and CMMI, 2018 Cybersecurity Culture Report, https://www.isaca.org/-/media/info/cybersecurity-culture-report/index.html