Cybersecurity is a complex undertaking, and many smaller organizations are unsure where to start. Even in organizations that do have the capability, there is often a communication gap between the technical or GRC (Governance, Risk and Compliance) functions and the rest of the business.
In October 2018, Ireland’s National Cyber Security Centre (NCSC) published a 12-step guide to cybersecurity. It was aimed at giving businesses a starting point for creating and implementing their own cybersecurity strategies.
The report lists 12 areas to address. It suggests that these should be looked at on a rolling 12-month cycle:
1. Implement Governance and Organization
Start by understanding the key business drivers and obtaining senior management support for a robust cybersecurity program. Then establish roles and responsibilities, agree on a strategy, develop policies and standards, and set up reporting.
2. Realize What Matters the Most
Map business objectives, products and services to the people, processes, technology and data infrastructure that support them, and rank them by criticality to your business. Include the ecosystem and supply chain you operate within: the third parties that supply you and those that you supply.
3. Analyze the Threats
Understand who might want to attack you, why, and how they might go about it. This lets you focus your defensive effort on the most likely threats rather than on every conceivable one.
4. Agree on Your Risk Appetite
Start to understand what the most likely cyberattacks could cost your business through simplified cyber risk quantification coupled with a cyber risk management framework. The framework should be a part of your overall operational risk management processes. This includes setting your risk appetite and reporting mechanisms to ensure you operate within it.
5. Concentrate on Education and Awareness
Establish an education and awareness program so that all your employees, contractors and third parties can recognize a cyberattack and understand their role in defending the business against threat actors.
6. Work on Basic Protections
Secure your business at the technology level by deploying basic protections: secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls and encryption. Establish a vulnerability management (VM) program that tracks each vulnerability from identification through to remediation, and an identity and access management (IAM) program that controls who can access your information. Cover data protection and privacy (both the technical controls and the compliance obligations), and manage the third parties that have access to or control of your data.
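The VM program described above is only useful if it turns scanner output into a prioritized, dated remediation queue, and that queue should be driven by the asset criticality ranking from step 2, not by CVSS alone. The following is an added example (not code from the NCSC guide or from this article) of that triage logic. The findings, asset tiers, scoring adjustments and SLA days are all constructed assumptions for illustration; a real program would take its inventory and SLAs from the step-2 mapping and the VM policy.

```python
from datetime import date, timedelta

# Asset criticality from the step-2 mapping (constructed; tier 1 = most critical).
ASSET_TIER = {"erp-db-01": 1, "web-01": 2, "dev-jump": 3}

# Remediation SLAs in days per priority: assumptions, set yours in the VM policy.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

# The constructed "today" the queue is built against, and a later review date.
TODAY = date(2024, 3, 1)
LATER = TODAY + timedelta(days=45)

# Constructed scanner findings in a generic shape (not any vendor's format).
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "cvss": 9.8, "exploited": True, "exposed": True, "status": "open"},
    {"id": "F-2", "asset": "erp-db-01", "cvss": 7.5, "exploited": False, "exposed": False, "status": "open"},
    {"id": "F-3", "asset": "dev-jump", "cvss": 9.1, "exploited": False, "exposed": False, "status": "open"},
    {"id": "F-4", "asset": "erp-db-01", "cvss": 4.3, "exploited": False, "exposed": False, "status": "open"},
    {"id": "F-5", "asset": "unknown-host", "cvss": 8.0, "exploited": False, "exposed": False, "status": "open"},
]


def priority(finding, tier):
    """Priority is CVSS adjusted for exploitation, exposure and asset criticality."""
    score = finding["cvss"]
    if finding["exploited"]:
        score += 2.0          # known exploited: act now regardless of base score
    if finding["exposed"]:
        score += 1.0          # reachable from the internet
    score -= tier - 1         # tier 1 keeps full score; tier 3 loses two points
    if score >= 9.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    return "P3"


def triage(findings, asset_tier, today):
    """Build the remediation queue; assets missing from the inventory are flagged."""
    queue, unmapped = [], []
    for f in findings:
        tier = asset_tier.get(f["asset"])
        if tier is None:
            unmapped.append(f["id"])
            tier = 1          # unclassified assets count as critical until step 2 catches up
        p = priority(f, tier)
        queue.append({**f, "priority": p, "due": today + timedelta(days=SLA_DAYS[p])})
    queue.sort(key=lambda q: (q["priority"], -q["cvss"]))
    return queue, unmapped


def overdue(queue, today):
    """IDs still open past their SLA date: the 'to remediation' half of the loop."""
    return [q["id"] for q in queue if q["status"] != "remediated" and today > q["due"]]


if __name__ == "__main__":
    queue, unmapped = triage(FINDINGS, ASSET_TIER, TODAY)
    for q in queue:
        print(f"{q['priority']} {q['id']:<4} {q['asset']:<12} cvss={q['cvss']} due={q['due']}")
    print("not in asset inventory:", unmapped)
    print("overdue at", LATER, ":", overdue(queue, LATER))
```

Two things the output makes visible that the paragraph alone does not: a CVSS 9.1 finding on a tier-3 development host lands in P2 behind a CVSS 9.8 finding on an exposed, actively exploited web server, and a finding on a host that step 2 never classified is surfaced as an inventory gap rather than silently scored.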
7. Detect an Attack
Establish a security monitoring capability that can detect an attack by watching activity at various levels within your business. Depending on your industry and available resources, this can range from a basic system, where an alert is generated and emailed when suspicious activity is detected on a firewall, to a 24/7/365 security operations center monitoring networks, operating systems, applications and end users.
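The "basic system" end of that range is worth seeing in code, because the hard part is not emailing an alert but deciding when a firewall drop is suspicious rather than noise. The following is an added example (not code from the NCSC guide or from this article) that parses constructed iptables-style DROP lines, applies two simple rules over a sliding 60-second window per source address (many distinct destination ports, or many drops against one host and port), and builds the alert text the basic system would email. The log lines, the regex for their format and the thresholds are all assumptions for illustration; sending the email is left out so the logic runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One DROP line in the style of iptables' LOG target; the regex is an
# assumption about that format and simply skips lines it does not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# Detection thresholds: assumptions for this example, tune to your traffic.
WINDOW = timedelta(seconds=60)   # sliding window per source address
SCAN_PORTS = 10                  # distinct destination ports => port scan
REPEAT_HITS = 5                  # drops against one host:port => repeated blocks


def _line(sec, src, dst, dpt, proto="TCP"):
    """Build one constructed log line at 10:00:<sec> on 2024-03-01."""
    return (f"2024-03-01T10:00:{sec:02d} fw kernel: DROP IN=eth0 OUT= "
            f"SRC={src} DST={dst} PROTO={proto} DPT={dpt}")


# Constructed sample log (not real traffic): a scanner walking 12 ports,
# a source hammering RDP, one benign drop and one unrelated line to ignore.
SAMPLE_LOG = (
    [_line(s, "203.0.113.7", "192.0.2.10", 20 + s) for s in range(12)]
    + [_line(30 + s, "198.51.100.5", "192.0.2.20", 3389) for s in range(6)]
    + [_line(45, "192.0.2.55", "192.0.2.10", 443),
       "2024-03-01T10:00:50 fw sshd[1234]: Accepted publickey for admin"]
)


def parse(lines):
    """Turn raw lines into time-sorted event dicts, skipping what we cannot read."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts; at most one per (source, rule) so a scan is not 500 emails."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fired = set()
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1                      # slide the window forward
            window = evs[start:end + 1]
            ports = {e["dpt"] for e in window}
            if "port_scan" not in fired and len(ports) >= SCAN_PORTS:
                alerts.append({"rule": "port_scan", "src": src,
                               "first": window[0]["ts"], "ports": sorted(ports)})
                fired.add("port_scan")
            hits = defaultdict(int)
            for e in window:
                hits[(e["dst"], e["dpt"])] += 1
            target, n = max(hits.items(), key=lambda kv: kv[1])
            if "repeated_blocks" not in fired and n >= REPEAT_HITS:
                alerts.append({"rule": "repeated_blocks", "src": src,
                               "first": window[0]["ts"], "target": target, "count": n})
                fired.add("repeated_blocks")
    return alerts


def format_alert(a):
    """The email body the basic system would send (delivery itself is out of scope)."""
    detail = (f"{len(a['ports'])} distinct ports" if a["rule"] == "port_scan"
              else f"{a['count']} drops to {a['target'][0]}:{a['target'][1]}")
    return f"[FW ALERT] {a['rule']} from {a['src']} starting {a['first'].isoformat()}: {detail}"


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(format_alert(alert))
```

The single drop from 192.0.2.55 and the unrelated sshd line produce nothing, which is the point: a system that emails on every drop trains people to delete the emails. The one-alert-per-source-per-rule guard matters for the same reason. Moving up the range described above means adding more sources (host logs, application logs, identity events) and correlating across them, not changing this basic shape.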
8. Stay Ready to React
Establish a formal cyber incident management team that has been trained in, and follows, a documented incident response plan. Test the plan at least once a year.
9. Implement a Risk-Based Approach to Resilience
Establish recovery plans (including comprehensive backups) for all processes and supporting technologies in line with their criticality to the survival of the business.
10. Prepare Additional Automated Protections
Start to upgrade existing capabilities (e.g. automate VM and IAM processes using specialist technology). Additionally, implement complementary capabilities/technologies such as intrusion prevention systems (IPS), intrusion detection systems (IDS), web application firewalls (WAF), and data loss prevention (DLP) systems.
11. Challenge and Test Frequently
Carry out a cyber incident simulation exercise to test your executive management's ability to manage the response to a significant cyberattack. Carry out an initial red team exercise (essentially a planned attack carried out by ethical hackers) to test your technical ability to detect and respond to sophisticated attacks.
12. Make a Cyber Risk Management Lifecycle
Reflect on all areas of your cyber risk management program. Identify areas for ongoing improvement, repeat risk assessments on a regular basis, and review compliance with relevant regulations.