Cybersecurity Awareness Month. Time for a reality check
October is National Cybersecurity Awareness Month. Throughout the month, extra focus will be given to the importance of cybersecurity, from garden-variety phishing to corporate data breaches that impact millions.
At LockPath, we’re all for prevention. In fact, if you’re looking for tips and resources for National Cybersecurity Awareness Month, Homeland Security’s Stop.Think.Connect Toolkit offers best practices for creating a password, guarding against malware, using public Wi-Fi, and more.
While most of the focus of National Cybersecurity Awareness Month is on what you personally can do to prevent hacking and other nefarious online activities, it’s our view that business needs a different approach. Why? If the preceding nine months of 2017 have taught us anything, it’s that all the prevention in the world won’t prevent cyber attacks and data breaches from happening. For most organizations, it’s not a question of if but rather when an incident will occur.
Our goal here is to raise awareness of what companies can do to prevent future cyber attacks and data breaches. Here’s our four-point strategy:
- Develop incident response plans
Cyber attacks and data breaches are classified as incidents. Manage incidents like an investigator at the scene of a crime. Gather evidence and record details at the scene. Conduct an investigation and produce a report. Ultimately, a corrective action plan is implemented to ensure the incident doesn’t happen again.
Does your company have an incident response plan? Watch this webinar on the six steps to a best-practices incident response program and lessons from high-profile data breaches.
- Create a business continuity plan
A cyber attack or data breach is a threat to the entire organization. It could mean an interruption to your network and operations, loss of revenue, damage to the brand, or defection of customers.
A business continuity plan is a strategy enabling a business to respond to accidents, disasters, emergencies and/or threats without any stoppage or hindrance to its key operations. Plans factor in probability, impact, policy standards, compliance requirements, and more. More than anything, a business continuity plan outlines how your company will resume operations with timelines for assets and resources.
Here are five key takeaways from a best practice approach to business continuity planning.
- Self-regulate cybersecurity
The first-in-the-nation cybersecurity regulation was the Cybersecurity Requirements for Financial Services Companies for New York institutions, which went into effect last March. The Department of Treasury, the Federal Reserve System, and the Federal Deposit Insurance Corporation have all proposed regulations similar to New York’s cybersecurity regulation.
While the financial industry is leading the way with cybersecurity regulation, it’s only a matter of time before such regulation comes to your industry. Until then, why not self-regulate? Check your cybersecurity program against common regulatory requirements like establishing cybersecurity policies, adopting the duties and responsibilities of a chief information security officer, and creating assessments for vulnerabilities. It would give your compliance department a jumpstart for when cybersecurity regulation arrives.
- Review policies and procedures
You can have procedures for incident response and plans for business continuity. You can take steps toward regulatory compliance. But given that many data breaches and cyber attacks can be traced to human error or a breakdown in systems, it pays to review your company policies and procedures with your staff.
Consider the case of Target’s infamous breach where hackers stole 70 million customer records. Target received early warning alerts that were missed or failed to be processed in time. It calls into question the procedures for managing threats and escalation. Lesson: don’t wait for an incident to review policies and procedures.
October is full of surprises, from politics to the stock market to kids in costumes at the front door. National Cybersecurity Awareness Month is focused on raising awareness of the need for cybersecurity to help prevent surprises in personal computing.
Business, on the other hand, would benefit from a reality check. Cyber attacks and data breaches are going to happen. Preventing them requires shifting how you respond and prepare. It calls for developing incident response plans, creating a business continuity plan, comparing your program against regulatory requirements and reviewing policies and procedures. Whether you realize it or not, cybersecurity is a business imperative in our global, digital world.