Your Cybersecurity Plan Needs These 3 Phases
Cyber crime is on the rise. It’s a frustrating reality that you shouldn’t have to waste time worrying about. But numerous studies show that more companies are being attacked and large enterprises aren’t the only targets. In fact, according to a study performed by IBM, sixty-two (62) percent of all cyberattacks are directed at small or midsize businesses.
It’s no longer safe to assume that your organization can fly under the radar. Today’s cyber criminals are not disorganized hackers. They are “in business” to build a pipeline of prospective victims and work those “accounts” thoroughly, with systematic discipline, until they succeed.
Good companies are getting stopped in their tracks and even failing. According to Sophos, the leading supplier of ransomware protection software, the average cost to recover from a ransomware attack reached $1.85 million in 2021 (more than double the average cost in 2020).
Why Cybercrime is Growing
If you’ve ever watched a crime drama, you’ve heard investigators discuss whether or not a suspect had the “means, motive, and opportunity” to commit the crime. Well, recent trends have created a perfect storm of means, motives, and opportunities that are fueling the rapid rise in cyber attacks:
- The Means: Just like all industries, cybercrime has matured. There are now R&D groups, suppliers, distributors, and even consultants. Individuals motivated to get into the business can easily acquire software and know-how from a thriving marketplace.
- The Motive: A key enabler of the marketplace mentioned above also fuels the motive for criminals. Cryptocurrencies facilitate anonymous transactions among parties, including the collection of ransom “income.” Cybercriminals can now more easily build wealth and keep it.
- The Opportunity: The digital footprint of any organization no longer exists neatly behind protective firewalls. Instead, critical data now resides in the cloud and on mobile devices, often accessed by users with weak passwords and insufficient security practices. From a cybercriminal’s perspective, there is an abundance of opportunity to inflict harm and capture profit.
How Cybersecurity Protection Tools Have Adapted
Luckily, the cybersecurity work pioneered by large companies has been adapted to a smaller scale. But the word is still just getting out that:
- The paradigm has shifted. Merely buying “firewall” software and hardware is no longer sufficient.
- Protection requires a holistic approach. People, process, technology: we like to refer to the importance of good cybersecurity “hygiene” as the way to be safer AND more resilient.
- A proven, step-by-step plan exists. In fact, a detailed cybersecurity implementation guide – tailored to small and midsize organizations – has been developed and made publicly available by the Center for Internet Security (CIS), an independent, non-profit organization.
While it requires cybersecurity knowledge and expertise to interpret and implement, this guide provides a clear path to follow. In our experience, this three-phase plan delivers benefits quickly while illuminating a long-term strategy for organizations that seek very high levels of protection.
We support CIS’s mission because it aligns with our own. We want to see companies thrive and pursue their goals, not get held back and dragged down by savage opportunists.
What You Need to Know About the CIS Implementation Guide for SMEs
We manage the IT of over 300 small and midsize enterprises (SMEs), including the planning and implementation of appropriate cybersecurity controls. Our focus on security has earned us recognition by CRN four years in a row as a leading managed service provider in the security category.
We don’t share that information to brag. We just want you to understand that our support for the CIS recommendations comes from real experience.
Here are a few insights from the guide to help you and your team understand your state of readiness without having to invest in a potentially expensive cybersecurity audit.
To get your process started, have your team consider these questions:
- Can we produce a list of computers and data in use?
- How would our firm fare if we lost access to all the computers and all the data in our building?
- What are we doing to teach our employees good cybersecurity practices?
- How often do we update our equipment?
- Do we have a written acceptable use plan/incident response plan/disaster recovery plan?
- What data do we have in the cloud?
- Who else has access to our data and what are they doing to secure it?
How to Up Your Cybersecurity Readiness
The answers to the questions above will tell you a lot about your readiness. Luckily, wherever your organization resides in its readiness journey, the three-phase implementation strategy detailed in the CIS Implementation Guide for SMEs is a sound way to go.
Phase 1: Know Your Environment
In helping our clients implement cybersecurity controls, we’ve found this phase to always be enlightening. It makes sense, right? In order to put protections in place, one first needs to have a complete understanding of what needs to be protected.
A partial list of what should be inventoried:
- Credit card, banking, and financial information
- Personally identifiable information (PII), such as Social Security numbers, health information, usernames and passwords, home addresses, birth dates, etc.
- Customer lists, product lists, pricing, etc.
- Company trade secrets, formulas, methodologies, models, etc.
- Applications used.
You can learn more about Phase 1: Know Your Environment in our post titled All Cybersecurity Plans Start With This Step.
Phase 2: Protect Your Assets
Awareness and insight about your environment will illuminate low-hanging-fruit opportunities to improve security, such as requiring strong passwords and establishing policies governing who may download new applications from the Internet and how.
The CIS Controls, and the SME implementation guide, provide detailed guidance for training employees, configuring systems, and leveraging software and practices to maintain security.
You can learn more about Phase 2: Protect Your Assets in our post titled IT Asset Protection and The CIS Controls v8.
Phase 3: Prepare Your Organization
As the saying goes, hope for the best, but prepare for the worst. All of your team’s hard work to prepare your defenses may ultimately fall short. Therefore, you’ll also want to plan your response to a cybersecurity incident.
Tackling this phase of cybersecurity implementation entails things like:
- Developing a rigorous data backup regimen.
- Identifying and training a staff member to serve as the lead in case of an incident.
- Assembling contact information for IT staff and/or third-party IT consultants, legal counsel, and insurance agents.
- Preparing a plan to notify any affected individuals, law enforcement and other stakeholders.
Of course, you have other responsibilities, like growing your business, taking care of your customers, and making sure your business is an inspiring place to work. We love enabling business leaders to do those things while worrying less about IT matters.
If your company’s cybersecurity is not where you want it to be, we can help. And it starts with a no-obligation-to-buy consultation.
You can learn more about Phase 3: Prepare Your Organization in our post titled Prepare Your Organization: The Essential Ingredient to Cybersecurity Success.
Next Steps
- Schedule a complimentary consultation with a cybersecurity expert.
- Review your customized plan.
- Focus on growing your business, not worrying about how to protect it.