Companies must do everything in their power to secure their reputation and the data that resides in their systems. This may include proprietary intellectual property as well as financial, medical and personal information. Data about your vendors, contractors, employees and customers is also stored in these systems, either on-premise or in the “cloud” on a hosted server or storage facility. We all know this, but why is it that most companies only focus on the attack side of the equation – often neglecting the “other” side of a cyberattack or other disaster – the recovery phase?
Many companies are ill-prepared and do not have a comprehensive plan for recovery. It does not matter how much you devote in terms of money or technology to protect your company, a devoted hacker with enough time and sufficient resources can breach any security. If you have not been hacked yet, you will…and probably multiple times over the course of your company’s future. The ability to recover from these attacks will be what will reduce your stress and give you the confidence to know that you have a plan to get to business as quickly and securely as possible. So what does that plan look like? Well it doesn’t have to take a lot of time and it doesn’t have to cost a lot of money. However, not having a plan can cost you…possibly your business…if you don’t have one!
First and foremost, controls and access to your data must be done correctly. That means that you must take a step back and understand what it is that your company stands for. What is the Mission? What is the Vision? What is the Corporate Culture at your company? You may not think that any of these are important, but they are vital to creating an environment that is complimentary to your security plan, and which does not run counter to what you stand for.
As an example, if you run a marketing agency, it is important to allow your staff to be creative and give them the ability to do so without imposing overly restrictive controls and security on your systems and data. Employees need to work uninterrupted without constantly being prompted to authenticate themselves or change their login credentials. Having a flow of creative inspiration stymied by having to constantly log in to different systems or entering validating information is a sure-fire way to interrupt the creative process. Understanding this is key in various situations, because I can assure you that if you implement overly restrictive controls on your creative minds, they will creatively figure out a way around them, ignore them or simply not comply with them. That is certainly not what you want – you must strike that balance, and understanding who your users are and how much you need to secure your data is where it all begins.
On the other extreme, if you have a business that deals with highly sensitive financial or medical information, your systems must be more secure, and your employees should expect that they are. They may get annoyed with how frequently they have to change their passwords, but it is not interrupting creative flow such as in the prior example. In fact, they will be more apt to adhere to those controls in this situation, especially when you educate them as to why they must do certain things.
Now take a look at the information that you are trying to protect, the threats to that data, and the likelihood of any specific attack occurring to your company. If the information that your company deals with on a daily basis is highly sensitive, there is a good chance that it will be desirable data for hackers to try and steal or hold for ransom. We have seen many cyberattacks and ransomware attacks over the past few years that have targeted hospitals, banks, municipalities and utility companies. Why? Because the data in their systems is highly valuable and can be held for ransom, sold on the black market such as in the case of consumer data, or both.
It is imperative to understand that just because you have an IT department in your company and they have backups of your data does not constitute a cybersecurity recovery plan. IT and cybersecurity are different, and they must be separate in your plan. Information technology is responsible for creating value using assets; cybersecurity is responsible for protecting those assets. They cannot and should not be the same. The same department that creates value cannot be the same one that protects it! That is a direct conflict of interest.
Next, you must value every asset that you need to protect and know what its worth is to you. Then rank these assets in terms of their worth and priority. After that, you need to determine what the business impact is from the loss or disruption of each asset or department. Meet with your department heads and figure it out. This step is crucial because knowing what the value of each asset is will help you determine what is reasonable to spend to protect it. You don’t want to spend more to protect an asset than it is worth, but you also don’t want to spend less than you should in order to secure critical aspects of, and assets in, your workflows. This must be a comprehensive process that looks at every department and what it is worth to your ability to provide your service or get your product out the door.
Once that is done (and it will take a while!), it is time to move on to threat assessment. Incredibly, approximately 80% of all businesses have been the victim of some type of cyberattack – whether they knew it or not! Some of these attacks go unnoticed and many are ineffective. It is my job, and yours, to ensure that you don’t become the latest victim! Intrusions happen, so you must have the right tools and technologies in place to spot them quickly in order to minimize their impact and implement your response plan.
Next up is risk analysis. Once you have determined the most realistic threats to your business and how vulnerable or protected you are, it is time to analyze each risk that your company could potentially face. Keep it simple at first, and then you can get more detailed. You want to list each type of risk, its description, likelihood, impact, response and who is responsible for it. Deal with the most realistic threats that your business could face first, and not those beyond your control such as a global catastrophe or overly paranoid scenarios.
Your processes are the critical “stuff” that must be performed by the people in your company to get the job done. They link your assets together – your technology, programs and people all work together to create value for your organization. Some are set in stone, while others are more flexible, making them more easily controlled and protected. Map out all key processes in your company including all workflows such as order taking, transaction processing, ordering inventory, paying vendors and employees, and any other processes specific to your company. If you invest the time, you will reap the rewards when the inevitable occurs.
The tricky part comes next…applying controls within your organization to protect your assets. It is important to remember that the people in your company are what makes things happen – it is their creativity and innovation along with the corporate culture that defines who you are as a company. The problem is that although your people are your most valuable asset, they are also your most critical liability. The controls you put in place are designed to protect your company, assets, systems, employees, vendors, board members, suppliers and others…but controls can only do so much. Ultimately people cannot be controlled, but you can implement controls that limit the damage they can do, either accidentally or purposefully, to your company.
Ongoing education of your employees to make them aware of the various threats they face (that you have identified) is of paramount importance and will reduce your threat level significantly. Companies that have well-trained employees who are sensitive to the various threats that exist will protect your company more than any control you can put in place. Your greatest weapon against cybercriminals is your employees awareness of what threats exist in both the digital world and the physical world.
Uneducated, disgruntled or disillusioned employees, internal threats from blackmailed employees or simply those with criminal intent represent the biggest threat to your organization’s cybersecurity.
With all these pieces in place, you should now have a clear understanding of your company’s vision and mission and how it relates to the various threats and risks that exist. You have detailed the processes and controls that you need to put into practice. You also recognize the need for educating your staff.
Now it’s time to put it all together into your Cybersecurity Recovery Plan. Good luck and stay safe!