You read and hear about cyberattacks, data leaks or compromises all the time today. Companies and organizations are being attacked constantly: some attacks succeed, some go undiscovered, and other targets were lucky or well protected. The risk is steadily increasing, and regulatory requirements are rising as well. So it is clear that a lot of companies want to improve and prove their cybersecurity by setting up a cybersecurity strategy. The problem is often that they don't know how and where to start. This article shows what the best cybersecurity strategy for 2021 is and how to start.
When you define a cybersecurity strategy you always have to think about identifying, knowing, reducing and eliminating your risks. You do not need to dive deep into risk management yet. But keep in mind that the goal of, and the reason for, defining a cybersecurity strategy and for building up and increasing your information security, IT security or cybersecurity is always to identify and diminish, or better still get rid of, your risks.
Below you can find a detailed step-by-step guide on how to define your cybersecurity, InfoSec or IT security strategy and how to start.
1. Identify in what business sector your organization operates
That sounds silly but is sometimes more difficult than you think, especially for bigger companies that operate in several sectors or have different lines of business. Examples are finance, healthcare, production, sales, etc. The goal is to find out about your organizational and technical security risks.
2. Find out about your organizational risks
From my experience there are two major categories of risk: organizational and technical risks.
Organizational risks depend on the sector your business operates in. Because of the high danger coming from cyberattacks, governments and regulators have started to force companies and organizations to improve their security and prove its implementation, not only by increasing regulatory requirements but also by introducing new cybersecurity laws or acts. A good example of this is the current “General Data Protection Regulation” (GDPR) in Europe. But many countries have also implemented specific cybersecurity laws for organizations providing critical infrastructure, like energy suppliers, water supply, financial institutes, healthcare, etc.
So you should always comply with the regulations and laws specific to your business sector to avoid penalties and to reduce the financial, commercial, legal, regulatory, media and externally visible impact.
There are not only organizational risks coming from external threats but also risks coming from inside your organization. These are often weaknesses caused by non-compliance with your security guidelines and policies, or by the failure to implement security measures concerning the confidentiality, integrity or availability of your information.
3. Know your technical (security) risks
In addition to the organizational risks, there are always technical or cybersecurity risks. The best strategy is to know for yourself which challenges your organization has to deal with. Is it fighting against malware all the time, or do your devices, data or information get lost again and again? Or maybe your hardware, servers or applications fail more often than they should or are not available.
Most of the risks should be obvious, and of course the highest security risks at the moment are the spread of malware, especially ransomware, and phishing mails. But besides that there is another way you can find out about your current risks.
A lot of vendors, security organizations, providers and authorities publish annual “Data Breach” or “Security Reports”. These are always a good read. Even if you already know about your risks, most of the reports cover the security threats of a whole business sector. Here you can find out what threats you may be facing in the future. This is another reason why you have to know in which business sector your organization operates (see point 1).
You can find a few links with examples below this article.
4. Define and implement technical security measures
Even if your organization is in a highly regulated business or you have to comply with security laws, I would always start by implementing technical security measures to protect my organization from threats and cyberattacks. In my opinion, the likelihood of an attack, security incident or data breach is much higher than that of getting punished by authorities for not complying with regulations or laws. Nowadays the attention paid to security incidents and breaches, and the impact through media and external visibility, is also much higher.
Because of that I would focus on getting basic security protection in place first. Here are a few common security measures every company should implement:
- Have a strong password policy in place
- Better still, implement two-factor authentication
- Have solid patch management
- Implement vulnerability management to find security holes
- Encrypt your data and traffic
- Have a good backup and recovery strategy
- Never connect devices directly to the Internet
- Always use firewalls, proxies, application gateways or load balancers
- Install an anti-malware solution
- Have an incident response plan
- Do awareness training
5. Implement and get certified for a Security Framework
When it comes to building a security framework, the most common strategy is to start a project for implementing a security standard like ISO 27001 or the NIST Cybersecurity Framework, not only to get certified and prove compliance with regulations and laws but also to improve your internal “organizational security”. A security framework helps you to better identify and understand your risks, but also to enforce the implementation of security measures through policies, processes, procedures and the right controls.
