A review of the key elements of an effective cybersecurity plan to help security managers prevent or mitigate the impact of a breach.
It may be flattering to know that others think of you nearly non-stop, but when they’re hackers, it’s not really such a glamorous proposition. Malicious actors are constantly looking for information they can steal from your organization. They are probing your network in search of vulnerabilities they can exploit for their personal profit. They might even be tracking your employees and other users who have access to your systems and network.
Responding to a breach requires much forward planning. Every organization should have a cybersecurity plan, which has several key elements. They help to ensure all those responsible for dealing with the situation know what to do, have the resources at hand to stop the attack, secure the network, and deal with any ramifications.
This is the first of a two-part series. Here, we look at the main elements of a cybersecurity plan. The next article goes into the role of Privileged Access Management (PAM) in cybersecurity planning. PAM can serve as a central, unifying solution to define and enforce access control policies that affect nearly every aspect of cybersecurity planning and incident response.
Components of a Cybersecurity Plan
The following elements should be in place to a) prevent breaches from occurring where possible and b) respond quickly to incidents and limit their impact when they do. Your cybersecurity plan should include all of them so your organization can respond effectively to a breach.
1. Get the Basics of Security In Order
Part of the planning process should involve avoiding having a problem in the first place. The best incidents are the ones that never happen. To achieve this goal, or at least improve your odds of never having a catastrophic breach, make sure your basic security systems are running at top form. And, make sure your security policies are being fully enforced. These include:
- Intrusion Detection Systems
- Security information and event management (SIEM) systems, if appropriate
- Automated security monitoring and alert orchestration systems, if appropriate
- Spam filters/Anti-Phishing
- Access control – both Identity and Access Management (IAM) and Privileged Access Management (PAM) for back-end administrative access.
- Strong password policies and two-factor authentication, at minimum for remote access and administrative accounts
- Encryption of sensitive data – at rest and in transit, as required by regulation and policies
- Security software and device management for smartphones and other mobile devices that hold or reach corporate data
2. Collaborate with Internal Stakeholders
In the event of a cybersecurity breach, personnel and teams in the company’s IT, finance, legal, and other departments should be ready at a moment’s notice. Everyone should have a pre-determined role related to incident response. Eliminating guesswork will allow the situation to be assessed without wasting any valuable time. All employees should be trained to recognize the signs of an attack. When the time comes, they will hopefully recognize tactics such as social engineering used to trick people into providing personal details, installing malicious software on the network or allowing the hacker to steal information. When it comes to data loss, everyone is on-deck, and minutes count.
3. Work Within a Framework
The cybersecurity response must adapt to the types of data protected and the circumstances involved. A framework is an important component of cybersecurity risk management. It requires governance across all people, technologies, and processes in the organization. By the time you need to take action, this framework should give you the plan needed to deal with a cybersecurity incident without guesswork or delay. Its scope should span all work processes, the people inside and outside the company (including third-party vendors), and every device connected to your corporate network. If you don’t know where to begin, check out the incident handling guidance from the US Computer Emergency Readiness Team (US-CERT), NIST SP 800-61 (the Computer Security Incident Handling Guide), or the NIST Cybersecurity Framework.
4. Be Aware of Threat Intelligence
The more informed the decisions you can make during a cyber-attack, the better off you may be. First, you must recognize the signs of an attack and the attacker’s tactics, techniques and procedures (TTPs), using predetermined indicators as a reference. Threat intelligence consists of these indicators, the context around them, and actionable insights into existing and emerging threats to company assets. It is evidence-based, and it provides the keys to making informed decisions the moment a cyber incident starts. Weaknesses such as shared administrative passwords, unpatched software and operating systems, insecure infrastructure configurations, or exploitable business operations and processes provide the context in which an indicator should be read. Recognizing the accidental or intentional acts of an individual staff member also provides the intelligence needed to respond appropriately to a cybersecurity incident.
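As an added example, not from the original article, here is a minimal indicator-matching pass in Python over a few constructed log lines. The indicators, their context strings, and the log format are hypothetical; the point is that indicators are stored normalized and matched case-insensitively, so a domain logged in uppercase or a file hash logged in capitals still produces a hit with its context attached.

```python
import re
from dataclasses import dataclass

# Constructed indicators with their context (hypothetical values, not a real feed).
# Values are stored normalized (lowercase) so that matching is case-insensitive.
IOCS = {
    "203.0.113.45": ("ip", "hypothetical command-and-control address"),
    "update-check.example.net": ("domain", "hypothetical malware update domain"),
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        ("sha256", "hypothetical dropper file hash"),
}

# Token shapes that can carry an indicator. A candidate is only reported
# when it also appears in IOCS, so over-matching here is harmless.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str
    context: str
    line: str


def candidates(line):
    """Yield (kind, normalized value) for every indicator-shaped token in a line."""
    for ip in IP_RE.findall(line):
        yield "ip", ip
    for dom in DOMAIN_RE.findall(line):
        yield "domain", dom.lower()
    for digest in SHA256_RE.findall(line):
        yield "sha256", digest.lower()


def scan_log(lines):
    """Return one Hit per (line, indicator) pair, in log order."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for kind, value in candidates(line):
            ioc = IOCS.get(value)
            if ioc is None or ioc[0] != kind or value in seen:
                continue
            seen.add(value)
            hits.append(Hit(line_no, kind, value, ioc[1], line))
    return hits


# Constructed sample log lines (proxy, firewall, endpoint agent); not real traffic.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z proxy user=alice dst=cdn.example.com action=allow
2024-03-04T09:12:07Z proxy user=bob dst=UPDATE-CHECK.EXAMPLE.NET action=allow
2024-03-04T09:13:44Z fw src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
2024-03-04T09:15:02Z edr host=ws-017 file=svc.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
2024-03-04T09:16:10Z fw src=10.0.5.24 dst=93.184.216.34 dport=443 action=allow
""".splitlines()


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.value} ({h.context})")
        print(f"    {h.line}")
```

Only three of the five lines match: the uppercase domain, the firewall destination, and the uppercase hash. The unmatched IP and domain on the other lines show why over-broad token regexes are acceptable here; the lookup against the normalized indicator set is what decides.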
5. Understand Regulatory Factors and General Liability
A response to a breach should consider regulations pertaining to your industry, particularly for fields like healthcare or finance. You risk fines and other penalties if personal information is exposed. For instance, if your organization is determined to have been negligent in its handling of security, there could be legal (civil torts) and regulatory ramifications. Having a detailed audit log of what happened before, during, and after the breach may prove quite helpful in clearing your organization of the charge of negligence in its security duties, provided the log itself is retained and protected from alteration by the accounts involved in the incident.
6. Conduct a Thorough Risk Assessment
Build a model of the most pervasive threats based on the risks identified, their likelihood of occurring, and the damage they could do. The actions taken should involve the appropriate personnel outlined in the model. Once cybersecurity threats are prioritized, the steps to tackle each one as it occurs are clearer to all stakeholders. Risk assessment doesn’t only fine-tune your cybersecurity response; it also helps prevent attacks in the first place. It involves putting yourself in the mind of an attacker: if you can determine what is most valuable to them, it becomes evident where to focus your resources to protect the most exposed data.
7. Undertake Incident Response Planning
Keep the plan current with the latest changes to your environment, the most recent threats, and applicable regulations, and build in the latest improvements, training, and preparation so your teams know how to act as soon as a threat is detected. Recognize that despite all your prevention efforts, a security breach is always a possibility, and cybersecurity threats are evolving all the time. That’s why it’s important to be proactive: improvements, training, and preparation need to be completed before the next major breach attempt, not after it.
Each plan should be tested (for example, in a tabletop exercise) and kept up-to-date. Outdated incident response plans are likely to be ineffective.
If all the components of your plan are in place, you can alert all the personnel and risk management programs related to cybersecurity at a moment’s notice. Visibility is another key factor when an incident occurs. It’s best if you can see who has accessed the network, what systems, and at what time (a hallmark of Privileged Access Management systems), to gather as much intel as possible.
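As an added example, not part of the original article or any particular PAM product, the following Python reconstructs that visibility from a constructed session log: who used which privileged account on which system and when, plus three checks a reviewer would run first (unapproved user, session outside the change window with no ticket, session never closed). The log format, the approved-administrator list, and the change-window policy are hypothetical assumptions.

```python
from collections import namedtuple
from datetime import datetime, time, timezone

# Constructed policy (hypothetical): approved administrators and the change
# window (UTC) outside which a privileged session needs a change ticket.
APPROVED_ADMINS = {"alice", "bob"}
WINDOW_START, WINDOW_END = time(7, 0), time(19, 0)

NOT_APPROVED = "user not on the approved administrator list"
OUT_OF_WINDOW = "privileged session outside the change window with no ticket"
STILL_OPEN = "privileged session never closed (still open at end of log)"

Finding = namedtuple("Finding", "ts user account target reason")


def parse_event(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with a tz-aware ts."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(lines):
    """Parse all non-empty lines and order them by time."""
    events = [parse_event(ln) for ln in lines if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def access_timeline(lines):
    """Who used which privileged account on which system, and when."""
    return [(e["ts"].isoformat(), e["user"], e["account"], e["target"])
            for e in parse_log(lines) if e["event"] == "session_start"]


def review(lines):
    """Flag sessions that the policy above does not explain."""
    findings, open_sessions = [], {}
    for e in parse_log(lines):
        key = (e["user"], e["account"], e["target"])
        if e["event"] == "session_start":
            open_sessions[key] = e
            if e["user"] not in APPROVED_ADMINS:
                findings.append(Finding(e["ts"], e["user"], e["account"], e["target"], NOT_APPROVED))
            in_window = WINDOW_START <= e["ts"].time() < WINDOW_END
            if not in_window and "ticket" not in e:
                findings.append(Finding(e["ts"], e["user"], e["account"], e["target"], OUT_OF_WINDOW))
        elif e["event"] == "session_end":
            open_sessions.pop(key, None)
    # Anything still open when the log ends is worth a look during an incident.
    for e in open_sessions.values():
        findings.append(Finding(e["ts"], e["user"], e["account"], e["target"], STILL_OPEN))
    return findings


# Constructed PAM session log (hypothetical format and values).
SESSION_LOG = """\
2024-03-04T06:30:12Z user=alice target=db-prod-01 account=root event=session_start ticket=CHG-1042
2024-03-04T06:55:40Z user=alice target=db-prod-01 account=root event=session_end
2024-03-04T22:41:03Z user=bob target=dc-01 account=Administrator event=session_start
2024-03-04T22:43:17Z user=bob target=dc-01 account=Administrator event=session_end
2024-03-04T23:05:55Z user=svc-backup target=fileserver-02 account=root event=session_start
""".splitlines()


if __name__ == "__main__":
    for row in access_timeline(SESSION_LOG):
        print("access:", *row)
    for f in review(SESSION_LOG):
        print(f"finding: {f.ts.isoformat()} {f.user} as {f.account} on {f.target}: {f.reason}")
```

Alice's early-morning session is outside the window but carries a ticket, so it is not flagged; Bob's late session has no ticket and is; the backup service account is flagged three times, which is the kind of record that lets responders answer "who was on that system, and was it expected?" without guesswork.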
Want to learn more? Get the whitepaper to see how PAM can work for you!