Cybersecurity strategy: what are the key aspects to consider?


Cybersecurity is not something to be evaluated once or reserved for high-risk business areas. Today, with digitalization and data-centricity, we need a real, continuously updated cybersecurity strategy: initial planning plus constant monitoring to make sure we are properly defending our business value. Here are the aspects to consider when structuring a cybersecurity strategy.

What are the goals of a cybersecurity strategy?

When we ask our employees to comply with cybersecurity regulations and procedures, we cannot limit ourselves to training them or asking them to perform a few data protection tasks. We must involve them, get them to share the vision, and make sure they fully understand why the required compliance matters. This is true in every context, but especially when we introduce a change that does not seem strictly necessary for carrying out their usual activities.

Let me explain. If I ask an employee to fill out an authorization form before connecting a new device, even a personal one, to the corporate network, I am adding to his or her normal work something that is not strictly functional for that task. Whether or not the employee requests authorization from the IT department, the device will still connect to the network and can still do whatever that device is used for. Moreover, if the employee does not know the risks of unsecured connections, he or she will consider the authorization request unnecessary and may skip it, if only for lack of time. Yet we know that a device connected without proper care is a gateway to the data on the corporate network. This threat is known as Shadow IoT.

1. Spreading the culture of corporate safety

This is where the first goal of a cybersecurity strategy becomes critical: spreading a culture of corporate security. If we share the risks and the motivations with our employees, we are not imposing anything on them; at the same time, we make sure they are clear about the actions needed to secure data processing and protect information systems. Understanding the motivations helps people remember the actions and raises their level of attention. Information security officers will need to involve not only operational staff but also managers and stakeholders.

Workflows today are increasingly interconnected: information circulates through information systems shared with customers, suppliers, and partners. We cannot secure only our internal systems and then accept the risk of being attacked while exchanging information with the outside world. Sharing the cybersecurity strategy with the internal and external stakeholders we collaborate with is therefore instrumental in creating a truly global security ecosystem.

2. Protecting resources and data

Also part of the strategy is the planning of specific protection actions for the activities performed by staff and for the data circulating internally and externally. We will see later what the analysis of the data and activities to be protected consists of. For now, it is enough to know that it is a process that must be done upstream and, above all, across the board, since access gaps and risks can lurk anywhere.

For greater protection, employees need to know how to recognize the most common threats, especially those that creep into simple, routine activities such as email management. One attack that arrives through mail servers is Business Email Compromise (BEC). We may receive an email in our inbox whose header shows a colleague or boss as the sender and which looks, in every respect, like an internal request. Too bad, however, that the links in the message lead to a fake site. The risks in this case range from extortion of money to the opening of a gateway to corporate data.
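The BEC pattern described above (an employee's name in the From header, a sender outside the company, and a link that leads off the corporate domain) can be turned into simple mail-gateway checks. The following is an added example, not code from the article; the corporate domain, the employee names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumptions, not from the article: the company's own mail domain
# and the names of employees an impersonator is likely to borrow.
CORPORATE_DOMAIN = "example.com"
EMPLOYEE_NAMES = {"maria rossi", "giulio bianchi"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_corporate_host(host: str) -> bool:
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)

def text_body(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def bec_indicators(raw_message: str) -> list:
    """Return the BEC warning signs found in one message (empty list if none)."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    findings = []
    # 1. A known employee's name on a message that did not come from our domain.
    if name.strip().lower() in EMPLOYEE_NAMES and not is_corporate_host(domain_of(sender)):
        findings.append(f"name '{name}' used from external domain {domain_of(sender)}")
    # 2. Replies silently redirected to a mailbox other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From")
    # 3. An "internal" request whose links lead outside the corporate domain.
    for url in URL_RE.findall(text_body(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_corporate_host(host):
            findings.append(f"link to external host {host}")
    return findings

# Constructed sample: an external sender borrowing an employee's name, a
# diverted Reply-To, and a "confirm here" link pointing at a look-alike site.
SUSPECT = """\
From: Maria Rossi <maria.rossi@example.net>
Reply-To: accounts@example.org
Subject: Urgent: update the supplier bank details today

Confirm the new details here: https://portal.example.net/login
"""
```

Each finding is a reason to quarantine or flag the message for the recipient; a message from the corporate domain with only intranet links produces an empty list.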

After a careful risk analysis, we also need an assessment of the security expertise available in the company. External consultants can support us at first, but day to day we need people who deal with information security on an ongoing basis.

3. Ensuring continuous coverage over time

Another strategic goal of cybersecurity is precisely to ensure that monitoring becomes a constant, ongoing activity rather than a reaction to a problem once it has arisen. Cybersecurity is a constantly evolving field because threats evolve and attacks become more insidious. Working proactively, not just reactively, is, as we will soon see, the most effective strategy against cybercriminals.

Digitalization and the centrality of data have made it essential to plan a cybersecurity strategy: preventing a cyber attack is better than curing it.

Proactive and reactive cybersecurity strategies

Planning proactive strategies means protecting your company upstream, before an attack happens. A preventive approach gives us a way to plan appropriate responses to the risks we face.

But what tools do we have to plan such strategies? Two in particular: the Cyber Risk Assessment, the document that maps the risks and vulnerabilities of an information system as part of the proactive strategy, and the Cyber Emergency Response Plan, which defines in advance the actions to be taken in the event of a cybersecurity breach and belongs to the reactive phase.

In fact, before defining the objectives of an information security strategy, a risk assessment to identify and avert possible threats is useful. Based on the results of this analysis we can also assess the company's maturity regarding information security and whether experts need to be involved, either hired or engaged as external consultants. In addition, the design of identity and access management protocols might be needed.

Picking up on the initial example: whenever employees find themselves connecting a device to the corporate network, if they know there is a process to follow, they will adhere to the protocol. In this way they protect the data accessible from that network and dramatically reduce the risk of Shadow IoT.

We then move on to the tools that allow us to implement reactive strategies against a cyber attack aimed at our company. In this case we talk about the Cyber Emergency Response Plan, a strategy that guides the company in dealing with threats or attacks already under way. The most important variable at this stage is time: quick and decisive action drastically reduces the effects of a cyber attack. It is therefore important to draw up an attack response plan with procedures to follow.

Useful tools and skills for protecting data and resources

Having identified the experts involved and the data to be protected, it will be necessary to plan activities and tools that allow each person to make as few mistakes as possible.

First, for example, it will be useful to activate backup systems that periodically and automatically save data from specific areas defined as sensitive or high-risk. Strategically, a recovery plan will also need to be in place in case of damage to systems (disaster recovery). We can anticipate possible threats and draw up a plan of preventive actions, but we will never achieve 100 percent risk coverage. Therefore, when we run services whose interruption would harm us and our customers, it is essential to provide an alternative plan that ensures continuity of service while fighting cyber threats such as attacks aimed at preventing access to a system, for example Distributed Denial of Service (DDoS), or data breaches.

At this point in the strategy, we must not forget the constant updating of the entire information security system. The risk is to let our guard down when the implementation appears to have been done correctly, the staff have been trained, the cybersecurity procedures have been learned, and the security system seems to run almost automatically. Instead, constantly updating software and the related cybersecurity procedures is as important as, if not more important than, the previous activities. Threats evolve rapidly, and outdated systems are in danger of no longer doing their job properly.

Local and contractual regulations with which you must comply

Security also comes through the standards and guidelines issued by local governments, with which one must necessarily comply. Whether they are certifications, regulations, or local standards, it is important to consider them already at the strategic stage. European Regulation 679/2016, the GDPR (General Data Protection Regulation), for example, lays down rules for the processing of the personal data of individuals in the European Union with which one must comply.

In addition, the European Commission and the European External Action Service (EEAS) regularly draft new cybersecurity strategies that aim to strengthen Europe’s resilience to ensure reliable and trustworthy digital services and tools for citizens and businesses.

Another aspect that needs to be properly evaluated during the strategic definition process is the contracts with any external vendors regarding data processing, because each state has its own regulations and certifications in this area.

Final evaluation of the strategy

Especially after the first year, it is essential to carefully evaluate the implemented strategy. Like updating the software, updating the strategic lines has an immediate impact on the efficiency of activities and on the reduction of risk.

In subsequent years, comparing the work performed with past work will highlight the critical points, in terms of cybersecurity, of the installed software and of the strategies adopted to deal with threats. Many algorithms will have to be rewritten once the Cyber Risk Assessment shows them to be flawed. The results of this analysis will be used to define new cybersecurity plans, new policies, and most importantly, new guidelines and procedures.
