Is your organization equipped with at least cybersecurity basics? If you don’t know the answer to that question, the following information will help you learn the essentials that can create a starting point for reducing your organization’s security risk.
The 20 most critical elements of cybersecurity basics can be broken into the following five key categories:
- Asset Tracking
- Access Management
- Risk Management
- Security Controls
- Incident Response and Recovery
Asset Tracking
1. Create an asset inventory.
What should be included in the inventory? IT departments typically focus on assets that are most critical to the organization and that are connected to the network. That makes sense (and we’ll discuss those next). However, any asset within the organization that stores or processes information about the organization can be used by cybercriminals. There are numerous asset discovery and logging tools available to help you ensure that you have listed all assets in the organization. In addition to technology assets (hardware, software, and data), you should also include people.
2. Determine the most critical assets in your organization.
Once you’ve created an asset inventory, you then need to determine which assets are considered the most critical. In addition to highlighting this group in your asset inventory, make sure you add important information about each asset such as location, the employee who uses it, and technical details (e.g., date of last software update).
3. Analyze the details about the assets in your organization.
You should now have a good picture of the assets in your organization. This basic information can help you start thinking about the level of security and security measures you need to implement. For example, if a large percentage of the organization works from a remote location, it’s probably a good idea to invest in security controls that provide protection for assets in such an environment.
4. Continually update your asset inventory list.
Keeping your asset inventory list current will help you keep track of important information about your assets, such as when software updates are required. One of the most common sources of a data breach is neglecting to apply a software patch. The consequences of this neglect can be exorbitant. The Equifax data breach that occurred in 2017 is an example. Nearly 150 million records were compromised during the breach, and the organization was still dealing with the impact three years later. Equifax eventually had to pay a $425 million global settlement.
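Items 1 through 4 describe one procedure: build the inventory, mark the critical assets, record owner, location and last update, and keep it current. The following is an added example in Python, not code from the original post or from BACS, showing that procedure as a small inventory with a patch-staleness report. The inventory rows, the 90-day threshold and the reference date are constructed sample values.

```python
"""Asset inventory with criticality flags and a patch-staleness report.

Added example (not from the original post). The inventory is parsed from a
constructed CSV export; the staleness threshold and reference date are
assumptions chosen so the report is reproducible.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample inventory. In practice this would be exported from an
# asset discovery tool; hostnames, owners and dates here are made up.
# People are listed too (item 1) and simply have no patch date.
SAMPLE_INVENTORY = """\
asset_id,kind,name,owner,location,critical,last_update
A-001,server,payroll-db,finance-it,HQ-datacenter,yes,2020-01-15
A-002,laptop,sales-lt-17,j.smith,remote,no,2020-07-01
A-003,server,web-portal,web-team,cloud-us-east,yes,2020-06-20
A-004,software,vpn-gateway,netops,HQ-datacenter,yes,2020-02-28
A-005,person,security-analyst,s.jones,remote,no,
"""


@dataclass
class Asset:
    asset_id: str
    kind: str
    name: str
    owner: str
    location: str
    critical: bool
    last_update: Optional[date]  # None for assets that are not patched (people)


def load_inventory(text: str) -> List[Asset]:
    """Parse the CSV inventory into Asset records."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_update"].strip()
        assets.append(Asset(
            asset_id=row["asset_id"],
            kind=row["kind"],
            name=row["name"],
            owner=row["owner"],
            location=row["location"],
            critical=row["critical"].strip().lower() == "yes",
            last_update=date.fromisoformat(last) if last else None,
        ))
    return assets


def critical_assets(assets: List[Asset]) -> List[Asset]:
    """The subset flagged as critical (item 2)."""
    return [a for a in assets if a.critical]


def overdue_for_patching(assets: List[Asset], today: date,
                         max_age_days: int = 90) -> List[Asset]:
    """Critical assets whose last update is older than max_age_days (item 4)."""
    cutoff = today - timedelta(days=max_age_days)
    return [a for a in assets
            if a.critical and a.last_update is not None and a.last_update < cutoff]


def patch_report(text: str, today_iso: str, max_age_days: int = 90) -> List[str]:
    """Convenience wrapper: asset ids that are overdue, from CSV text and an ISO date."""
    assets = load_inventory(text)
    return [a.asset_id for a in overdue_for_patching(assets, date.fromisoformat(today_iso), max_age_days)]


def remote_fraction(assets: List[Asset]) -> float:
    """Share of assets located remotely, the kind of figure item 3 uses to pick controls."""
    return sum(1 for a in assets if a.location == "remote") / len(assets)


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_INVENTORY)
    today = date(2020, 8, 1)  # fixed reference date (assumption) for a reproducible report
    print(f"{len(inv)} assets, {len(critical_assets(inv))} critical")
    for a in overdue_for_patching(inv, today):
        print(f"OVERDUE {a.asset_id} {a.name} owner={a.owner} last update {a.last_update}")
    print(f"{remote_fraction(inv):.0%} of assets are remote")
```

Running the block lists the two critical assets whose last update is more than 90 days before the reference date. Re-running it after each inventory refresh is the mechanical part of item 4; the threshold should follow the organization's own patch policy.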
Access Management
5. Determine the employees in the organization that have access to the critical assets.
The first step of implementing access control to your assets is to learn which employees in the organization have access to the most critical assets and how they access them. It’s also a good idea to determine how access to your critical assets is monitored. The First American Financial data breach of 2019 is a good example of why this step is important. The data breach, which resulted in nearly a billion sensitive records being exposed online, was linked to a website for privileged users that was not designed to verify the identity of the user.
6. Implement strong authentication and authorization controls.
Multi-factor authentication and password encryption are examples of advanced access controls that have been considered the basics for protecting critical assets. In the summer of 2020, we learned that they too can be compromised. Twitter announced on their blog that they were subjected to a social engineering attack. The social media company divulged that the attack was driven by the criminals being able to bypass multi-factor authentication, reset passwords, successfully log in to “high-profile accounts” and send unauthorized Tweets.
7. Use a privileged access management (PAM) solution to protect your organization’s critical assets.
A PAM solution enables you to securely control and monitor your organization’s privileged accounts, which are targets for cybercriminals. However, access control isn’t just for preventing people outside your organization from gaining unauthorized access to your organization’s critical assets. According to The Cost of Insider Threats (2020) benchmark study performed by Ponemon Institute, the negligence of insiders in an organization was the top cause of 63% of incident reports and cost organizations nearly $5 million.
8. Consider implementing a Zero Trust access security model.
Microsoft defines a Zero Trust access security model as one that “assumes breach and verifies each request as though it originates from an open network”. By assuming everything in the organization is at risk and must be verified, the process of identifying and granting access to critical assets is much stronger. Implementing a Zero Trust access security model will require that you modify your infrastructure and security policies.
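Items 6 through 8 are easiest to see side by side in code. The following is an added example in Python, not code from the original post, from BACS or from Microsoft, contrasting a perimeter model, which treats a request's position on the corporate network as proof of trust, with a Zero Trust decision that verifies every request the same way regardless of origin: known identity, MFA completed (item 6), managed device, an explicit grant, and, for critical assets, a time-limited privileged session rather than standing access (the PAM idea in item 7). The network range, the grants, the session expiry and the requests are all constructed sample data.

```python
"""Perimeter trust versus per-request verification (Zero Trust).

Added example (not from the original post). Every name, address range,
grant and request below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Set, Tuple

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Which accounts hold a grant for which resources (constructed directory).
GRANTS: Dict[str, Set[str]] = {
    "alice": {"wiki", "payroll-db"},
    "bob": {"wiki"},
}
CRITICAL_RESOURCES = {"payroll-db"}

# Time-limited elevation for critical resources: user -> session expiry.
# Standing privileged access is replaced by a session that must be current.
PRIVILEGED_SESSIONS: Dict[str, datetime] = {
    "alice": datetime(2020, 8, 1, 12, 0),
}


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    at: datetime


def perimeter_decision(req: Request) -> Tuple[bool, str]:
    """Legacy model: being inside the network is taken as proof of trust."""
    if ipaddress.ip_address(req.source_ip) in CORPORATE_NET:
        return True, "inside corporate network"
    return False, "outside corporate network"


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Verify each request as though it came from an open network."""
    if req.user not in GRANTS:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "MFA not completed"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.resource not in GRANTS[req.user]:
        return False, "no grant for resource"
    if req.resource in CRITICAL_RESOURCES:
        expiry = PRIVILEGED_SESSIONS.get(req.user)
        if expiry is None or req.at >= expiry:
            return False, "privileged session missing or expired"
    return True, "identity, MFA, device and grant verified"


# Constructed requests covering the cases that separate the two models.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "unknown-user-inside-network": Request("mallory", "10.1.2.3", "wiki", False, False, datetime(2020, 8, 1, 9, 0)),
    "alice-remote-critical": Request("alice", "203.0.113.5", "payroll-db", True, True, datetime(2020, 8, 1, 11, 0)),
    "alice-remote-critical-expired": Request("alice", "203.0.113.5", "payroll-db", True, True, datetime(2020, 8, 1, 13, 0)),
    "bob-inside-critical": Request("bob", "10.4.4.4", "payroll-db", True, True, datetime(2020, 8, 1, 10, 0)),
}


def evaluate_samples() -> Dict[str, Dict[str, object]]:
    """Run both decision functions over the sample requests."""
    out: Dict[str, Dict[str, object]] = {}
    for name, req in SAMPLE_REQUESTS.items():
        p_ok, _ = perimeter_decision(req)
        z_ok, reason = zero_trust_decision(req)
        out[name] = {"perimeter": p_ok, "zero_trust": z_ok, "reason": reason}
    return out


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:32} perimeter={result['perimeter']!s:5} zero_trust={result['zero_trust']!s:5} ({result['reason']})")
```

The first sample request is the one the perimeter model gets wrong: an unknown account with no MFA on an unmanaged device is allowed purely because its address is internal, while the Zero Trust check denies it. The second shows the reverse: a fully verified request from outside the network is denied by the perimeter model and allowed by the Zero Trust check. The expired-session case is why the critical resource requires elevation that lapses rather than standing access.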
Risk Management
9. Develop a comprehensive cybersecurity plan that is specific to your organization.
There is no one-size-fits-all cybersecurity strategy. You must analyze your situation and determine the threats to which your organization is most vulnerable, and then create a plan that mitigates your risk.
10. Monitor and analyze your organization’s network for potential threats.
There are many threat monitoring, detection, and analysis tools and services available on the market. Many of these allow you to pick and choose the services your organization requires. There are some services available that monitor security threats for you. For example, the Department of Homeland Security’s (DHS) Enhanced Cybersecurity Services (ECS) program provides an intrusion prevention capability service to both public and private entities. If your organization is a government entity, you may be able to sign up for the service with little or no cost.
11. Maximize the cybersecurity IQ of all IT security professionals in the organization.
Cybersecurity is an advanced technical practice that requires a specialized set of skills. The individuals in your organization that are responsible for cybersecurity may manage that task alone or function as IT professionals with a myriad of technical responsibilities. Cybersecurity certification isn’t required, but these individuals should know more than cybersecurity basics. Cybersecurity has become an important aspect of doing business. Your cybersecurity staff can easily enroll in training courses in person or online. The training should be ongoing to ensure the security staff is prepared for the ever-changing cybersecurity landscape.
12. Educate all employees in the organization about cybersecurity awareness.
Security awareness training is also important for non-IT employees in your organization. This training teaches employees about security threats and how to avoid them. Your analysis of your organization’s threat landscape will help you determine the most significant information to include in your security training program.
The following are the basics of a security awareness training program:
- Types of cybersecurity threats and the danger they pose to the organization
- Policies regarding use of company equipment and networks, bring-your-own-device (BYOD), and remote work
- Handling sensitive data
- Communicating with people outside the organization
- Social media interactions
- The importance of strong passwords
Employee security awareness training should be a continual event. The goal is to create a culture of security awareness.
Security Controls
13. Implement controls that protect the organization’s network infrastructure.
The network in your organization is responsible for the transmission of data and is one of the most critical assets in your organization, if not the most critical. The network is the main entry point that you want to protect.
Here are the most common types of basic network security controls:
- Anti-virus solutions
- Intrusion detection systems
14. Implement security controls that protect data (onsite and in the cloud).
The security controls mentioned in the previous section are measures designed to keep the perimeter of your infrastructure safe. Your protection shouldn’t stop there. You should also take steps to protect the data that is inside the organization or that is managed by a third-party cloud solution.
15. Implement security controls that protect remote connections.
Using a virtual private network (VPN) is the most common method of protecting remote connections to corporate networks. Alternative solutions include permission-based strategies such as identity and access management (IAM) platforms and VPN-like encryption-based strategies such as The Onion Router (Tor).
16. Adopt an adaptive security model.
The cybercriminals in the Twitter breach mentioned previously were able to bypass common access controls. Technology is constantly changing and, unfortunately, cybercriminals are modifying their tactics to keep up with the changes. Implementing a security model that is adaptive to the changes in the threat landscape for your organization is essential.
Incident Response and Recovery
17. Develop a security incident response plan.
Your incident response plan should be specific to your organization and outline how the organization will respond after an attack.
Here are the basic steps of creating a security incident response plan:
- Create an incident response team and assign responsibilities.
- Identify critical assets and alternate storage solutions.
- Determine the procedure for handling compromised assets.
- Determine the data backup strategy.
- Outline the internal and external communication plan.
- Document the details from the steps above and have them approved by top-level executives in the organization.
18. Create detailed logs of all security incidents.
Incident logs can help you uncover weaknesses in your security solutions and prevent future incidents. Your organization may also be required by compliance regulations to log all security incidents. The basics of a security incident log answer the when, what, and who questions: When did the incident occur? What was the incident? Who discovered the incident? Make sure you include as much information as possible about the security incident.
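The following is an added example in Python, not code from the original post or from BACS, of the incident log described above: each entry must answer when, what and who before it is accepted, entries are kept as JSON lines so they can be retained for compliance and queried later, and a summary by category shows which weaknesses recur. The entries, field names and categories are constructed sample data.

```python
"""Structured security incident log with required-field validation.

Added example (not from the original post). The required field names and the
sample entries are constructed; adapt the field set to the organization's
own reporting obligations.
"""
import json
from collections import Counter
from datetime import datetime
from typing import Dict, List

# The when / what / who questions from the post, as required fields (assumed names).
REQUIRED_FIELDS = ("when", "what", "who_discovered")


def validate_entry(entry: Dict) -> List[str]:
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    if entry.get("when"):
        try:
            datetime.fromisoformat(entry["when"])
        except ValueError:
            problems.append("when is not an ISO 8601 timestamp")
    return problems


def append_entry(log_lines: List[str], entry: Dict) -> int:
    """Append a validated entry as one JSON line; reject incomplete entries."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    log_lines.append(json.dumps(entry, sort_keys=True))
    return len(log_lines)


def summarize(log_lines: List[str]) -> Counter:
    """Count incidents by category so recurring weaknesses stand out."""
    return Counter(json.loads(line).get("category", "uncategorized") for line in log_lines)


# Constructed sample incidents; extra fields beyond the required three are encouraged.
SAMPLE_ENTRIES = [
    {"when": "2020-08-03T14:22:00", "what": "Employee reported a credential-phishing email",
     "who_discovered": "j.smith", "category": "phishing", "affected_asset": "A-002"},
    {"when": "2020-08-10T09:05:00", "what": "Laptop lost in transit, disk encrypted",
     "who_discovered": "facilities", "category": "lost-device", "affected_asset": "A-002"},
    {"when": "2020-08-17T16:40:00", "what": "Second phishing campaign imitating payroll",
     "who_discovered": "security-analyst", "category": "phishing", "affected_asset": "mail"},
]


def build_sample_log() -> List[str]:
    """Write the constructed entries into an in-memory JSON-lines log."""
    log: List[str] = []
    for entry in SAMPLE_ENTRIES:
        append_entry(log, entry)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log))
    for category, count in summarize(log).most_common():
        print(f"{category}: {count}")
```

In the sample log, two of three incidents are phishing, which is the kind of pattern that should feed back into the awareness training of item 12. Writing the log as one JSON object per line keeps it append-only and easy to load into whatever tooling the compliance regime requires.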
19. Consider purchasing insurance to lessen the effects of a cybersecurity issue.
A security incident such as a data breach can have a significant impact on your organization’s reputation and revenue. Cybersecurity insurance can help your organization recover more smoothly from an incident. In addition to mitigating some of your financial losses, cybersecurity insurance may provide security consultants to assist with the recovery process.
20. Test your security incident response plan.
Determining the effectiveness of your security incident response plan is a critical task to perform once your plan is created. The common practice is to replicate a specific type of cyberattack that is as realistic as possible for your organization and walk through your plan. Make sure you make notes about any flaws or weaknesses you discover.
Learning cybersecurity basics can be an eye-opening experience for security professionals. If you realize that your organization has not yet met the baseline of IT security, your next step is to work toward that goal. If you require assistance with performing an in-depth analysis of your business needs, BACS can help.
BACS is an IT services firm of security professionals that specializes in working one-on-one with organizations to first understand what their IT security needs are, and then determine the most robust, flexible, and cost-effective solution. BACS consultants are also experienced with assisting organizations with strengthening their security foundation.