4 Key Steps to Creating an Effective Cybersecurity Plan
Cybersecurity requirements are ramping up, and cybercrime continues to increase. The FBI’s Internet Crime Report shared that there was a record-breaking 847,376 complaints with potential losses of more than $6.9 billion in 2021. With continuously evolving cyberattacks, ransomware franchise models, and simple phishing-as-a-service kits, cybercrime now requires only minimal computer skills and has attracted a larger and more diverse crowd of criminals. But how do you stay ahead in this never-ending fight when you have a limited budget and everyone from regulators, to customers, and even your cyber insurance provider is demanding that you harden your defenses? It starts with these four key components that will help you design a successful, cost-effective cybersecurity plan.
The 4 Key Components of an Effective Cybersecurity Plan
Most organizations have limited cybersecurity budgets, and it’s crucial that you maximize your risk reduction while minimizing costs. Before you even get to the most cost-effective security controls (stay tuned, that blog is coming soon) that deliver the most bang for your buck, you need to assess your security posture and create a cybersecurity plan. There are four key strategic factors you need to assess as the foundation of your organization’s cybersecurity plan:
#1: Know what you’re trying to protect
Until you know what assets you’re trying to protect, you can’t properly protect them. Let’s look at what you should accomplish in this step:
- The first step in any cybersecurity plan is to identify and inventory your systems, data, and assets. This should include:
- Employee and customer data. Identify all types of employee and customer data you hold, such as social security numbers, personally identifying information, corporate and customer credit card information, driver’s license scans, medical information, tax returns, etc.
- Systems and assets. You should inventory all servers, programs, SaaS and cloud apps, backups, and file-sharing platforms. You should also inventory all assets such as cell phones, laptops, USBs, and IoT-enabled equipment/sensors, to name a few.
- To track your inventory, you will need to decide on a tracking mechanism that meets your needs and budget. You can start small with an Excel worksheet and manually track your data and assets. This approach is inexpensive, but it can be time-consuming to populate and update. Another approach is to use a tool like OneTrust. This type of tool integrates data mapping with your risk processes to provide an evergreen map of data flows and complete records of processing. If your budget is more robust, you can spring for their more comprehensive full data discovery package. Whatever process you choose, it’s crucial that you continuously update your records of assets and inventories so you can correctly analyze risk and identify security gaps.
- As you inventory your data, consider what you can delete. Data is hazardous material. The more data you have, the more risk you incur if you are breached. One of the quickest and most inexpensive ways to reduce your risk is to reduce the amount of data you hold. Only keep necessary data, and regularly review and delete data as part of your organization’s cybersecurity plan.
#2: Understand your obligations
In today’s digitally connected world, we all have myriad contractual and legal obligations, and cybersecurity commitments are now part of this picture. To design a cybersecurity plan that meets your organization’s needs, you need to fully understand your organization’s obligations. Let’s look at the various obligations your plan may need to address:
- State and federal privacy laws are changing. A number of states have privacy laws that are in place or under consideration. Our friends at Husch Blackwell have created a great state privacy laws map that details the status of these privacy laws. In addition, new 36-hour reporting requirements took effect for certain financial institutions in the spring of 2022 (watch this video for more information), and the US has also recently passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (don’t worry, you have some time before it takes effect) that will require covered entities to “report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.” With the continuously evolving cybersecurity and privacy laws, it’s a good idea to speak with a cybersecurity lawyer to get a list of your legal obligations. We recommend an annual review to get a statement of applicable laws and regulations and to ensure your program is in line with these requirements.
- Many customers and partners now include cybersecurity requirements in their contracts. Many customers and partners now include incident reporting requirements, software bill of materials reports, and/or minimum training and security standard in their contracts. Ensure that you have a list of all contractually required security and privacy requirements, as well as a person that is designated to oversee these obligations.
- Cybersecurity insurers are increasing their minimum requirements. As risk increases, many cybersecurity insurers are requiring their policyholders to have certain cybersecurity controls in place to retain their coverage. Your organization should check on these obligations and track any pending implementation deadlines.
#3: Monitor your risk
Every organization needs to be aware of their cybersecurity risks and any potential security gaps. There are several ways to understand and monitor your risk:
- Conduct a cybersecurity controls assessment. A cybersecurity controls assessment is an evaluation of your cybersecurity plan, program, policies, and technical stack. It generally uses an industry standard measurement framework, like the NIST Cybersecurity Framework, to assess your security posture and provide recommendations and priorities for risk reduction in both the short-term and the long-term. This should be the foundation of your cybersecurity plan, as it provides a framework that covers five key areas: identification, protection, detection, response, and recovery. You can do this internally, but it’s a lot of work and you may be better served if you outsource this to an experienced team. You don’t have to choose the NIST CSF, you can also use the ISO 27001 standard, but your organization should choose a standard and use your selected framework to structure and enhance your cybersecurity plan. For more details about conducting this assessment, read this blog: How to Ensure Your Cybersecurity Risk Assessment Results are Actionable.
- Schedule technical testing. Having an annual penetration test is crucial for your cybersecurity program. It identifies security gaps before a criminal uncovers them (read this pen testing blog for more details). But your pen test should include more than just your on-premises systems. One of the biggest mistakes organizations make these days is skipping cloud security testing. Misconfiguration of cloud solutions is a common cause of data breaches and we’ve seen too many examples where customers assume their cloud is secure only to have it be the source of their data breach. While pen testing is a great first step, once you have identified your gaps, you should consider a risk assessment to help you prioritize your risk mitigation. Whether it’s a full security controls assessment that we discussed above, or a smaller risk assessment that identifies security gaps and recommends remediation priorities, ensure you conduct technical testing to identify gaps and create a remediation plan.
- Track and review incidents. Part of monitoring your risk is to create a monthly report of any incidents. Whether you use an Excel spreadsheet and track this manually or use an incident tracking software, tracking and reviewing this data monthly will help you evaluate your risks and shed light on your programs’ strengths and weaknesses. For major incidents, you should conduct a dedicated post-mortem meeting. You can then use this information to adjust your organization’s cybersecurity plan accordingly.
#4: Manage your risk
If you develop your cybersecurity plan using one of the cybersecurity frameworks we mentioned above, part of your goals will be to develop a long-term risk management and reduction strategy. Whether you track this in a spreadsheet or use a software tool that enables you to go through and change your risks as your program evolves, this will help you acknowledge and manage your risks. This will also help you to decide how to prioritize and treat each of your risks. The standard risk treatment options are:
- Avoid the risk by eliminating corresponding activities
- Mitigate the risk by implementing security controls
- Transfer the risk to an external party, i.e., insurance
- Accept the risk
Once you have decided how to treat each risk, you can plan and track your multi-year risk reduction activities. Risk management is a whole topic unto itself, so please read this blog, The ABC’s of an Effective Cybersecurity Program or watch the video for more details on cybersecurity risk management.
We hope you found this information helpful! Contact us if you need additional assistance developing your cybersecurity policies, procedure, or plan. Our team is ready to help with a wide variety of technical testing, cybersecurity solutions, advisory, training, or incident response services.