Do you know what questions to ask?
The purpose of this article is to prepare you to say “yes” when you’re finished exploring these major building blocks of an effective cybersecurity program.
It’s targeted to basic, intermediate, and advanced IT buyers because even the most advanced among us can overlook some of the basics.
Each section is cued up with a question to help you determine where you stand so you can prioritize and take incremental steps to protect your digital assets.
Don’t worry about ripping and replacing all of your infrastructure. Cybersecurity is first and foremost a mindset.
1 - Is company leadership driving the security conversation?
Cybersecurity is a top-down initiative that requires evangelization from your C-Suite to everyone else in your organization.
As the primary asset owners in the business, your executive team has a vested interest in protecting data because it represents digital cash.
Examples include intellectual property, custom software, client lists, and the business plan that four people making $150,000.00 per year have been collaborating on, two hours a day, for the past two weeks.
When you start to think of information as actual currency, security becomes less about mundane technology and more about a strategic business priority.
Maximizing the three basic pillars of security - confidentiality, integrity, and availability - is not something that should be relegated to that introverted guy who tinkers with servers in a cramped (and very cold) IT closet for eight hours a day and only emerges to reset passwords and manhandle the copier machine.
Unlike the asset owners in your enterprise, this individual is a data custodian and more likely to be fixated on refreshing hardware, software, and gadgets.
Be careful not to let your future hinge on one IT guy whom you just assume has everything covered. That’s seldom the case.
It’s important to build consensus across your management hierarchy. Bring a wider audience of stakeholders into the discussion in order to stay focused on the long game.
2 - Have we addressed all single points of failure?
Establishing a Technology Planning Committee (TPC) is a great way to begin your shift away from reliance on a single technology expert (potential black hole) to a broader coalition of influencers and collaborators.
In the process, you’ll set the stage for a business continuity journey that is reinforced across all functional areas of your business.
Members of the TPC don’t have to be technical. They just need a high-level understanding in order to analyze the business rationale for any proposed changes to your IT systems.
The goal is to set up a system to prevent anything with business impact and risk from slipping through the cracks.
TPC meetings should be conducted on a regular basis: monthly, quarterly, or more frequently if you’re technology-forward and growing rapidly.
Now that I’ve got you to consider setting up an official committee, let’s jump into some questions your team should ask.
3 - Can we assign a value to our current level of risk?
If you don’t have the documentation that allows you to answer this question, your risk is probably high.
The following exhibits are basic table stakes every modern enterprise should have on file:
- An Acceptable Use Policy
- A Network Diagram
- An IT Roadmap
- Technology Vendor Contracts and Contacts
- Hardware/Software Warranties and Renewals
- Service Invoices
- Project Invoices
You may not be required to follow any industry-specific cybersecurity frameworks. However, if you maintain solid documentation, it can be presented as evidence of due care in the event of a breach or a legal inquiry. This will lower your liability.
If you’re required to follow an established framework, a number of consulting firms, CPAs, and managed services providers can help you get compliant.
Companies that wish to take a more proactive approach (to invest in the future) but aren’t exactly sure where to start would be well served to consider the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
It’s comprehensive, widely accepted, and will certainly exert a positive influence on your operating efficiency.
Learn More: The NIST CSF Framework
A NIST engagement will help you assess your current state, create a baseline, and establish a formal commitment to continuous improvement.
4 - Is our IT designed to be user-friendly?
If you make it easy for your team to access applications, you will create a culture of cheerful conformity.
Three steps to start working versus five - who wouldn’t play along with a smile under these circumstances?
Navigating your infrastructure and network backend is way too much of a diversion for non-technical staff.
When employees can’t reach a centralized corporate file share, they are more likely to use their own applications to finish the job: Yahoo, Gmail, Dropbox, and Box.
Imagine your VP of Sales needs to leave a little early to pick up her kids and plans to finish up a few work details on the home computer.
She knows in advance that the VPN never works and decides to store her work in a personal Dropbox account.
She might even email the twenty-page proposal to her Yahoo account and download it to the C drive of her seven-year-old computer (with a home/office version of Windows XP).
I just described a practice known as Shadow IT, a term for the use of unapproved IT applications - compounded here by a very old, unsupported operating system with profound security flaws.
This opens the door for phishing, malware, and ransomware attacks. The same thing can happen on millions of compromised or malicious websites, which cyber crooks use to plant software that infiltrates your network.
Give your team what they need (including ongoing cybersecurity awareness training and testing), and they are less likely to stray, especially if they know the risks.
5 - Have we examined new technologies that capture the best of both worlds: cybersecurity + operating innovation?
I am going to geek out a little bit with some exciting developments that put a proverbial bow on every question I’ve explored so far.
(“Geek out” is used lightly since I am mostly concerned with better business outcomes rather than technical arcana.)
Identity & Access Management (IAM) is sometimes referred to as the new firewall. Traditional firewalls can be bypassed. Plus, people are known to make small mistakes that frequently render hardware and software security solutions ineffective.
Combining a Password Manager with Single Sign-On (SSO) and Multi-Factor Authentication (MFA) not only makes it easier for users to reach all of their applications in one place, it also better protects your enterprise assets.
With MFA, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password.
This scenario is Zero Trust Access in action.
According to CrowdStrike, “Zero Trust is a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validating security configuration and posture, before being granted or keeping access to applications and data.”
Learn More: Zero Trust Access
Microsoft Azure Active Directory (MAAD) makes it very easy for organizations to adopt IAM. And you don’t need to be all cloud to use it.
MAAD puts a secure digital fence around your applications, onsite and cloud infrastructure, and networks, including Microsoft 365.
Conditional access, dynamic permissions, storage, backup, and archiving, as well as easy integration with other complementary solutions, help ensure all of your data is protected.
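To make the conditional-access-plus-MFA idea concrete, here is an added example (not from the original article or from Microsoft’s own documentation) of an Azure AD / Microsoft Entra Conditional Access policy in the JSON shape the Microsoft Graph API uses: every user on every application must satisfy MFA, and the policy is first deployed in report-only mode. The excluded account id is a placeholder for an emergency-access (“break-glass”) account that you would create and keep outside the policy so a misconfiguration cannot lock out all administrators.

```json
{
  "displayName": "Require MFA for all users (report-only pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<object-id-of-break-glass-account>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

Review the sign-in logs for a couple of weeks to confirm which sessions the policy would have challenged or blocked, then change `state` to `"enabled"` to enforce it.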
And Microsoft 365 has specific services that are mapped to very specific pillars of the NIST CSF.
It’s like best-in-class technology met the perfect compliance blueprint on eHarmony.
Learn More: NIST CSF and M365
I hope I have given you a slightly different perspective on cybersecurity.
Perhaps you will start to formulate a few new questions about weak spots in your IT environment:
- Is it prioritized by risk and business impact?
- Does it need to be addressed immediately?
- Does it need to be addressed within 6-12 months?
- Can it wait 12-18 months?
If you have any additional questions, the ProviDyn team has decades of experience, and we look forward to guiding you.