6. Improve, learn and collaborate
Even if you have implemented a security framework or set up basic protection, that does not mean you are able to detect security events or respond to security incidents. A good cybersecurity strategy always comes from the collaboration between Information Security and IT Security (and later Cybersecurity or other divisions). The most common problem I see in the wild is that both divisions operate in their own cosmos: Information Security focuses on its security framework, risk management and controls, while IT Security tries to implement security and protection measures. But in order to successfully implement a security strategy, Information Security should define realistic policies, key figures and controls. That enables IT Security to implement the right security measures and to automatically return the required data to the InfoSec division.
The goal here is to get a better understanding of your organizational and security risks and of your IT infrastructure by collecting and monitoring the right key figures. The key is to build a baseline so that you are able to detect deviations from it, and thus to realistically detect cyberattacks, threats, maybe even “Advanced Persistent Threats” (APTs), and violations of your security policies.
With the strategy and steps above you have built a solid security foundation and you are able to:
- protect your organization and infrastructure,
- identify your risks and enforce your security policies,
- automatically collect the right key figures,
- monitor your security measures with the help of controls,
- and detect security events against your baseline.
When you have reached this level you have accomplished more than most other organizations or companies. But there is still one level you can reach to get to the endgame. Up to this point everything is more or less focused on protection and detection, and then reacting to an event.
The ultimate strategy, however, is to switch from the reactive to the proactive side.
7. Get proactive by building up and improving Cybersecurity
The final step of a holistic cybersecurity strategy is going from the reactive to the proactive approach.
That means that you actively start hunting for threats, vulnerabilities or holes in your organization or infrastructure. This is also the point at which you can think about building a Security Operations Center (SOC) or a Computer Security Incident Response Team (CSIRT).
With a proactive approach you have the possibility to avoid security incidents because you are well prepared and know your weaknesses. You are also able to respond more effectively to security breaches and limit their impact. Additionally, you might be able to analyse and verify whether your organization is directly targeted or whether the attacks are just part of an overall attack wave or another spread of malware.
Congratulations: if you followed this strategy you have built a solid cybersecurity foundation to protect your organization, detect security events and effectively respond to security incidents.
But this is not the end of the story. There are a few more things we need to cover.
8. Be prepared for the inevitable
No matter how well prepared you are, something bad will happen. Maybe not now, but definitely in the future. You cannot protect yourself against all the threats out there, and you cannot find all the vulnerabilities and weaknesses in your protection measures. So you have to think about the worst-case scenario, and these days this is mainly the loss of availability of your data and/or infrastructure because of ransomware.
To be able to react to this scenario you have to have a solid backup and recovery strategy. A lot of companies underestimate the importance of a Business and IT Continuity Plan. With the increasing amount of malware today this is more important than ever.
9. Focus on one thing and make it right
A big problem I see when companies begin a cybersecurity project is that they overreact. Because of the daily reporting of cyberattacks and data breaches, people feel driven to implement their strategy immediately, and they start with a project that includes 30 subprojects that have to be implemented in one year. That is unrealistic. Implementing a cybersecurity strategy is always a marathon, not a sprint. So you need to have a long-term strategy, and you should try to implement only one to three topics at a time and do them right.
10. Prepare yourself for future challenges
This article focuses on IT security, information security and cybersecurity, but there are many more areas that should be mentioned in this strategy. I am thinking about things like Industry 4.0, IoT, autonomous driving and so on. So the field of cybersecurity will become even more extensive and confusing in the future.
What helps me not to be overwhelmed by all of these security issues is this: whenever security is at stake, and it is not about protecting information or data, I think about the problem from a risk management perspective.
Here the goal is always to identify, reduce, avoid or get rid of your organizational, technical, life-threatening and, more important than ever, environmental risks ;).
So what is your cybersecurity strategy, and have you started a security project already? Let us know in the comments.