Cracking Cybersecurity Consulting: How Do We Continuously Improve Our Cybersecurity Program?

Twelfth article in a 12-part series on “Cracking Cybersecurity Consulting”

After 11 articles in this cyber consulting process series, I’ve covered everything from vetting, contracting, engaging, and following up with your third-party vendors. Now, it’s time for your internal team to learn how to keep moving forward.

Having a single yearly risk assessment for compliance purposes isn’t going to improve your cybersecurity much. Changes come from having a top-down culture of cybersecurity and integrating it into every part of your business.

To continuously improve your cybersecurity program, focus on these big areas:

· Employee training: Human error is the biggest cause of cyber incidents. No matter how much money is spent on technical defenses and the latest EDR solution, employees still hold the keys to your most valuable assets with their authentication credentials. The best way to address the human error component is to implement dynamic training and education events centered on the latest threats. Without cyber awareness education, your employees are your greatest risk. Think outside the box when structuring training sessions:

  o Have a company pizza party and share examples of recent phishing attempts;

  o Send out content in employee newsletters; or

  o Put up posters in the restroom about phishing emails.

· Policies and procedures: No matter how focused your organization is on cybersecurity, you must have the rules in writing. When your company issues computers, phones, and other equipment to employees, there must be rules on how to use the equipment and safely control the risk each person has with their organization-owned devices. Spend time with your team and (if needed) outside experts to create an information security policy, access control policy, acceptable use policy, and a cyber incident response plan.

· Testing your plans: A plan or procedure is only as good as the paper it’s written on, particularly your Disaster Recovery (DR), Incident Response (IR), and Business Continuity (BC) plans. If you don’t test your plans, only a few people will know what to do (usually the authors of the plan), and the real response will likely not follow the plan as written. To thoroughly “test” a plan, run yearly tabletop or DR exercises to confirm the plan works as written. Talk through how the plan works, make sure everyone understands their roles and responsibilities, and look for ways to improve. This can be done internally or with an outside facilitator.

· Patches and updates: Your operating systems and tools are constantly being updated, so make sure your security team is continuously implementing the latest patches and updates. Make “Patch Tuesday” a new tradition and ensure everyone is following the new patching schedule.

· Continual scanning: Vulnerability scanning is everywhere now. Even your cyber insurance companies are using it to determine your level of risk. Keep up to date on potential vulnerabilities and fix them. Hackers always look for the most viable attack tree by initially scanning your system, so get ahead of them and continually run scans to look for open vulnerabilities and critical risk areas.

· Future projects: Don’t expect to do everything yourself. The whole reason I wrote a series of articles was to explain how to use outside expertise when needed. Once you’ve completed one big cyber project, consider what is on the horizon and what your next step should be. Third-party cyber projects are a good way to outsource expertise without having to hire an entire security team. There are different types of projects to choose from, and it’s best to prioritize your game plan to address your company’s risk. Start with a risk assessment, dig into more technical projects like scanning and penetration testing, and don’t forget to spend some time on the human issue via onsite employee training or tabletop exercises.

In cybersecurity, your job will never be complete. There will always be improvements to make and projects in the pipeline. But remember, each improvement or adjustment could be the difference between a normal day and a ransomware claim. It’s hard to know what could “save” you from the next big cyber-attack, but working to continuously improve your cybersecurity is the only way to know you are making reasonable efforts to protect your business and the data you hold.

For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 512-662-2502 or email vsullivan(at)eplaceinc.com.

Patrick Nowlin

Senior Counsel // Cybersecurity // Incident Response // Privacy

Thanks for all of your insights!
