“The secret of getting ahead is getting started” – Mark Twain
Cybersecurity and risk assessment of your organization is a daunting task. However, taking the first steps doesn’t need to be challenging. The first steps (even if they’re baby steps) will go a long way to securing your organization and minimizing headaches.
Identifying the risk(s)
Discuss what the potential risks are, what attacks or attempts are being made, and who the attacks are being focused on. These can be internal or external risks, human-and-non, social finessing, or hacker-driven. Use these exercises to prioritize and allocate resources for maximum effect. Even if you think you have a good grasp on risk areas, having an external provider perform a risk assessment on your organization is an effective way to fast track and discover potential risks that you’re unaware of.
Risks Identified! Now what?
Establish guidelines for employees' handling of at-risk and sensitive information. Implement controls and policies to mitigate risks, limit exposure, and generate a rapid response to threats or suspicious activity. Start with controls and guidelines that protect your most vulnerable processes and data.
Keep your data private, not the risks to your organization.
Communication and training are essential in awareness of risks and compliance with guidelines. Don’t shame the user who accidentally clicked a link; instead, honor the ones that raised their hands after clicking a bad link. Identifying threats and generating swift action to shut them down before they ever arise is worthy of celebration.
Rinse and Repeat!
The process of finding risks, applying policy, and training isn’t one-and-done. Keep this as part of an annual plan to account for emerging risks, revising policies, and refreshing your team's awareness.
Policy creation is overwhelming for many to create. Here are three key policies that I recommend getting started with:
Incident response plan – Develop a standard operating procedure for dealing with incidents. When something happens, what do employees need to do, and what does the organization need to do in response? What phone number needs to be dialed? What changes need to be made to an account, data set, or application? What forensics need to occur so that the threat has been mitigated?
Acceptable Use Policy – These are guidelines on the handling of sensitive or personal information, as well as safe use of organizational devices and systems. It might feel silly to document rulesets like “not sending banking details over email”, “not visiting sketchy websites”, or “don’t install free software”. However, this helps reiterate the risks and common failure points that all organizations face.
Security Review Process – It is important to create a cadence of discussions, evaluations, communication, and training. This helps to continually find and categorize risks to organizations and generate actionable steps.
Taking these steps towards enhancing your security posture will mature and develop into your own stance against the threats in the wild. In time, the security posture you develop will address your organization's unique processes and construction, as well as the more commonly experienced threats. The key is taking those first steps, learning through the process, and channeling those lessons learned into impactful change for your organization.
If you need assistance taking those first steps toward Cyber Security, evaluating the risk to your organization, or enhancing your current security posture, One Bridge Consulting can help! Please reach out to us at info@obc.tech or call us directly at 207-352-1743 between the hours of 8am-5pm Monday-Friday.