Risks to the health and welfare of your business continue to span an ever-expanding threat spectrum. A comprehensive, reasonable plan, based on the actual threats to your business and operating environment, and implemented in a highly coordinated way, is perhaps the single most effective approach to cyber-resilience.
Now, let’s explore the basic structure of what such a coordinated plan looks like.
ESTABLISH A BASELINE
If you are a small to medium-sized business, solo-preneur, or entrepreneur in today’s security environment, below are three questions that you must ask yourself:
What are my current security capabilities?
Based on threats to my business and industry, what is my security posture relative to where I need to be?
What steps are required of me to get there?
After you have asked, answered and properly documented your responses to these questions, the real work begins.
In general, most businesses strive to protect five things: reputation, operations, bottom line, customers, and personnel. Designing a cybersecurity plan that protects these five things requires a continuous, coordinated effort built on a strong foundation.
You can start by answering these four key questions about what you actually have:
An inventory of all your business assets
The security infrastructure you have (in-house or off-premises)
The applications and APIs you use (custom-built or third-party)
Cloud services and extensions that integrate with these applications
The inventory that results from these four questions alone will set you on the right track; you cannot protect, monitor, or recover what you do not know you have.
STICK TO THE FUNDAMENTALS
Once you’re aware of the state of things, you’ll need to build your cybersecurity plan on these three bedrock security principles. They guide and inform critical functions at key points within your plan and work to ensure business service availability, recovery, and insight.
Principle of Separation: whether you work from home, on the go, or at the office, there needs to be some level of separation between business and personal activities. This may involve segmenting your network into business and personal segments. Segmentation only helps if traffic between segments is denied by default and every exception is explicit. Another often overlooked step is the proper configuration of the tools that enforce this policy (firewalls, intrusion detection/prevention systems) and of the tools that tell you whether it is working (a SIEM collecting their logs).
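As an added illustration of the Separation principle (this is example code, not part of the original article), the following Python models a default-deny policy between a business, a personal, and an IoT segment, evaluates sample flows against it, and renders the equivalent nftables forward chain. The segment names, interfaces, subnets, and the single allow rule are assumptions chosen for the example.

```python
"""Added example: default-deny inter-segment policy for a small office.
Segment names, interfaces, subnets and the allow list are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example segments: name -> (bridge interface, subnet)
SEGMENTS = {
    "business": ("br-biz", ip_network("10.10.0.0/24")),
    "personal": ("br-home", ip_network("10.20.0.0/24")),
    "iot": ("br-iot", ip_network("10.30.0.0/24")),
}


@dataclass(frozen=True)
class Allow:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    port: int


# Explicit exceptions to the default deny. Business may print (IPP, tcp/631)
# into the IoT segment; nothing may initiate a connection *into* business.
ALLOW_LIST = [
    Allow("business", "iot", "tcp", 631),
]


def segment_of(ip):
    """Map an address to its segment name, or None if it is in no segment."""
    addr = ip_address(ip)
    for name, (_, net) in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Decide whether a NEW flow from src to dst is permitted.

    Same-segment traffic is not forwarded through the firewall, so it is
    allowed here; cross-segment traffic needs an explicit Allow entry.
    Addresses outside every known segment fail closed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(a.src == src and a.dst == dst and a.proto == proto and a.port == port
               for a in ALLOW_LIST)


def render_nftables():
    """Render the policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for a in ALLOW_LIST:
        sif, snet = SEGMENTS[a.src]
        dif, dnet = SEGMENTS[a.dst]
        lines.append(
            f'    iifname "{sif}" oifname "{dif}" ip saddr {snet} ip daddr {dnet} '
            f"{a.proto} dport {a.port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit(flows):
    """Return the flows the policy would block; a quick check that the
    business segment really is separated from personal and IoT devices."""
    return [f for f in flows if not is_allowed(*f)]


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, port)
    sample = [
        ("10.20.0.15", "10.10.0.5", "tcp", 445),  # personal laptop -> business file share
        ("10.10.0.5", "10.30.0.9", "tcp", 631),   # business workstation -> printer
        ("10.30.0.9", "10.10.0.5", "tcp", 22),    # IoT device -> business SSH
        ("10.10.0.5", "10.10.0.7", "tcp", 3389),  # within business
    ]
    for flow in audit(sample):
        print("BLOCKED", flow)
    print(render_nftables())
```

The point of the `audit` step is the check a practitioner wants after wiring up the segments: feed in the flows you expect to be blocked (a home laptop reaching a business file share, a smart device reaching a business host) and confirm the policy, not just the diagram, denies them.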
Principle of Designation: designate which person or group of personnel (and which devices) is authorized to perform certain critical tasks. Mapping out your operation, the flow of your data, and its collection and storage points will give you greater insight into who or what is designated as “need to know”, and into who currently has access that they do not need.
Principle of Isolation: where you house the device (cellphone, laptop, tablet, workstation, or server) that contains sensitive information matters just as much as the other technical protections you implement. Likewise, how you conduct yourself, and the environment you are in, when discussing, sharing, or working with personally identifiable information (PII) or protected health information (PHI) matters greatly. Communications and operations security go hand in hand with any and all technical solutions; how well, and to what extent, they are applied largely determines business failure or success.
SET THE RIGHT EXPECTATIONS
Let’s face it: even when you’ve established a solid baseline, stuck to the fundamentals and implemented the latest technical solutions, if your team isn’t in sync and all in, then it’s lights out.
One of the hardest and most consequential undertakings businesses of all sizes are faced with is to get everyone on board. Failure to do this will breed personnel, coordination, and security challenges. The goal is to have one team executing different parts of the same solution. Depending on the size and complexity of your business, this means front-line workers, IT staff, developers, managers, executives and the board all pulling in the same direction. The key here is to establish clear and simple expectations, so here are a few:
Once a process has been established, do not circumvent it.
Avoid making changes that have not been tested.
Avoid ad-hoc methods and/or solutions.
Educate yourself on hidden complexities – i.e. cloud solutions and/or hybrid systems.
Deviate from a planned process only as a last resort, and document the deviation when you do.
This cybersecurity plan outline will at the very least ensure that your business (no matter the size) is on the road to attaining cyber-resilience.